SSO setup - ADFS (SAML 2.0)

Fill out this contact form to trial or subscribe to the SSO feature.

Splashtop now supports logging in and Splashtop Business app using the credentials created from your SAML 2.0 identity provider. Follow the instructions below to create a Relying Party Trust with AD FS.

Create a Relying Party Trust with AD FS

Follow the Microsoft document to create a Relying Party Trust. Use only the section "To create a claims aware Relying Party Trust manually":

Follow steps 1 to 6 in the document. (Select AD FS 2.0 Profile)

At step 7, on the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol checkbox. Under Relying party SAML 2.0 SSO service URL, type "", then click Next.


At step 8, Configure Identifiers page, add and

Note: no "/" at the end of these paths

Add a claim

1. Select the Relying Party Trust you just created, then click Edit Claim Issuance Policy.

2. Click Add rule, select Send LDAP Attributes as Claims, then click Next.


3. Select Active Directory as Attribute store, then add E-Mail-Address and User-Principal-Name.
E-Mail-Address: E-mail Address
User-Principal-Name: Name ID 


Add another claim

1. Add another rule with Claim rule template Transform an Incoming Claim.

2. Set up Name ID.
Incoming claim type: E-mail Address
Outgoing claim type: Name ID
Outgoing name ID format: Email 



If you get this error message when trying to log in, please check the ADFS logs.


If your ADFS log shows an error similar to the one below, remove the mapping between “User-Principal-Name” and “Name ID” from Send LDAP Attributes as Claims.

Exception details:

Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.DuplicateNameIdentifierPolicyException: MSIS3046: More than one SamlNameIdentifierClaimResource-based claim was produced after processing policy for scope ''.

at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)

at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)

at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)

at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, List`1 additionalClaims)

at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)

at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)

at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)

at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)

at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)

at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)

at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
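
An added example (not from the Splashtop or Microsoft documentation): a Python check that flags a rule set in which more than one rule can issue Name ID, the condition MSIS3046 reports. The rule text and rule names are constructed for illustration; on a real server the text would come from the trust's issuance transform rules (for example the IssuanceTransformRules property returned by Get-AdfsRelyingPartyTrust).

```python
import re

NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: the rules from "Add a claim" and "Add another claim",
# written in AD FS claim rule language (rule names are made up).
SAMPLE_RULES = f'''
@RuleName = "LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("{EMAIL}", "{NAMEID}"), query = ";mail,userPrincipalName;{{0}}", param = c.Value);

@RuleName = "Email to Name ID"
c:[Type == "{EMAIL}"]
 => issue(Type = "{NAMEID}", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'''
# Same rule set with the User-Principal-Name -> Name ID mapping removed.
FIXED_RULES = SAMPLE_RULES.replace(f', "{NAMEID}")', ")").replace(",userPrincipalName", "")

RULE = re.compile(r'@RuleName\s*=\s*"([^"]*)"(.*?)(?=@RuleName|\Z)', re.S)

def nameid_issuers(rules_text):
    """Names of rules whose issue() statement can emit a Name ID claim."""
    found = []
    for name, body in RULE.findall(rules_text):
        cond, _, action = body.partition("=>")
        if not re.search(r"\bissue\s*\(", action):
            continue  # add() only feeds later rules; it emits nothing
        store = re.search(r"\btypes\s*=\s*\(([^)]*)\)", action)
        if store:  # attribute-store rule: outgoing types are listed
            out = re.findall(r'"([^"]*)"', store.group(1))
        elif re.search(r"\bclaim\s*=\s*\w+", action):  # pass-through rule
            out = re.findall(r'\bType\s*==\s*"([^"]*)"', cond)
        else:  # transform rule: a single Type = "..."
            out = re.findall(r'\bType\s*=\s*"([^"]*)"', action)
        if NAMEID in out:
            found.append(name)
    return found

def duplicate_nameid_risk(rules_text):
    """True when more than one rule can issue Name ID (the MSIS3046 condition)."""
    return len(nameid_issuers(rules_text)) > 1

if __name__ == "__main__":
    for label, text in (("as configured", SAMPLE_RULES), ("UPN mapping removed", FIXED_RULES)):
        print(label, nameid_issuers(text), "duplicate risk:", duplicate_nameid_risk(text))
```

The check is a static heuristic over the rule text: it reports rules that can issue Name ID, not whether each rule's condition fires for a given user.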


Apply for an SSO method from

Now follow the instructions to enter the required information and apply for an SSO method:


a. You should have your own login URL and Issuer to insert on
Example (Note: http versus https for your URL):
b. Follow the instructions below to get your X.509 info to insert on

Click Service -> Certificates -> View Certificate on the Action menu on the right side. (You should already have installed IIS with your certificate.)
Click Details in the Certificate window, then click Copy to File and choose Base-64 encoded X.509.


Right-click on the exported certificate, then copy the info to paste in the corresponding field on


