PDF(1.3 MB) View with Adobe Reader on a variety of devices
ePub(1.4 MB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(708.4 KB) View on Kindle device or Kindle app on multiple devices
Updated:July 9, 2026
Document ID:226145
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to configure Active Directory Federation Services as SAML identity provider for external authentication on Cisco ESA and SMA.
Prerequisites
This document provides a view of the third-party application that engineers cannot otherwise see.
Configuration steps for Security Assertion Markup Language (SAML) external authentication with Active Directory Federation Services (AD FS) 2012 and 2016 for Cisco Email Security Appliance (ESA) and Security Management Appliance (SMA) latest versions.
Basic lab-based steps that do not include specialized deployment-specific configurations.
A working example from a lab environment that can differ from a production deployment.
Caution: Complete the service provider (SP) configuration before this procedure. See .
Requirements
Microsoft Active Directory Federation Services (AD FS) 2012 or 2016
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Steps for ADFS IDP Configuration for SAML
Configure the Relying Party Trust
Use one of two options to create the relying party trust in AD FS.
Method A: Create the Relying Party Trust by Importing SP Metadata
Open the ADFSManagement console from AdministrativeTools.
In the AD FS Management console, expand Trusted Relationships, right-click Relying Party Trusts, and then select Add Relying Party Trust.