Hi,
This post is a continuation of the previous post about ADFS. It covers the following topics:
- Configure ADFS for a Relying Party
- Configure a claim rule
- Export the Token-Signing Certificate
- Test ADFS Connectivity
Let’s begin!
- Configure ADFS for a Relying Party: this step adds a Relying Party Trust on the ADFS server for the SharePoint web application, using the WS-Federation passive protocol.
  - Open the AD FS Management Console
  - Expand the Trust Relationships node
  - Click on the Relying Party Trust node
  - Click on the Add Relying Party Trust link in the right pane to start the Add Relying Party Trust wizard.
  - Click Start on the Welcome screen
  - Select the Enter data about the relying party manually radio button and click Next
  - Enter a Display name; something that describes the SharePoint web application is recommended.
  - Select the AD FS 2.0 profile
  - On the next screen click Next; it is not necessary to select a certificate in this step.
  - Select Enable support for the WS-Federation Passive protocol and enter the URL in the format https://<your_app>/_trust/
  - Configure the Relying party trust identifiers with these values:
    - https://<your_webApp>/
    - urn:sharepoint:portal (this value is descriptive; you can use any value, but remember it, because it is the value you will use when creating the claims authentication provider in SharePoint)
  - Select the Permit all users to access this relying party option and click Next.
  - Click Next on the Ready to Add Trust screen
  - Leave Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checked and click Close
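The same Relying Party Trust can be created with the AD FS PowerShell cmdlets, which is useful for repeating the configuration on a second federation server or keeping it under source control. The following is an added example, not code from the original post: the display name 'SharePoint Portal' and the web application URL https://portal.demos.local/ are assumptions, and the cmdlets are loaded from the AD FS 2.0 Microsoft.Adfs.PowerShell snap-in (on Windows Server 2012 R2 and later they come from Import-Module ADFS instead).

```powershell
# Added example (not from the original post): builds the Relying Party Trust the
# wizard above creates, with the same WS-Federation endpoint, identifiers and
# "Permit all users" authorization rule.
# AD FS 2.0 ships the cmdlets as a snap-in; AD FS on Server 2012 R2+ as a module.
if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
} else {
    Import-Module ADFS
}

$displayName = 'SharePoint Portal'             # assumption: the display name you chose
$webApp      = 'https://portal.demos.local/'   # assumption: your SharePoint web application URL
$wsFedUrl    = $webApp + '_trust/'             # WS-Federation passive endpoint, https://<your_app>/_trust/

# The two identifiers from the wizard step. urn:sharepoint:portal must be the same
# value you later give to the claims authentication provider in SharePoint.
$identifiers = @($webApp, 'urn:sharepoint:portal')

# "Permit all users to access this relying party", written in AD FS claim rule language.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $identifiers `
    -WSFedEndpoint $wsFedUrl `
    -IssuanceAuthorizationRules $permitAll

# Read the trust back and check it matches what the wizard screens describe.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled
```

Run it in an elevated PowerShell session on the federation server. No issuance transform rules are set here, so the trust issues no claims until the claim rule from the next section is added.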
- Configure a claim rule
  - Open the AD FS Management Console
  - Expand the Trust Relationships node
  - Click on the Relying Party Trust node
  - Click on the Edit Claim Rules link in the right pane to open the Edit Claim Rules dialog.
  - Click Add Rule
  - Select Send LDAP Attributes as Claims and click Next
  - Enter a Claim rule name, select the Attribute Store and configure the attribute mapping as shown in the following screen
  - Click Finish; the Relying Party is now configured for use with SharePoint.
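The Send LDAP Attributes as Claims template generates a rule in the AD FS claim rule language, and it is worth seeing that text, because it is what you review when auditing which directory attributes are released to the relying party. The following is an added example, not code from the original post. It assumes the trust is named 'SharePoint Portal' and, since the screenshot with the mapping is not reproduced here, uses the mapping commonly used with SharePoint (E-Mail-Addresses to E-Mail Address, Token-Groups - Unqualified Names to Role); substitute the types and query from your own mapping.

```powershell
# Added example (not from the original post): the "Send LDAP Attributes as Claims"
# rule expressed in claim rule language and applied to the relying party trust.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0; on 2012 R2+ use Import-Module ADFS

$trustName = 'SharePoint Portal'   # assumption: the display name given in the wizard

# Assumed mapping (replace with yours):
#   mail        -> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
#   tokenGroups -> http://schemas.microsoft.com/ws/2008/06/identity/claims/role
# The input claim is the Windows account name AD FS gets from the AD authority;
# the query string is ";<ldap attributes>;{0}" with {0} replaced by that name.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SharePoint LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";mail,tokenGroups;{0}",
          param = c.Value);
'@

# -IssuanceTransformRules replaces the whole rule set on the trust, so keep a copy
# of whatever is there before overwriting it.
$before = (Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
if ($before) { "Existing transform rules (saved in `$before):`n$before" }

Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $ldapRule

# Read the rule back; only the attributes listed in the query leave the directory.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

Keep the list of issued claim types as short as SharePoint needs: every extra attribute in the query is sent in the token to the web application.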
- Export the Token-Signing Certificate
The final step you have to complete on the ADFS server is to export the Token-Signing Certificate. This certificate will be used to create the SPTrustedIdentityTokenIssuer in SharePoint.
  - Open IIS 7 Manager on the Federation Server.
  - Select the server name in the console and double-click the certificates feature. You should see the certificates you configured earlier for ADFS.
  - Double-click the Token-Signing certificate and select the Details tab.
  - Select Copy to File and use these options in the following wizard:
    - No, do not export the private key
    - DER encoded binary X.509 (.CER)
    - Save the file as C:\TokenSign.cer
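Exporting the certificate from PowerShell instead of the IIS wizard lets you check two things before the file is copied to SharePoint: that it is the primary token-signing certificate (the one actually signing tokens right now) and that it contains no private key. The following is an added example, not code from the original post; it writes to C:\TokenSign.cer like the wizard steps and uses the AD FS 2.0 snap-in.

```powershell
# Added example (not from the original post): exports the primary token-signing
# certificate, public part only, DER-encoded, and verifies the file before use.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0; on 2012 R2+ use Import-Module ADFS

$outFile = 'C:\TokenSign.cer'

# Only the primary token-signing certificate signs tokens; with automatic
# certificate rollover a secondary one may also be listed, so filter on IsPrimary.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# X509ContentType::Cert exports the certificate alone as DER bytes, never the
# private key: the same result as "No, do not export the private key" + DER in the wizard.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outFile, $der)

# Re-read the file and confirm it is the same certificate and is key-less.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $outFile
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported file does not match the primary token-signing certificate"
}
if ($exported.HasPrivateKey) {
    throw "Exported file unexpectedly contains a private key"
}

"Token-signing certificate {0} (valid until {1}) written to {2}" -f $cert.Thumbprint, $cert.NotAfter, $outFile
```

Record the thumbprint and the NotAfter date: when the token-signing certificate rolls over, SharePoint's SPTrustedIdentityTokenIssuer must be updated with the new certificate or every token will be rejected.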
- Test ADFS Connectivity
Finally, it is good practice to verify that your configuration is working. You can do so in two steps:
  - Access the WS-Metadata Exchange Endpoint:
    - https://adfslogon.demos.local/adfs/services/trust/mex
  - Access the Federation Metadata Endpoint:
    - https://adfslogon.demos.local/FederationMetadata/2007-06/federationmetadata.XML
  - In both URLs you should see an XML page.
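Both checks can be scripted, and the federation metadata allows one more useful check: the signing certificate ADFS publishes there should be the one you exported in the previous step, otherwise SharePoint will not be able to validate the tokens it receives. The following is an added example, not code from the original post; it uses the adfslogon.demos.local host and the C:\TokenSign.cer path from the post, and relies on System.Net.WebClient so it also runs on PowerShell 2.0 where Invoke-WebRequest is not available.

```powershell
# Added example (not from the original post): fetches the two endpoints, checks
# that each returns well-formed XML, and compares the signing certificate in the
# federation metadata with the exported file.
$adfsHost = 'adfslogon.demos.local'   # from the post
$mexUrl   = "https://$adfsHost/adfs/services/trust/mex"
$metaUrl  = "https://$adfsHost/FederationMetadata/2007-06/federationmetadata.XML"
$certFile = 'C:\TokenSign.cer'        # from the export step

$web = New-Object System.Net.WebClient

# Step 1 and 2: both URLs must answer with an XML document.
foreach ($url in $mexUrl, $metaUrl) {
    try {
        [xml]$doc = $web.DownloadString($url)   # the [xml] cast throws if the body is not XML
        "OK   {0} -> root element <{1}>" -f $url, $doc.DocumentElement.LocalName
    } catch {
        "FAIL {0}: {1}" -f $url, $_.Exception.Message
    }
}

# Federation metadata: entityID is the issuer name SharePoint will trust, and the
# <KeyDescriptor use="signing"> elements carry the token-signing certificate(s).
[xml]$meta = $web.DownloadString($metaUrl)
$ns = New-Object System.Xml.XmlNamespaceManager $meta.NameTable
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

"Issuer (entityID): " + $meta.DocumentElement.GetAttribute('entityID')

$published = $meta.SelectNodes('//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns) |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)).Thumbprint
    } | Sort-Object -Unique

$exported = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile).Thumbprint
"Published signing thumbprints: " + ($published -join ', ')
if ($published -contains $exported) {
    "Exported $certFile matches a signing certificate published in the metadata"
} else {
    "WARNING: exported certificate $exported is not in the metadata; re-export it (certificate rollover?)"
}
```

Run this from a machine that trusts the SSL certificate of the ADFS site, since WebClient fails on an untrusted HTTPS certificate; that failure is itself a finding worth fixing before SharePoint users hit the same endpoint.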