Using AD FS as Your Identity Provider
AD FS (Active Directory Federation Services) is a service that allows federation partners to share identities. To integrate with AD FS, do the following:
- In AD FS, retrieve IdP (identity provider) metadata
- In the Admin Console, add a SAML application
- In AD FS, create a relying party trust
Before You Begin
- Use the Microsoft Server Manager to install the AD FS role service. For instructions, see the Microsoft documentation topic Install the AD FS Role Service.
- Important: AD FS only accepts a relying party trust whose metadata endpoints use HTTPS URLs, so your Web Console must be served over HTTPS before you generate the SP metadata.
Retrieving the IdP Metadata
- To open the AD FS Management console, from the Microsoft Server Manager, in the upper right, expand Tools, and then click AD FS Management.
- In the left navigation pane, expand AD FS > Service, and then click Endpoints.
- In the right pane, under Endpoints > Metadata, in the Federation Metadata row, copy the URL path.
For example, copy FederationMetadata/2007-06/FederationMetadata.xml
- Add the host name of the AD FS computer to the URL path you copied as follows:
- To retrieve the IdP (identity provider) metadata, in a browser, paste the complete URL.
- Save the IdP metadata as an XML file.
- Leave the AD FS Management console open.
Creating a SAML app in the Admin Console
- Open the Admin Console.
- From the navigation pane, go to Security > Identity servers, and then create the SAML app using the IdP metadata file that you saved.
For information about adding a SAML application in the Admin Console, see Adding Identity Servers.
- After the SP (service provider) metadata is generated, place the SP metadata on the AD FS machine.
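As an added check (example code, not part of this product or of AD FS), the script below parses the two metadata files exchanged above: it pulls the entityID, SingleSignOnService endpoints and token-signing certificate count from the IdP metadata you saved, and scans the generated SP metadata for any non-HTTPS endpoint, which is the condition that makes the AD FS wizard reject the import. The host names and certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def idp_summary(metadata_xml):
    """Fields you carry into the SAML app from AD FS federation metadata.
    The entityID is an identifier, not an endpoint, so AD FS's conventional
    http:// value there is normal; only the Location URLs must be HTTPS."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(MD + "IDPSSODescriptor")
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall(MD + "SingleSignOnService")}
    # A KeyDescriptor without a 'use' attribute is valid for signing too.
    certs = [k for k in idp.findall(MD + "KeyDescriptor")
             if k.get("use", "signing") == "signing"]
    return {"entityID": root.get("entityID"), "sso": sso,
            "signing_certs": len(certs)}

def non_https_endpoints(metadata_xml):
    """Every endpoint Location that is not HTTPS. AD FS refuses to import a
    relying party trust whose metadata contains one, so run this on the SP
    metadata before copying it to the AD FS machine."""
    root = ET.fromstring(metadata_xml)
    return [el.get("Location") for el in root.iter()
            if el.get("Location") is not None
            and urlsplit(el.get("Location")).scheme.lower() != "https"]

# Constructed sample inputs (placeholder hosts, placeholder certificate).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://adfs.example.test/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.example.test/adfs/ls/"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://adfs.example.test/adfs/ls/"/>
 </IDPSSODescriptor></EntityDescriptor>"""

SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://console.example.test/saml/sp">
 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://console.example.test/saml/acs" index="0"/>
 </SPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":
    print(idp_summary(IDP_METADATA))
    print("non-HTTPS SP endpoints:", non_https_endpoints(SP_METADATA))
```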
Creating a Relying Party Trust
- From the AD FS Management console, in the left navigation pane, expand AD FS > Trust Relationships.
- Right-click Relying Party Trusts, and then click Add Relying Party Trust.
The Welcome page of the Add Relying Party Trust Wizard window appears.
- Click Start.
- On the Select Data Source page, click Import data about the relying party from a file.
- In the Federation metadata file location box, browse to the location of the SP metadata that you placed on the AD FS machine.
- Click Next.
- Continue to go through the wizard, referring to Microsoft documentation to configure additional features such as multi-factor authentication and issuance authorization rules.
- After you complete the wizard, click Close.
The Edit Claim Rules dialog box appears.
- On the Issuance Transform Rules tab, click Add Rule.
The Select Rule Template page of the Add Transform Claim Rule Wizard window appears.
- From the Claim rule template list, click Send LDAP Attributes as Claims.
- Click Next.
The Configure Rule page appears.
- In the Claim rule name box, enter a name for the rule.
- From the Attribute store list, click Active Directory.
- In the Mapping of LDAP attributes to outgoing claim types table, add the LDAP attribute and the outgoing claim type:
- From the LDAP Attribute list, select either Email Addresses or User-Principal-Name.
- From the Outgoing Claim Type list, select Name ID.
- Click Finish, and then click OK.
Last modified: 5/8/2018 8:26:23 PM