Lifesize Admin Console

Last Updated: Jul 03, 2025

Configure using AD FS

These instructions assume you are using the Microsoft Active Directory Federation Services (AD FS) 2.0 identity framework. If you are using a later version, make sure that Intranet Forms Authentication is enabled (Authentication Policies > Primary Authentication > Intranet Forms Authentication).

Configure AD FS

  1. Sign in to your AD FS management console.
  2. In the left navigation pane, select Relying Party Trust. In the right navigation pane, click Add Relying Party Trust.
  3. Click Start.
  4. In Select Data Source, choose Enter data about the relying party manually.
  5. In Specify Display Name, enter a name (for example, Lifesize Cloud) for the relying party you are creating (plus any notes).
  6. Choose AD FS 2.0 profile.
  7. Navigate to Service > Certificates.
  8. Select Token Signing Certificate and right-click to open Properties. In the details pane of the certificate, export to a Base-64 CER file.
  9. Open the Base-64 CER file in a text editor and paste the contents into the X.509 certificate section in the admin pane, making sure to include the -Begin- and -End- sections.
  10. Copy and save the Lifesize X.509 security certificate to a file named lifesize.crt.

  11. In AD FS > Configure Certificate, use the Browse button to locate the certificate and upload it, then click Next.
  12. In Configure URL, select Enable support for the SAML 2.0 WebSSO protocol and enter this URL: https://login.lifesizecloud.com/ls/?acs
  13. In Configure Identifiers, enter this URL in Relying party trust identifier, making sure to include the closing slash (/): https://login.lifesizecloud.com/ls/metadata/
  14. Click Add to move the identifier to the display list, then click Next.
  15. In Choose Issuance Authorization Rules, select Permit all users to access this relying party, then click Next.
  16. In Ready to Add Trust, review the settings, then click Next to add the relying party trust to the AD FS configuration database.

You have created and defined a relying party. Next, create a claim rule determining how this relying party communicates with Active Directory.

Add a Claim Rule

  1. If the Edit Claims Rules window is not open, right-click on the relying party you created (Trust Relationships > Relying Party Trusts) and select Edit Claim Rules.
  2. Select the Issuance Transform Rules tab, then click Add Rule.
  3. In Select Rule Template, choose Send LDAP Attributes as Claims from the claim rule template dropdown menu, then click Next.
  4. In Configure Rule, name the claim rule, using a name that describes its purpose (for example, Get Email attributes from AD).
  5. Select Active Directory in the attribute store dropdown menu.
  6. Map your local LDAP Attributes to the matching Outgoing Claim Types values. Attribute names or statements (Given Name, Surname, Email Address) must match those in Lifesize Cloud.
  7. Click Finish.
  8. In Edit Claim Rules, select the Issuance Transform Rules tab, then click Add Rule.
  9. In Select Rule Template, choose Send Claims Using a Custom Rule, then click Next.
  10. Assign a name, then enter this definition in the Custom rule field:

        c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
         => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
            Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
            Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
            Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://login.lifesizecloud.com/ls/metadata/");

  11. Click Finish, then click OK or Apply to save the rule.
  12. In the main AD FS window, select Relying Party Trusts from the left navigation.
  13. Right-click the Relying Party Trust you just added and select Properties.
  14. Select the Signature tab, then click Add...
  15. Browse to the lifesize.crt certificate file you saved earlier, and upload it to AD FS.
  16. Select the Advanced tab, and set Secure hash algorithm to SHA-1.
  17. Click OK when complete.

Configure, Test, and Enable SSO in the Lifesize app

Setting up AD FS on your Windows server automatically creates an XML-based metadata file at:

https://Your_Domain_Name/FederationMetadata/2007-06/FederationMetadata.xml

This metadata is exchanged between AD FS and the Lifesize app when a user is authenticated, forming the basis for a relying trust.

First, locate the FederationMetadata.xml file on your Windows server. Open it with any standard text editor.

  1. Sign in to the Lifesize admin console.
  2. Click on your profile name and choose Advanced Settings.
  3. Go to SSO Integration > SSO Configuration and complete these fields using the contents of your AD FS metadata file:
    • Identity Provider Issuer: Copy the <entityID> attribute from your metadata file and paste the URL in this field.
      For example, if your <entityID> attribute looks like this:

          <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
            entityID="http://your_domain/adfs/services/trust"
            ID="_ad6616ef-6c0d-4866-b8ed-4d2c24e98e91">

      Your entry for this field is: http://your_domain/adfs/services/trust
    • Login URL: Copy the <SingleSignOnService Location> attribute from your metadata file and paste the URL in this field.
      For example, if your <SingleSignOnService Location> attribute looks like this:

          <SingleSignOnService Location="https://your_domain/adfs/ls/"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>

      Your entry for this field is: https://your_domain/adfs/ls
    • Certificate: Copy the X.509 security certificate from the <Signature> definition of your metadata file, and then paste it in this field.
    NOTE: Do not use the certificate contained in the <KeyDescriptor> definition.
  4. In SAML Attribute Mapping, enter the URI values from your metadata file for the following mapping attributes:
    • First Name: If your metadata file contains a claim type describing first name like this:

          <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
            Optional="true" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
            <auth:DisplayName>Given Name</auth:DisplayName>
            <auth:Description>The given name of the user</auth:Description>
          </auth:ClaimType>

      Your entry in the First Name field is: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    • Last Name: Follow the same method for the surname attribute. In this example, your entry is: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    • Email: Follow the same method for the email address attribute. In this example, your entry is: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  5. Click Test to validate your settings with the AD FS identity provider server.
  6. Once testing is successful, select Enable SSO, then click Update.
  7. Click Save.
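
The field lookups in steps 3 and 4 can be scripted instead of copied by hand. The following is an added example, not part of the Lifesize documentation: it parses a constructed, trimmed stand-in for FederationMetadata.xml (certificate bodies are placeholders) and returns the form values, taking the certificate only from the top-level <Signature> and never from <KeyDescriptor>. The function name lifesize_sso_fields and the sample's display names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed, trimmed stand-in for FederationMetadata.xml; the certificate
# bodies are placeholders, not real certificates.
SAMPLE = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}"
    xmlns:auth="{NS['auth']}" ID="_constructed"
    entityID="http://your_domain/adfs/services/trust">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>SIGNATURE_CERT_PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <RoleDescriptor>
    <auth:ClaimType Uri="{CLAIMS}givenname"><auth:DisplayName>Given Name</auth:DisplayName></auth:ClaimType>
    <auth:ClaimType Uri="{CLAIMS}surname"><auth:DisplayName>Surname</auth:DisplayName></auth:ClaimType>
    <auth:ClaimType Uri="{CLAIMS}emailaddress"><auth:DisplayName>E-Mail Address</auth:DisplayName></auth:ClaimType>
  </RoleDescriptor>
  <IDPSSODescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>KEYDESCRIPTOR_CERT_PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your_domain/adfs/ls/"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://your_domain/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def lifesize_sso_fields(metadata_xml):
    """Return the values the SSO Configuration form asks for."""
    root = ET.fromstring(metadata_xml)
    # Direct child <Signature> only, so <KeyDescriptor> certificates are skipped.
    cert = root.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None:
        raise ValueError("no certificate in the top-level <Signature>")
    endpoints = root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    sso = next((s for s in endpoints if s.get("Binding") == REDIRECT), None)
    if sso is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    claims = {c.findtext("auth:DisplayName", namespaces=NS): c.get("Uri")
              for c in root.iterfind(".//auth:ClaimType", NS)}
    return {"issuer": root.get("entityID"),
            # The page's example entry drops the trailing slash of Location.
            "login_url": sso.get("Location").rstrip("/"),
            "certificate": "".join(cert.split()),  # unwrap multi-line base64
            "claims": claims}
```

Run it against your own metadata file by passing the file's text to lifesize_sso_fields, then compare the result with what you entered in the admin console.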