This step-by-step guide to assist in the configuration of ADFS 3.0 and Gorilla Expense to provide Single Sign on

Pre Requisites

Exporting the ADFS Token Signing Certificate

In order for the 3rd party online service to trust your Active Directory Federation Service and the authentication token provided to them you must provide them with the Token signing certificate applied to your Federation Service endpoint, you can export the Token signing certificate by following the steps below.

  • Open “Server Manager” and under the “Tools” section select “AD FS Management”
  • Wait for the AD FS Management page to load and expand the “Service” folder and then select the “Certificates” folder

  • Locate and right select the “Token-signing” certificate, and select “View Certificate”

  • On the Certificate popup, select the “Details” tab and check the signature hash algorithm. Make sure if it is sha1. If it is sha256, assign new “token signing” certificate with sha1 signature hash algorithm. Then come back to View Certificate->Details->select “Copy to File”
  • On the “Welcome to the Certificate Export Wizard” select “Next”
  • On the “Certificate Export Wizard” page select “Do Not Export Private Key”, then on the next screen select “DER encoded binary X.509 (.CER)” for the format

Note:    The Token signing certificate is a self-signed certificate any amendments to the certificate and or expiry will mean that the certificate will require exporting and re-assigning

  • Specify a path and name for the exported file and select “Next”,
  • Select “Finish”
  • Gorilla expense requires that this certificate be in PEM format. You can convert this certificate using client tools or even online tools such as: SSL Shopper. Use the DER/Binary certificate we just created and export it to Standard PEM format. Provide this .crt file to Gorilla Expense

Configuring the Relying Party in Active Directory Federation Services

To create a relying party trust using federation metadata follow the steps below

  • Open the ADFS Management console and select Relying Party Trusts.
  • Select Add Relying Party Trust… from the top right corner of the window

  • The add wizard appears. Click on start
  • Select Option Enter data about relying party manually
  • On the next Window, Enter Display Name as Gorilla Expense
  • Click next till you reach Configure URL screen. On this screen, select SAML SSO option and enter SSO login URL provided by Gorilla Expense (Mentioned in the Pre-Requisites section)

  • Click next till you reach the finish screen and then click close. On clicking close the “Edit Claim Rules” window will show up

  • You have to add two rules on this window
    1. Send LDAP Attribute as Claim
    2. Transform An Incoming Claim

  • Click on Add Rule to add the first rule and select Send LDAP Attribute as Claims as the claim rule template to use.
  • Give the claim a name such as Get LDAP Attributes.
  • Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.

  • Select Finish.
  • Select Add Rule to add the second rule
  • Select Transform an Incoming Claim as the claim rule template to use.
  • Give it a name such as Email to Name ID.
  • Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1. The Outgoing claim type is Name ID and the Outgoing name ID format is Email. Pass through all claim values and click Finish

  • On clicking finish, you should see the two rules added

  • Select the first and then the second rule and click Edit Rule button and then click View Rule Language… 

  • The rules should match the following:

Rule #1:

c:[Type == "", Issuer == "AD AUTHORITY"]  
=> issue(store = "Active Directory", 
types = (""), 
query = ";mail;{0}", param = c.Value);


Rule #2:

c:[Type == ""]
 => issue(Type = "", 
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, 
= "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

Summary for Settings

Listed below is the information required to configure Gorilla Expense to use ADFS as the identity provider 

Login Redirect URL<GorillaExpenseSSOURL>

Logout Redirect URL /adfs/ls/?wa=wsignout1.0

Timeout Redirect URL /adfs/ls/?wa=wsignout1.0

Token Certificate Singing Algorithm


Relying Party Trust Identifier (replace with your domain name if hosting Gorilla Expense on-premise)

Mobile Redirect URL /adfs/ls/idpinitiatedSignon.aspx?loginToRp=https://<GorillaExpenseMobileSSOURL>