Follow these instructions to set up AD FS single sign-on for your organization on Lexio.


Upon successful completion of these instructions, reach out to your Narrative Science customer success resource for final verification of the set-up.




1. Create a Lexio Relying Party Trust in the AD FS instance

  1. Start the Add Relying Party Trust wizard within AD FS

  2. Select Claims aware on the Welcome page, and then click Start.

  3. Select Enter data about the relying party trust manually on the Select Data Source page, and click Next

  4. Enter the name of the relying party on the Specify Display Name page: urn:auth0:lexio-prod:$CONNECTION_NAME

    1. Replace $CONNECTION_NAME with the name of the Auth0 SAML connection.

  5. Click Next on the Configure Certificate page

  6. Check the box for Enable support for the SAML 2.0 WebSSO Protocol on the Configure URL page.

    1. The wizard then requests a trusted Relying party SAML 2.0 service URL.

      1. Enter https://auth.lexio.narrativescience.com/login/callback?connection=$CONNECTION_NAME

        1. Replace $CONNECTION_NAME with the name of the Auth0 SAML connection.

  7. Add urn:auth0:lexio-prod:$CONNECTION_NAME to the Relying Party Trust Identifier on the Configure Identifiers page.

    1. Replace $CONNECTION_NAME with the name of the Auth0 SAML connection.

  8. Select Permit Everyone on the Choose Access Control Policy page, and then click Next

  9. Click Next on the Ready to Add Trust page. You'll be presented with a Finish page.

  10. Check the Configure claims issuance policy for this application checkbox on the Finish page, and click Close.


2.  Claims Issuance Policy

  1. After clicking Close on the Add Relying Party Trust wizard, you'll be presented with the Edit Claims Issuance Policy wizard

  2. Click Add Rule

  3. Select Send LDAP Attributes as Claims when configuring the Claim Rule Template, and click Next.

  4. Enter a value for the Claim Rule Name

    1. The IT admin will probably have a personal preference here — it can be anything.

  5. Choose Active Directory as the Attribute Store

  6. Map LDAP attributes to the following claim types:
      ℹ️ Always include the outgoing Name ID claim. Ensure that all of the claims below are included, but the IT Admin can add additional mappings if they desire.

| LDAP Attribute      | Outgoing Claim |
|---------------------|----------------|
| E-Mail-Addresses    | E-Mail Address |
| Display-Name        | Name           |
| User-Principal-Name | Name ID        |
| Given-Name          | Given Name     |
| Surname             | Surname        |


  7. Click Finish, and then click Apply in the Edit Claims Issuance Policy window.

3. Update the Relying Party Trust Entity ID

  1. Select AD FS → Relying Party Trust from the left-hand navigation panel

  2. Select the Relying Party Trust created in Step 1.

  3. Select the Identifiers tab.

  4. Enter urn:auth0:lexio-prod:$CONNECTION_NAME in the Relying Party Identifier field. Click Add to add the identifier to the list of known and trusted identifiers.

    1. Replace $CONNECTION_NAME with the name of the Auth0 SAML connection.


4. Export Signing Certificate

  1. Select AD FS → Service → Certificate from the left-hand navigation panel

  2. Select Token-Signing certificate, and right click on the certificate to select View Certificate

  3. Click Copy to File... from the Details tab. This will launch the Certificate Export Wizard

  4. Click Next on the first page of the Certificate Export Wizard

  5. Choose Base-64 Encoded X.509 (.cer). Click Next

  6. Select the desired export location. Click Next

  7. Click Finish to export the certificate.


5. Once the steps above are complete, please send the Lexio team the following information:

  • Sign In URL

  • Signing Certificate
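
Before sending these details, the trust built in steps 1 to 4 can be checked from PowerShell on the AD FS server. The script below is an added example, not part of the original instructions or of Lexio's tooling; it only reads configuration, and the parameter names `$ConnectionName` and `$CertPath` and the default file name are assumptions.

```powershell
# Added example: read-only check of the trust built in steps 1-4. Run on the AD FS server.
param(
    [Parameter(Mandatory)] [string] $ConnectionName,   # Auth0 SAML connection name
    [string] $CertPath = '.\adfs-token-signing.cer'    # assumed export location (step 4)
)

$identifier = "urn:auth0:lexio-prod:$ConnectionName"
$callback   = "https://auth.lexio.narrativescience.com/login/callback?connection=$ConnectionName"
$problems   = @()

$rp = Get-AdfsRelyingPartyTrust -Identifier $identifier
if (-not $rp) { throw "No relying party trust carries the identifier $identifier" }
if (-not $rp.Enabled) { $problems += 'Relying party trust is disabled' }

# Assertions are delivered only to the endpoints listed here, so the callback must match exactly.
$acs = @($rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' } |
         ForEach-Object { $_.Location.OriginalString })
if ($acs -notcontains $callback) {
    $problems += "Callback URL not found; endpoints present: $($acs -join ', ')"
}

# Every claim from the mapping table must be issued.
# The surrounding quotes keep 'name' from matching 'nameidentifier'.
$claimBase = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/'
foreach ($claim in 'emailaddress', 'name', 'nameidentifier', 'givenname', 'surname') {
    if ($rp.IssuanceTransformRules -notlike ('*"{0}{1}"*' -f $claimBase, $claim)) {
        $problems += "Claim rule does not issue $claimBase$claim"
    }
}

# The exported file must be the certificate AD FS currently signs with (the primary one).
$primary  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                (Resolve-Path $CertPath).Path)
if ($exported.Thumbprint -ne $primary.Thumbprint) {
    $problems += 'Exported certificate is not the primary token-signing certificate'
}
if ($exported.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Exported certificate expires $($exported.NotAfter.ToString('u'))"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"OK: $identifier"
"Token-signing thumbprint (SHA-1): $($exported.Thumbprint)"
```

The printed thumbprint gives the recipient a value to compare against the certificate file they receive.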