Meet ComplAIIntelligence: Your AI-powered teammate for risk & complianceLearn more
All integration guides

Help Center · Integration guide

Microsoft AD FS

Complete reference for Microsoft AD FS — product details, ComplAI connection steps, GRC evidence mapping, and troubleshooting. All information is hosted in the Propel Ready Solutions Help Center.

Product information

Active Directory Federation Services for on-premises SSO.

Deployment
On-premises
Installed in your data centre or private cloud. May require an on-network connector, agent, or VPN for ComplAI to reach APIs.
Categories
SSO

Key capabilities

  • SAML
  • WS-Federation
  • AD integration
  • Claims rules

Typical use cases

  • Federated single sign-on for SaaS and internal applications
  • Application access inventory for periodic access reviews

Connection methods

  • SAML/OIDC metadata exchange
  • IdP admin API for app assignments
  • SCIM app provisioning logs
  • Access report exports

Documentation topics

Review the following areas in Microsoft AD FS admin and product documentation before connecting to ComplAI:

  • Admin console setup and service account creation
  • API authentication, scopes, and rate limits
  • Audit log export and retention settings
  • Security hardening and least-privilege configuration

ComplAI integration overview

Microsoft AD FS integrates with ComplAI to support Propel Ready Solutions's GRC program. Active Directory Federation Services for on-premises SSO. This guide covers product context, the recommended connection process, prerequisites, and verification steps for audit-ready evidence collection.

Last updated: 2026-06-24

GRC evidence available

  • Federated application catalog
  • User-to-app assignments
  • MFA policy compliance
  • Failed authentication trends
  • SAML metrics and configuration evidence
  • WS-Federation metrics and configuration evidence

Prerequisites

  • Named integration owner and backup contact at Propel Ready Solutions
  • Change request approved per Propel Ready Solutions change management policy
  • Network egress allowlisting completed if required by vendor
  • ComplAI organization administrator access
  • Admin or integration-builder role in Microsoft AD FS
  • Microsoft AD FS product documentation reviewed (see Documentation topics below)
  • On-premises connector or agent deployed in approved network zone

Integration process

  1. Step 1

    Plan Microsoft AD FS integration scope

    Confirm which SAML and WS-Federation capabilities will be connected first. Start with read-only ingestion before enabling write actions.

  2. Step 2

    Inventory federated applications

    List all SaaS and internal apps using SSO; record SAML/OIDC metadata URLs and attribute mappings.

  3. Step 3

    Configure SSO federation metadata

    Exchange IdP/SP metadata with application owners and enforce MFA at the identity provider for all SSO apps.

    • Validate NameID / subject mapping for each application
    • Disable local accounts where SSO is mandatory
    • Configure session timeout and re-authentication for sensitive apps
  4. Step 4

    Connect ComplAI for access evidence

    Pull application assignment reports from the SSO/IdP platform to support access reviews.

  5. Step 5

    Test failover and break-glass

    Document emergency access procedures and test break-glass accounts quarterly.

  6. Step 6

    Mark integration complete in ComplAI

    Update integration status to Connected, attach configuration evidence, and link mapped controls in the Controls library.

GRC benefits

  • Federated authentication evidence for access control policies
  • Reduced password sprawl and enforced MFA at the identity provider
  • Application access inventory for access reviews and SOC 2 CC6.1

Related controls

ISO A.5.15ISO A.5.16ISO A.8.5SOC 2 CC6.1SOC 2 CC6.6

Verification checklist

  • Integration credentials stored securely and rotation scheduled
  • Test sync completed successfully with sample records
  • Error alerting configured for failed sync or API rate limits
  • Control mappings documented in ComplAI
  • Evidence sample exported and reviewed by control owner
  • Runbook link attached to related controls

Troubleshooting

Authentication or API permission errors

Verify API scopes, token expiry, and service account status in the vendor admin console. Regenerate credentials if needed.

Partial or stale data in ComplAI

Check sync schedule, pagination limits, and filter rules. Run a full reconciliation sync after correcting configuration.

Network connectivity failures

Confirm firewall egress rules, proxy settings, and IP allowlists on both sides of the integration.