This document assumes that the ADFS 3.0 software component is properly configured in the Active Directory domain.
Exchange XML Metadata Files
- Locate your ADFS XML metadata. This information can be found at this address: https://[SERVER_FQDN]/FederationMetadata/2007-06/FederationMetadata.xml
- Download the XML file, or copy and paste the text into a text document, and send this to MIE.
- MIE will send back an XML metadata file. Save this file on the ADFS server and be sure the file extension is XML.
Add Relying Party Trust
-
On the ADFS server, open the Server Manager.
-
Click Tools, and select AD FS Management
-
In the AD FS Management MMC, expand AD FS and Trust Relationships.
-
Click on Add Relying Party Trust in the right pane (or from the context [right-click] menu on the folder tree).
-
Click Start.
-
Select Import data about the relying party from a file.
-
Browse to and select the XML document that was provided by MIE.
-
Click Next.
-
Give the Relying Party a proper name and description, and then click Next.
-
Leave this set to I do not want to configure multi-factor authentication settings…
-
Click Next.
-
Leave this set to Permit all users to access this relying party, and then click Next.
-
Click Next - Do not change any settings on this page.
Edit Claim Rules
-
In the AD FS MMC, expand the Trust Relationships and click on Relying Parties Trusts.
-
Right-click the new Relying Party that was just created, and select Edit Claim Rules…
-
Click Add Rule…
-
Select Send LDAP Attributes as Claims from the dropdown list.
-
Click Next.
-
In the Claim rule name field enter Get LDAP Attributes.
-
For the Attribute store field, select Active Directory from the drop down list.
-
In the mapping table, select E-Mail-Addresses from the dropdown list under LDAP Attribute (Select type…).
-
Select E-Mail Address from the dropdown list under the Outgoing Claim Type…
-
Click Finish.
-
Click Add Rule…, again.
-
Select Transform an Incoming Claim from the Claim rule template dropdown list.
-
Click Next.
-
Name the Claim rule Email to Name ID.
-
Select E-Mail Address from the Incoming claim type dropdown list.
-
Select Name ID from the Outgoing claim type dropdown list.
-
Select Email from the Outgoing name ID format dropdown list.
-
Click Finish.
-
Click OK.
Set Relying Partying SAML Logout Endpoint & Secure Hash Algorithm
-
In the AD FS MMC, expand the Trust Relationships and click on Relying Parties Trusts.
-
Double-click the new Relying Party Trust (or right-click and select Properties).
-
Click the Endpoints tab.
-
Click Add SAML…
-
Select SAML Logout from the Endpoint type dropdown menu.
-
Make sure that POST is selected from the Binding drop down menu.
-
Enter the ADFS server sign-out URL in the Trusted URL field. The default URL is: https://[SERVER_FQDN]/adfs/ls/?wa=wsignout1.0
-
Click OK to close the Add an Endpoint window.
Configure AD Access Groups (Optional)
-
In the AD FS MMC, expand the Trust Relationships and click on Relying Parties Trusts.
-
Right-click the new Relying Party just created, and select Edit Claim Rules…
-
Click the Issuance Authorization Rule tab.
-
Click Add Rule…
-
Select Permit or Deny Users Based on Incoming Claim from the dropdown list.
-
Enter a claim rule name.
-
Select the appropriate criteria from the Incoming claim type drop down list. In this example, we are basing it on AD group.
Restart the ADFS Service
-
On your ADFS server, open the Server Manager.
-
Click Tools, and select Services.
-
Right-click the Active Directory Federation Services service.
-
Click Restart.
Customize ADFS User Sign-in Page (Optional)
Options for changing the way your user sign-in page looks and behaves can be found here: