Setting up Microsoft AD FS SSO for signing in to Cloudinary

Sign in with SSO is a feature available for customers on Enterprise / Custom Plans.

In order to set up your account for AD FS SSO, please follow these steps:

Note: Different versions of Windows Server and AD FS might differ slightly in their UI

1. Open the AD FS console, click "Add Relying Party Trust…" in the Actions pane, choose “Claims aware” and click Start in the wizard.
2. Select "Enter data about the relying party manually", click Next.
3. Enter Cloudinary as a display name, click Next.
4. Select "AD FS profile", click Next.
5. You won't need a token encryption cert, click Next.
6. Check the box "Enable support for the SAML 2.0 WebSSO protocol", 
7. Relying party SAML 2.0 SSO service URL box should be https://cloudinary.com/saml/consume - click Next.
8. Enter your Cloudinary cloud name (available on https://cloudinary.com/console Dashboard) in the "Relying party trust identifier field", and click Next.
9. Configure multi-factor authentication or skip if not required
10. Select which users you permit to access Cloudinary, click Next. Please note that Cloudinary does not auto-provision users by default, so users that were not defined in the Cloudinary account will not have access even if you permit all users to access this app.
11. Review, click Next, and Close
12. Click “Edit Claim Issuance Policy…”
13. Choose the Issuance Transform Rules tab and click "Add Rule…".
14. Select Send LDAP Attributes as Claims and click Next.
15. Enter a Claim rule name, such as Get Attributes, then set the Attribute store to Active Directory, type in E-Mail-Addresses for the first LDAP attribute and set its outgoing type to E-Mail Address. Click Finish when you are done.
16. Click Add Rule… on the Issuance Transform Rules tab again.
17. Select Transform an Incoming Claim and click Next.
18. Enter a Claim rule name, such as Name ID Transform, set Incoming claim type to E-Mail Address, set Outgoing claim type to Name ID, and set Outgoing name ID format to Email. Select Pass through all claim values and click Finish.
19. Click OK on the Edit Claim Rules dialog.
20. Go to Trust Relationships > Relying Party Trusts and open the Properties dialog for Cloudinary. Select the Advanced tab, then change the secure hash algorithm to SHA-1 and click OK.
21. This step is required only when Forms Authentication is not enabled. Note that enabling Forms Authentication will apply to all sites configured.
1. Go to Authentication Policies and click Edit under Primary Authentication Global Settings.
2. Under Intranet, check Forms Authentication and click OK. Alternatively, you can use forms as a fallback authentication method for Intranet using the following PowerShell command: 
   Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication','FormsAuthentication')
22. Obtain your metadata URL. On the screen that appears, under the 'Sign On' tab, there should be a link 'Identity Provider Metadata'. Copy that link (it should look like:  https://sts.<your domain>/federationmetadata/2007-06/FederationMetadata.xml).
23. Log in to your Cloudinary account and under the Users tab in the Settings page (https://cloudinary.com/console/settings/users) you can paste in the metadata URL and save your changes.

Good luck!