How to configure Single Sign-On to Continu using Active Directory Federation Services (ADFS) as the identity provider, via SAML 2.0.
Continu supports SAML 2.0 single sign-on. When configured, users authenticate through your identity provider rather than entering Continu-specific credentials. The integration handles login, plus optional attribute pass-through (first name, last name, additional fields).
This guide covers Active Directory Federation Services (ADFS) specifically. For other identity providers, see the related articles linked below. For the strategic context on user provisioning and identity, see Provisioning and Sync: How User Data Flows Into Continu.
Requirements
To configure ADFS as the SAML identity provider for Continu, the following components are required:
- An Active Directory instance where all users have an email address attribute.
- A Continu instance.
- A server running Microsoft Server 2012 or 2008. This guide uses Server 2012R2 screenshots; similar steps work on other versions.
- An SSL certificate to sign the ADFS login page, plus the fingerprint for that certificate.
Configuring and installing ADFS itself is beyond the scope of this guide — see Microsoft's documentation for that. The steps below assume ADFS is already installed and functional.
How to Configure ADFS for Continu
1. Add Continu as a Relying Party Trust. In ADFS Management, navigate to Trust Relationships > Relying Party Trusts and select Add Relying Party Trust.
2. Skip the metadata import. Choose Enter data about the relying party manually.
3. Name the trust. Use a name that identifies it as Continu (e.g., Continu SAML). Continue through the wizard.
4. Skip the encryption certificate.
5. Enable the SAML 2.0 WebSSO protocol. Set the URL to https://[yourdomain].continu.co/saml/consume — replace [yourdomain] with your Continu subdomain.
6. Add the Relying Party Trust identifier. Use https://[yourdomain].continu.co/saml/sp.
7. Skip the multi-factor authentication step.
8. Permit all users to access this relying party.
9. Complete the wizard. Leave "Open the Edit Claim Rules" checked at the end.
10. Configure Claim Rules. In the claim rules editor:
- Rule 1: Send LDAP Attributes as Claims. Map LDAP attributes to outgoing claim types. At minimum, map: E-Mail-Addresses to email, Given-Name to firstName, Surname to lastName.
- Rule 2: Transform an Incoming Claim. Transform the email claim to NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
11. Export the ADFS metadata. Visit https://[your-adfs-server]/FederationMetadata/2007-06/FederationMetadata.xml in a browser. Save the XML file.
12. Configure Continu. In Continu, go to Admin > Integrations and select SAML 2.0. Upload the ADFS XML metadata file (or paste the URL).
13. Set bindings. Choose HTTP-Post or HTTP-Redirect to match your ADFS configuration.
14. Save the integration.
Configuration Pitfalls
SSL Certificate Issues. Self-signed or expired SSL certificates on the ADFS server cause SAML failures that often appear as login errors with no clear cause. Verify the certificate is valid and trusted.
NameID Format Mismatch. The NameID format must be emailAddress for Continu to match users. If the transform claim rule isn't set up correctly, users authenticate against ADFS successfully but Continu can't match them to user records.
Email Attribute Missing in AD. The integration assumes every AD user has an email address attribute. Users without email addresses can't authenticate.
Wrong Binding Selected. ADFS typically binds to HTTP-Redirect for the SSO request and HTTP-Post for the response. Selecting the wrong binding in Continu produces authentication failures.
Firewall Blocking ADFS Metadata URL. If Continu can't reach the ADFS metadata URL during setup (firewall, internal-only DNS), download the XML manually and upload it instead.
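The NameID format and missing-email pitfalls above can be confirmed by inspecting a decoded assertion for the claims that Rule 1 and Rule 2 should produce. The following is an added example, not Continu or Microsoft code: the function names are hypothetical, the sample assertions are constructed and unsigned, and the check covers claim shape only, not signature validation.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "firstName", "lastName")  # outgoing claim names from Rule 1

def check_assertion(xml_text):
    """Return a list of claim problems in a decoded SAML assertion (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    # Accept either a bare <Assertion> or one wrapped in a <Response>.
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no <Assertion> element found"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID (is the Rule 2 transform present?)")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, expected emailAddress")
        if "@" not in (name_id.text or ""):
            problems.append("NameID value is not an email address")
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        v = a.find("saml:AttributeValue", NS)
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"attribute {name!r} missing or empty")
    return problems

def sample(name_id, fmt, attrs):
    """Build a constructed, unsigned assertion for testing (not real ADFS output)."""
    rows = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{rows}</saml:AttributeStatement></saml:Assertion>')

GOOD = sample("jdoe@example.com", EMAIL_FORMAT,
              {"email": "jdoe@example.com", "firstName": "Jane", "lastName": "Doe"})
BAD = sample("CORP\\jdoe", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
             {"firstName": "Jane", "lastName": "Doe"})  # no transform rule, no mail in AD

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_assertion(doc) or "OK")
```

An empty result means the assertion carries the NameID format and attributes this guide configures; each reported problem points back to the claim rule or AD attribute to fix.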
Where This Fits
You're here because you're configuring ADFS SSO for Continu. For other identity providers, see the related articles. For the broader provisioning context, see Provisioning and Sync: How User Data Flows Into Continu.
See Also
- Provisioning and Sync: How User Data Flows Into Continu — the strategic anchor.
- Setting Up Single Sign On via Okta — Okta setup.
- Single Sign on via Google — Google Workspace setup.
- Single Sign on via JumpCloud — JumpCloud setup.
- Single Sign On via OneLogin — OneLogin setup.