Establishing a trust: The ADFS example
The configuration steps when using ADFS as the secure token service.
Procedure
- Log on to the ADFS server using administrative credentials
- From the Server Manager, click Tools > AD FS Management to start the ADFS Management Console.
- In the tree follow AD FS > Service > Claim Descriptions
  You see a list of predefined claim descriptions. A claim description is a combination of name and claim type. Claim descriptions simplify the configuration of claims transformation rules.
- Check if a claim description for Display Name with a claim type having the description http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname exists. If it doesn't, then:
  - Click Add Claim Description...
  - Fill in Display Name for the Display Name.
  - Fill in http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname for the Claim Identifier.
  - Check the checkbox Publish the claim description in the federation metadata as a claim type that this Federation Service can send.
  A claim description for Display Name with a claim type having the description http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname now exists.
- Check if a claim description for Department with a claim type having the description http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department exists. If it doesn't, then:
  - Click Add Claim Description...
  - Fill in Department for the Display Name.
  - Fill in http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department for the Claim Identifier.
  - Check the checkbox Publish the claim description in the federation metadata as a claim type that this Federation Service can send.
  A claim description for Department with a claim type having the description http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department now exists.
- In the tree, follow Trust Relationships > Relying Party Trusts.
- Click Add Relying Party Trust.
The Add Relying Party Trust Wizard starts.
- Click Start.
- On the Select Data Source page, select Enter data about the relying party manually. Click Next.
- On the Specify Display Name page, specify a name under Display name (for example, Collaborative Review), and then specify any additional notes to describe the application (for example, it might be helpful to specify the server name and IP address). Click Next.
- On the Choose Profile page, select AD FS profile. Click Next.
- On the Configure Certificate page just click Next.
- On the Configure URL page:
- Select Enable support for the WS-Federation Passive protocol.
  - Under Relying party WS-Federation Passive protocol URL, specify the URL of the Collaborative Review web application. For example:
    https://example.com/KnowledgeCenterAppName/
    Note: The trailing slash (/) is important.
  - Click Next.
- On the Configure Identifiers page, just click Next.
The URL filled in the previous step is already populated in the list.
- On the Configure Multi-Factor authentication type now? page, just click Next.
The expected default value is I do not want to configure multi-factor authentication settings for this relying party trust at this time.
- On the Choose Issuance Authorization Rules page, just click Next.
The expected default value is Permit all users to access this relying party.
- On the Ready to Add Trust page, confirm your selections by exploring the tabs, and then click Next to add the relying party trust to the ADFS configuration database.
- On the Finish page, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and then click Close.
A dialog box for editing the claim rules for the Collaborative Review product appears.
- On the Issuance Transform Rules tab, click Add Rule.
The Add Transform Claim Rule Wizard opens.
- On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list.
Note: Unless specified otherwise, clicking Next is an assumed step to proceed for all subsequent steps.
- On the Configure Claim Rule page, specify these settings:
  - Claim rule name: specify a descriptive name (for example, Mappings for Output).
  - Attribute store: select Active Directory from the list.
  - Mapping of LDAP attributes to outgoing claim types: specify these mappings:

    | LDAP attribute      | Outgoing claim type |
    |---------------------|---------------------|
    | Department          | Department          |
    | E-Mail-Addresses    | E-Mail Address      |
    | Given-Name          | Given Name          |
    | Surname             | Surname             |
    | Title               | Role                |
    | User-Principal-Name | Name ID             |
    | Display-Name        | Display Name        |

- Click Finish and Apply to apply the claim rule changes, and then click OK to exit the wizard.
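The same trust can be created with the AD FS PowerShell module instead of the wizard, which makes the configuration reviewable and repeatable. This is an added example, not part of the original procedure; it assumes the application URL https://example.com/KnowledgeCenterAppName/ and the display name Collaborative Review from the steps above, and the claim rule text encodes the LDAP-attribute-to-claim mapping from the table together with the wizard's Permit all users default.

```powershell
# Added example: the trust from the procedure above, built with the AD FS cmdlets.
# Assumes the application URL and display name used in the procedure.
Import-Module ADFS

$rpName = 'Collaborative Review'
$rpUrl  = 'https://example.com/KnowledgeCenterAppName/'   # trailing slash matters

# 1. Claim descriptions, added only when missing (the same check the procedure makes).
$claimDescriptions = @(
    @{ Name = 'Display Name'; ClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname' },
    @{ Name = 'Department';   ClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department' }
)
foreach ($cd in $claimDescriptions) {
    if (-not (Get-AdfsClaimDescription -ClaimType $cd.ClaimType -ErrorAction SilentlyContinue)) {
        # IsOffered corresponds to "Publish ... as a claim type that this Federation Service can send".
        Add-AdfsClaimDescription -Name $cd.Name -ClaimType $cd.ClaimType -IsOffered $true -IsAccepted $false
    }
}

# 2. Issuance transform rule equivalent to "Send LDAP Attributes as Claims" with the table's mapping.
#    The LDAP names (department, mail, givenName, sn, title, userPrincipalName, displayName) are the
#    directory attributes behind the wizard's friendly names; order matches the claim types list.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Mappings for Output"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname"),
          query = ";department,mail,givenName,sn,title,userPrincipalName,displayName;{0}",
          param = c.Value);
'@

# 3. Issuance authorization rule: the wizard default "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# 4. Relying party trust: WS-Federation passive endpoint and identifier are both the application URL.
Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpUrl -WSFedEndpoint $rpUrl `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules `
    -Notes 'Collaborative Review web application'

# Verify the result.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, WSFedEndpoint
```

Run it in an elevated PowerShell session on the ADFS server; the final Get-AdfsRelyingPartyTrust call shows the identifier and endpoint so the trailing slash can be checked against the application's URL.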