Establishing a trust: The ADFS example

This topic describes the configuration steps when ADFS is used as the secure token service.

Procedure

  1. Log on to the ADFS server using administrative credentials.
  2. From the Server Manager, click Tools > AD FS Management to start the ADFS Management Console.
  3. In the tree, follow AD FS > Service > Claim Descriptions.
    You see a list of predefined claim descriptions. A claim description is a combination of name and claim type. Claim descriptions simplify the configuration of claims transformation rules.
  4. Check whether a claim description named Display Name with the claim type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname exists. If it doesn't:
    1. Click Add Claim Description...
    2. Fill in Display Name for the Display Name.
    3. Fill in http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname for the Claim Identifier.
    4. Check the checkbox Publish the claim description in the federation metadata as a claim type that this Federation Service can send.
    A claim description named Display Name with the claim type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname now exists.
  5. Check whether a claim description named Department with the claim type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department exists. If it doesn't:
    1. Click Add Claim Description...
    2. Fill in Department for the Display Name.
    3. Fill in http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department for the Claim Identifier.
    4. Check the checkbox Publish the claim description in the federation metadata as a claim type that this Federation Service can send.
    A claim description named Department with the claim type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department now exists.
  6. In the tree, follow Trust Relationships > Relying Party Trusts.
  7. Click Add Relying Party Trust.

    The Add Relying Party Trust Wizard starts.

  8. Click Start.
  9. On the Select Data Source page, select Enter data about the relying party manually. Click Next.
  10. On the Specify Display Name page, specify a name under Display name (for example, Collaborative Review), and then specify any additional notes to describe the application (for example, it might be helpful to specify the server name and IP address). Click Next.
  11. On the Choose Profile page, select AD FS profile. Click Next.
  12. On the Configure Certificate page just click Next.
  13. On the Configure URL page:
    1. Select Enable support for the WS-Federation Passive protocol.
    2. Under Relying party WS-Federation Passive protocol URL, specify the URL of the Collaborative Review web application.

      For example:

      https://example.com/KnowledgeCenterAppName/

    3. Click Next.
  14. On the Configure Identifiers page, just click Next.
    The URL entered in the previous step is already listed.
  15. On the Configure Multi-Factor authentication type now? page, just click Next.
    The expected default value is I do not want to configure multi-factor authentication settings for this relying party trust at this time.
  16. On the Choose Issuance Authorization Rules page, just click Next.
    The expected default value is Permit all users to access this relying party.
  17. On the Ready to Add Trust page, confirm your selections by exploring the tabs, and then click Next to add the relying party trust to the ADFS configuration database.
  18. On the Finish page, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and then click Close.

    A dialog box for editing the claim rules for the Collaborative Review relying party appears.

  19. On the Issuance Transform Rules tab, click Add Rule.

    The Add Transform Claim Rule Wizard opens.

  20. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list.
  21. On the Configure Claim Rule page, specify these settings:
    Claim rule name
    Specify a descriptive name (for example, Mappings for Output).
    Attribute store
    Select Active Directory from the list.
    Mapping of LDAP attributes to outgoing claim types
    Specify these mappings:
    LDAP attribute        Outgoing claim type
    Department            Department
    E-Mail-Addresses      E-Mail Address
    Given-Name            Given Name
    Surname               Surname
    Title                 Role
    User-Principal-Name   Name ID
    Display-Name          Display Name
  22. Click Finish and Apply to apply the claim rule changes, and then click OK to exit the wizard.

Results

A relying party trust was created on ADFS for Collaborative Review. With this trust, a user can authenticate on ADFS for Collaborative Review, and ADFS then issues a token populated with the claim set generated by the claims transformation rules.