ADFS Integration Guide
Connect Microsoft Active Directory Federation Services (ADFS) to SecurePie for enterprise SSO with your on-premise Windows Server infrastructure.
Prerequisites
✓ Windows Server with ADFS
ADFS 3.0 (Windows Server 2012 R2) or later installed and configured
✓ Admin Access
Administrator access to ADFS Management Console
✓ SecurePie App Installed
SecurePie SSO app installed on your Shopify store
✓ Valid SSL Certificate
ADFS server must have a valid, publicly-trusted SSL certificate
SecurePie Service Provider Details
You'll need these values when creating the Relying Party Trust in ADFS:
SP Entity ID (Audience URI)
https://sso.securepie.com
ACS URL (Reply URL)
https://sso.securepie.com/api/auth/saml/callback
Important
Copy these URLs exactly as shown. SAML is case-sensitive and even a trailing slash can cause errors.
Step-by-Step Configuration
Follow these detailed steps to set up ADFS with SecurePie. Each step includes exactly what to click and enter.
Get SecurePie SP Metadata
Copy the Service Provider details from SecurePie app
- Open SecurePie app in your Shopify admin
- Go to SSO Providers → Add New Provider → Custom SAML
- Copy the SP Entity ID: https://sso.securepie.com
- Copy the ACS URL: https://sso.securepie.com/api/auth/saml/callback
- Keep this tab open - you'll need these values in ADFS
Open AD FS Management Console
Access the ADFS server management interface
- Log in to your Windows Server running ADFS
- Open Server Manager from the taskbar
- Click Tools → AD FS Management
- Or press Win+R and type: AdfsConsole.msc
Start the Relying Party Trust Wizard
Navigate to add a new trusted application
- In the left panel, expand Trust Relationships
- Click on Relying Party Trusts
- In the right Actions panel, click "Add Relying Party Trust..."
- The wizard will open - click Start
Select Data Source
Choose how to configure the trust
- Select "Claims aware" (default) and click Start
- Choose "Enter data about the relying party manually"
- Click Next to continue
Specify Display Name
Name this trust for easy identification
- Enter Display name: SecurePie SSO
- Optionally add notes: "SSO for Shopify store"
- Click Next to continue
Configure Certificate (Optional)
Token encryption certificate setup
- This step is optional for SecurePie
- You can skip by clicking Next
- SecurePie accepts encrypted or unencrypted assertions
Configure URL
Set up the SAML endpoint
- Check the box: "Enable support for the SAML 2.0 WebSSO protocol"
- Enter the Relying party SAML 2.0 SSO service URL:
- https://sso.securepie.com/api/auth/saml/callback
- Click Next to continue
Configure Identifiers
Set the Entity ID / Audience URI
- In the "Relying party trust identifier" field, enter:
- https://sso.securepie.com
- Click Add to add it to the list
- Verify it appears in the identifiers list below
- Click Next to continue
Choose Access Control Policy
Set who can authenticate
- Select "Permit everyone" to allow all AD users
- Or choose a custom policy to restrict access
- Click Next to continue
Review and Finish
Complete the wizard
- Review all settings on the summary page
- Check "Configure claims issuance policy for this application"
- Click Next, then Close
- The Claim Rules editor will open automatically
Add Claim Rule: Send LDAP Attributes
Configure user attributes to send
- Click "Add Rule..." in the Claim Rules dialog
- Select template: "Send LDAP Attributes as Claims"
- Click Next
- Rule name: "Send User Attributes"
- Attribute store: Active Directory
- Add mappings: E-Mail-Addresses → E-Mail Address
- Add mappings: Given-Name → Given Name
- Add mappings: Surname → Surname
- Click Finish
Add Claim Rule: Transform to NameID
Convert email to SAML NameID format
- Click "Add Rule..." again
- Select template: "Transform an Incoming Claim"
- Click Next
- Rule name: "Email to NameID"
- Incoming claim type: E-Mail Address
- Outgoing claim type: Name ID
- Outgoing name ID format: Email
- Select "Pass through all claim values"
- Click Finish, then OK
Export ADFS Certificate
Get the token-signing certificate for SecurePie
- In ADFS Management, go to Service → Certificates
- Double-click the Token-signing certificate
- Go to Details tab → Copy to File...
- Click Next, select "Base-64 encoded X.509 (.CER)"
- Save the file to your desktop
- Open the .cer file in Notepad
- Copy the content between BEGIN and END CERTIFICATE lines
Get ADFS Federation URLs
Copy the IdP values for SecurePie
- In ADFS Management, click on Service
- Note the Federation Service Identifier (Entity ID)
- Your SSO URL is: https://[your-adfs-server]/adfs/ls
- Your Logout URL is: https://[your-adfs-server]/adfs/ls/?wa=wsignout1.0
Configure SecurePie
Enter ADFS details to complete setup
- Go back to SecurePie app in Shopify admin
- Paste the IdP Entity ID (Federation Service Identifier)
- Paste the SSO URL (your ADFS login URL)
- Paste the certificate content (without BEGIN/END lines)
- Click Save and test the connection
Claim Rules Reference
If you prefer to add claim rules via PowerShell or need the raw rule syntax:
Claim Issuance Rules
// Rule 1: Send LDAP Attributes as Claims
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
// Rule 2: Transform Email to Name ID
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
Values to Copy from ADFS
After configuring ADFS, you'll need these values for SecurePie:
IdP Entity ID (Federation Service Identifier)
Find in: ADFS Management → Service → right-click Service → Properties → Federation Service identifier
Example: http://adfs.yourcompany.com/adfs/services/trust
IdP SSO URL
Your ADFS server URL + /adfs/ls
Example: https://adfs.yourcompany.com/adfs/ls
X.509 Token-Signing Certificate
Export from: ADFS → Service → Certificates → Token-signing
- Double-click the token-signing certificate
- Go to Details tab → Copy to File...
- Click Next, choose "Base-64 encoded X.509 (.CER)"
- Save the file and open it in Notepad
- Copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
- Paste into SecurePie (do not include the BEGIN/END lines)
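The Relying Party Trust built in the wizard, the two rules from the Claim Rules Reference, and the three values listed under Values to Copy from ADFS can all be produced from the ADFS PowerShell module. This is an added example, not a script shipped by SecurePie or Microsoft; it assumes the ADFS module is installed on the server and that "SecurePie SSO" is the display name used in the wizard.

```powershell
# Added example (not SecurePie's or Microsoft's script). Run in an elevated PowerShell
# on the ADFS server; assumes the ADFS module is installed (Windows Server 2012 R2+).
Import-Module ADFS

$spEntityId = 'https://sso.securepie.com'                          # SP Entity ID from the guide
$acsUrl     = 'https://sso.securepie.com/api/auth/saml/callback'   # ACS URL from the guide

# The two claim rules from the Claim Rules Reference, named as in the wizard steps.
$transformRules = @'
@RuleName = "Send User Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleName = "Email to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit everyone" expressed as an issuance authorization rule (on ADFS 2016+ the
# -AccessControlPolicyName 'Permit everyone' parameter can be used instead).
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# SAML 2.0 WebSSO: the assertion consumer endpoint uses the HTTP-POST binding.
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

Add-AdfsRelyingPartyTrust -Name 'SecurePie SSO' -Notes 'SSO for Shopify store' `
    -Identifier $spEntityId -SamlEndpoint $acsEndpoint `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $permitAll

# The three values SecurePie asks for, read back from the farm instead of copied by hand.
$props   = Get-AdfsProperties
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
# Base-64 DER body only, i.e. the .cer file content without the BEGIN/END lines.
$certB64 = [Convert]::ToBase64String($signing.Export('Cert'))

"IdP Entity ID : $($props.Identifier)"
"IdP SSO URL   : https://$($props.HostName)/adfs/ls"
"Certificate   : $certB64"
```

With AutoCertificateRollover enabled (the ADFS default) the token-signing certificate is replaced periodically, so the certificate value pasted into SecurePie has to be refreshed after each rollover; a stale copy is the usual cause of the "Signature validation failed" error in Troubleshooting.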
Troubleshooting
Signature validation failed
Solution: Re-export the token-signing certificate from ADFS → Service → Certificates. Make sure to export as Base-64 (.CER) and remove the BEGIN/END headers when pasting.
Audience mismatch / Invalid recipient
Solution: Verify that the Relying Party Trust identifier matches exactly: https://sso.securepie.com (no trailing slash). Check that the ACS URL is https://sso.securepie.com/api/auth/saml/callback.
NameID not found in assertion
Solution: Ensure you have the claim rule to transform Email to NameID. Check that users have email addresses populated in Active Directory.
ADFS page not loading / Connection timeout
Solution: Verify ADFS is accessible from the internet (port 443). Check firewall rules and ensure the SSL certificate is valid.
Clock skew / Assertion expired
Solution: SAML assertions are only valid within a short time window. Ensure the ADFS server time is synchronized via NTP. Default tolerance is 5 minutes.
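Most of the failures above can be checked on the ADFS server before touching the app. The script below is an added diagnostic, not part of the SecurePie guide; it assumes the trust is named "SecurePie SSO" as in the wizard steps and that the ADFS PowerShell module is present.

```powershell
# Added diagnostic (not from SecurePie or Microsoft). Run in an elevated PowerShell on the
# ADFS server; assumes the ADFS module is installed and the trust is named 'SecurePie SSO'.
Import-Module ADFS

$expectedId  = 'https://sso.securepie.com'                         # no trailing slash
$expectedAcs = 'https://sso.securepie.com/api/auth/saml/callback'

$rp = Get-AdfsRelyingPartyTrust -Name 'SecurePie SSO'
if (-not $rp) { throw "Relying Party Trust 'SecurePie SSO' not found" }

# Audience mismatch: the identifier must match byte for byte (SAML is case-sensitive).
if (@($rp.Identifier) -ccontains $expectedId) { 'OK   Relying party identifier' }
else { "FAIL identifier(s): $(@($rp.Identifier) -join ', ')" }

# Invalid recipient: the assertion consumer endpoint must be the exact ACS URL.
$acsUris = @($rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' } |
             ForEach-Object { $_.Location.AbsoluteUri })
if ($acsUris -ccontains $expectedAcs) { 'OK   ACS endpoint' }
else { "FAIL ACS endpoint(s): $($acsUris -join ', ')" }

# NameID not found: the "Email to NameID" transform rule must be among the issuance rules.
if ($rp.IssuanceTransformRules -match 'claims/nameidentifier') { 'OK   NameID transform rule' }
else { 'FAIL no rule issues nameidentifier' }

# Signature validation failed: show which token-signing certificate is live right now,
# so it can be compared with the one pasted into SecurePie (rollover replaces it).
$ts    = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$props = Get-AdfsProperties
"INFO primary token-signing thumbprint $($ts.Thumbprint), valid until $($ts.Certificate.NotAfter)"
"INFO AutoCertificateRollover = $($props.AutoCertificateRollover)"

# Clock skew: the guide's 5-minute tolerance only helps if the server clock is NTP-synced.
$status = & w32tm /query /status 2>&1
if ($LASTEXITCODE -eq 0) { "INFO $(($status | Select-String 'Source|Last Successful').Line -join '; ')" }
else { 'WARN Windows Time service not responding; assertions may be rejected for clock skew' }
```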
Need Help?
ADFS configuration can be complex. Our support team has experience with enterprise ADFS deployments and can help you get set up quickly.