Configure ADFS 4 to Authenticate Users in LDAP v3-Compliant Directory

Recently, I wrote a blog series about how to configure ADFS as the Identity Provider for Adxstudio Portal.   The links to the series can be found at the end of this post.  In this article, I will describe how we can configure ADFS to authenticate users in an external LDAP v3-Compliant directory.  Let me explain this in another way.


Let’s say you are an employee of a large organisation.  Your organisation has multiple divisions with different active directory domains, possibly because of acquisitions/mergers or for security reasons.  In your division (let’s call it the Division X), has number of applications that is used by internal staff in Division X.  Some of the applications are Dynamics 365 (CRM) and Adxstudio Portal.  Division Y is interested in you applications and would like to use Adxstudio Portal.  You don’t want to add all employees of Division Y in to your Division X Active Directory.  You want them to use their own AD credentials from Division Y active directory to authenticate.

ADFS External LDAP v3 Directory


In order for AD FS to authenticate users from an LDAP directory, you must connect this LDAP directory to your AD FS farm by creating a local claims provider trust. A local claims provider trust is a trust object that represents an LDAP directory in your AD FS farm.

Using ADFS 4.0, we can quickly create local claims provider trust (after reading this article of course :)).

Note:  Before you configure ADFS, make sure you have a username and password of a service account which has access to the external LDAP directory.  Also make sure you have physical connection between the two ADFS farms.

Configure AD FS to authenticate users stored in LDAP directories

You can configure this by running the below PowerShell script.  For detailed description, please refer to this article.

Username Mapping

One of the key requirements was the ability to use the username field as username without the domain.  For example, if the DOMAIN\USERNAME was DIVY\nadeeja, we wanted to simply use nadeeja as the username without DIVY.  To achieve this we changed two attributes.

  1. -AnchorClaimLdapAttribute
  2. -AnchorClaimType

-AnchorClaimLdapAttribute was set to sAMAccountName and

-AnchorClaimType was set to “

Once you run this command, you’ll get a second option in ADFS login screen.

Gotcha 1

Once of the things I was stuck on was I was getting username not found errors.  The active directory path of the external directory was “OU=Staff,DC=dyn365apps,DC=internal”. All staff accounts were in Staff OU.  When we configured this path as the -UserContainer, I was getting errors.  Then I went to a level higher and included “DC=dyn365apps,DC=internal” as the active directory path and it worked!

Gotcha 2

ADFS Login page included some client side validation.  For example, it checks if the username in DOMAIN\USERNAME or USERNAME@FQDN format.  Our requirement was to login using only Username.  This created a problem because the client side validation code was rejecting our Username.  Luckily, ADFS provides a method to update the scripts on the ADFS login page using PowerShell scripts.  More details can be found here.


  1. Export the current ADFS Web Theme
  2. Create a new ADFS Web Theme based on the current Web Theme
  3. Make the required changes to the onload.js file
  4. Add the onload.js file to the Web Theme
  5. Set the new Web Theme as the active Web Theme

Changes in onload.js

Rewire form validation by changing the Login.submitLoginRequest function which doesn’t enforce domain name in username field.

Add following event listeners to make sure the above code runs on page load.

Complete Code


You can easily configure ADFS to allow external LDAP v3-complaint directory to authenticate users by running a PowerShell Script.  Pay attention to active directory path of the AD users and use one level up.  ADFS Login page can be customised including the onload.js JavaScript file to add/remove validation rules.  Do not directly change the existing ADFS Web Theme.  Always create a new theme based on an existing theme and activate the new theme.

Thank you for visiting

Follow me on Twitter to get the latest news, tips and tricks and more …

Until next time…

About the Author

Nadeeja Bomiriya is a Microsoft MVP, Technical Architect, and Microsoft Solutions Delivery Lead who lives in Melbourne, Australia.

Related Articles

[Integration] ADFS as the Identity Provider for AdxstudioPart 1 – Overview

[Integration] ADFS as the Identity Provider for Adxstudio – Part 2 – Configure ADFS Server

[Integration] ADFS as the Identity Provider for Adxstudio – Part 3 – Configure Relying Party Trust

[Integration] ADFS as the Identity Provider for Adxstudio – Part 4 – Configure Web Application Proxy

[Integration] ADFS as the Identity Provider for Adxstudio – Part 5 – Publish an Application in Web Application Proxy

[Integration] ADFS as the Identity Provider for Adxstudio – Part 6 – Configure Adxstudio



[How To] Configure ADFS 4.0 to Authenticate Users in LDAP v3-Compliant Directory
Tagged on: