Setting up Microsoft AD FS SSO for signing in to Cloudinary

Sign-in with SSO is a feature available for customers on Enterprise / Custom Plans.

In order to set up your account for AD FS SSO, please follow these steps:

Note: Different versions of Windows Server and AD FS might differ slightly in their UI

1. Open the AD FS console, click Add Relying Party Trust… in the Actions pane, choose Claims aware and click Start in the wizard.
2. Select Enter data about the relying party manually and click Next.
3. Enter Cloudinary as a display name and click Next.
4. Select AD FS profile and click Next.
5. Since you won't need a token encryption cert, click Next.
6. Check the box Enable support for the SAML 2.0 WebSSO protocol
7. Set Relying party SAML 2.0 SSO service URL to https://cloudinary.com/saml/consume - and click Next.
8. Enter your Cloudinary cloud name (available in your account dashboard) in the Relying party trust identifier field and click Next.
9. Configure multi-factor authentication or skip if not required
10. Select which users you permit to access Cloudinary and click Next. Please note that Cloudinary does not auto-provision users by default, so users that were not defined in the Cloudinary account will not have access even if you permit all users to access this app.
11. Review, click Next, and Close
12. Click Edit Claim Issuance Policy…
13. Choose the Issuance Transform Rules tab and click Add Rule….
14. Select Send LDAP Attributes as Claims and click Next.
15. Enter a Claim rule name, such as Get Attributes,  and set the following settings:
    •  Attribute store to Active Directory
    • E-Mail-Addresses for the first LDAP attribute and set its outgoing typ to E-Mail Address.
    • Click Finish.
16. Click Add Rule… on the Issuance Transform Rules tab again.
17. Select Transform an Incoming Claim and click Next.
18. Enter a Claim rule name, such as Name ID Transform, and set the following settings:
    • Incoming claim type to E-Mail Address, 
    • Outgoing claim type to Name ID, 
    • Outgoing name ID format to Email.
    • Select Pass through all claim values and click Finish.
19. Click OK on the Edit Claim Rules dialog.
20. Go to Trust Relationships > Relying Party Trusts and open the Properties dialog for Cloudinary. Select the Advanced tab, then change the secure hash algorithm to SHA-1 and click OK.
21. This step is required only when Forms Authentication is not enabled. Note that enabling Forms Authentication will apply to all sites configured.
    • Go to Authentication Policies and click Edit under Primary Authentication Global Settings.
    • Under Intranet, check Forms Authentication and click OK. Alternatively, you can use forms as a fallback authentication method for Intranet using the following PowerShell command: 
      

      Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication','FormsAuthentication')

22. On the screen that appears, under the Sign On tab, there should be a link Identity Provider Metadata with the following format:

    https://sts.<your domain>/federationmetadata/2007-06/FederationMetadata.xml

23. Log in to your Cloudinary account with a Master Admin user (If you do not have this role, please contact one of the master admin's in the account to add it for you.) and navigate to the Users Tab of your Settings area, paste in the metadata URL above, and save your changes.