Issue setting up testbed with SDL KC CM 2016 SP3 using AD FS 3.0 as the identity provider

Hi!
I am working on setting up a test environment of SDL KC CM 2016 SP3 using AD FS 3.0 as the identity provider. However, I am facing issues configuring the CMS part. The setup is based on a Windows 2012 R2 Active Directory test domain and uses an MS SQL 2014 database.
I've referred to the official documentation, the release notes document and the ISHDeploy.12.0 documentation as none of them seems to give information sufficient for the user to create a setup on his own.
I've listed the inputparameters for reference. The error that I got was a .NET application error that no profile was found. The redirection to the ADFS address works and after I insert the proper credentials (tested with several domain accounts), the error is displayed. The ADFS setup contains one server with basic configuration - dedicated especially for this testbed. The certificates are also configured correctly.

<param name="issuerwstrustbindingtype">
      <currentvalue>WindowsMixed</currentvalue>
      <defaultvalue/>
      <description>Specify the binding type that is required by the end point of the WS-Trust issuer. Two valid binding types are UserNameMixed and WindowsMixed. When specifying UserNameMixed the matching input parameters issueractorusername and issueractorpassword must be set. When specifying WindowsMixed the matching input parameters issueractorusername and issueractorpassword must be empty as the principal of the service user (osuser) will be used as credentials.</description>
      <validate>wstrustbindingtype</validate>
   </param>
   <param name="issueractorusername">
      <currentvalue>cms\svc.techpubscms</currentvalue>
      <defaultvalue/>
      <description>When an application must delegate the incoming claim set to another application; the acting application must have a valid username to request a token delegation.</description>
      <validate/>
   </param>
   <param name="issueractorpassword">
      <currentvalue></currentvalue>
      <defaultvalue/>
      <description>When an application must delegate the incoming claim set to another application; the acting application must have a valid password to request a token delegation.</description>
      <validate>askpasswordtwiceifempty</validate>
   </param>
   <param name="issuerwstrustendpointurl">
      <currentvalue>adfs.cms.cso/...</currentvalue>
      <defaultvalue/>
      <description>The WS-Trust endpoint for the Security Token Service that provides the functionality to issue tokens as specified by the issuerwstrustbindingtype. When using the built-in STS, use the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wstrust/mixed/username when issuerwstrustbindingtype is UserNameMixed resulting in for example example.com/.../username or when issuerwstrustbindingtype is WindowsMixed use  the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wstrust/mixed/windows.</description>
      <validate/>
   </param>
   <param name="issuerwstrustmexurl">
      <currentvalue>adfs.cms.cso/...</currentvalue>
      <defaultvalue/>
      <description>The WS-Trust metadata address for the Security Token Service. Optionally when using the built-in STS you should use the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wstrust/mex resulting in for example example.com/...</description>
      <validate/>
   </param>
   <param name="issuerwsfederationendpointurl">
      <currentvalue>adfs.cms.cso/...</currentvalue>
      <defaultvalue/>
      <description>The WS-Federation endpoint for the Security Token Service that provides the functionality to issue tokens for browsers (Passive Profile). Optionally when using the built-in STS you should use the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wsfed resulting in for example example.com/...</description>
      <validate/>
   </param>
   <param name="serviceusername">
      <currentvalue></currentvalue>
      <defaultvalue/>
      <description>Any service requesting automated access to the system will use this account.</description>
      <validate/>
   </param>
   <param name="servicepassword">
      <currentvalue></currentvalue>
      <defaultvalue/>
      <description>Any service requesting automated access to the system will use this account.</description>
      <validate>askpasswordtwiceifempty</validate>
   </param>

I've also tried supplying the serviceuser name (same as osuser), supplying only the serviceuser name and removing the actor name (as referenced in the ISHDeploy docs). The results are the same.

I'd appreciate it if you could let me know what I am missing in the configuration.

Thanks in advance!
Best Regards,
Alexandra
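
An added example, not part of the original post and not SDL or ISHDeploy code: a Python check of the rules that the issuerwstrustbindingtype and issuerwstrustendpointurl descriptions above state for the binding type, the actor credentials and the built-in STS endpoint path. The sample XML, its root element name and all of its values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the <param>/<currentvalue> layout quoted in the post.
# Root element name and all values are placeholders (assumptions).
SAMPLE = """<inputconfig>
  <param name="issuerwstrustbindingtype"><currentvalue>WindowsMixed</currentvalue></param>
  <param name="issueractorusername"><currentvalue>EXAMPLE\\svc.account</currentvalue></param>
  <param name="issueractorpassword"><currentvalue></currentvalue></param>
  <param name="issuerwstrustendpointurl"><currentvalue>https://sts.example.com/placeholder/windowsmixed</currentvalue></param>
</inputconfig>"""

# Built-in STS endpoint suffix per binding type, as given in the parameter description.
BUILTIN_SUFFIX = {
    "UserNameMixed": "/issue/wstrust/mixed/username",
    "WindowsMixed": "/issue/wstrust/mixed/windows",
}

def read_params(xml_text):
    """Map each <param name=...> to its stripped <currentvalue> ('' when empty)."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.findtext("currentvalue") or "").strip()
            for p in root.iter("param")}

def check_issuer_params(xml_text):
    """Return findings as strings; values (passwords included) are never echoed."""
    p = read_params(xml_text)
    binding = p.get("issuerwstrustbindingtype", "")
    if binding not in BUILTIN_SUFFIX:
        return ["issuerwstrustbindingtype must be UserNameMixed or WindowsMixed"]
    findings = []
    for name in ("issueractorusername", "issueractorpassword"):
        value = p.get(name, "")
        if binding == "WindowsMixed" and value:
            findings.append(f"{name} must be empty with WindowsMixed")
        if binding == "UserNameMixed" and not value:
            findings.append(f"{name} must be set with UserNameMixed")
    url = p.get("issuerwstrustendpointurl", "").lower().rstrip("/")
    for other, suffix in BUILTIN_SUFFIX.items():
        if other != binding and url.endswith(suffix):
            findings.append(f"issuerwstrustendpointurl ends in the {other} path but binding is {binding}")
    return findings

if __name__ == "__main__":
    for finding in check_issuer_params(SAMPLE) or ["no findings"]:
        print(finding)
```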
