ADFS 2.0 Configuration ADFS ClaimProvider

8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider

1/15

About This GuideThis guide provides step-by-step instructions for configuring a basic identity federation deployment

between Microsoft Active Directory Federation Services 2! "AD FS 2!# and $ovell Access Manager

"$AM# by using the Security Assertion Mar%up &anguage "SAM 2! "http'((gomicrosoftcom(fwlin%()&in%*d+,./# protocol0 specifically its 1eb rowser SS3 4rofile and 5TT4 43ST binding

Terminology Used in This Guide

Throughout this document0 there are numerous references to federation concepts that are called by

different names in AD FS 2! and SAM& documentation The following table assists in drawing parallels

between the two concepts

AD FS 2.0 Name SAML Name Cone!t

Security To%en Assertion A pac%age of security information0 describing a

user0 created and consumed during a federated

access re6uest

7laims 4rovider *dentity 4rovider

"*D4#

4artner in a federation that creates security

to%ens for users

8elying 4arty Service 4rovider

"S4#

4artner in a federation that consumes security

to%ens for providing access to applications

7laims Assertion

attributes

Data about users that is sent inside security

to%ens

*n this deployment0 you have the option to configure one or both of the following two scenarios'

AD FS 2! as 7laims 4rovider and $AM as 8elying 4arty

$AM as 7laims or *dentity 4rovider and ADFS 2! as 8elying 4arty or Service 4rovider

"rere#uisites and $e#uirements, Two servers0 one to host AD FS 2! and the other to host $AM

2 AD FS 2! is deployed' The test deployment that was created in theAD FS 2! Federation with a

1*F Application Step-by-Step 9uide"http'((gomicrosoftcom(fwlin%()&in%*d+,.:# is used as

starting point for this lab That lab uses a single 1indows Server 2!!; 82 instance

"fswebcontosocom# to host both the AD FS 2! federation server and a 1indows *dentityFoundation "1*F# sample application *t presumes the availability of a


2/15

Note%?ou can download the evaluation version of $AM from $ovell@s download portal

"http'((downloadnovellcom#

Linu& 'n(ironment

$AM nvironment' $AM ., S4B or .2' S&S ,, S4, /B bitNote%$AM supports both 1indows and &inu> *n this guide0 we will discuss the identity federation

deployment in the &inu> environment

'nsure )" Conneti(ity

nsure that $AM "name>amplecom# and AD FS 2! "fswebcontosocom# systems have *4 connectivity

between them The 7ontosocom domain controller0 if running on a separate computer0 does not re6uire

*4 connectivity to the $AM system

*f $AM firewall is set up0 open the ports re6uired for the *dentity Server to communicate with

Administration 7onsole For more information about these ports0 seeSetting Cp Firewallsin $ovellAccess Manager ., S4B Setup 9uide

For 5TT4S communication0 you can use iptables to configure this for T74 ;BB. or BB. See Translating

the *dentity Server 7onfiguration 4ortin $ovell Access Manager ., S4B *dentity Server 9uide

For bac%-channel communication with cluster members0 you need to open two consecutive ports for the

cluster0 for e>ample :;!, and :;!2 The initial port ":;!,# is configurable See 7onfiguring a 7luster with

Multiple *dentity Serversin $ovell Access Manager ., S4B *dentity Server 9uide

Con*igure Name $esolution

The hosts file on the AD FS 2! computer "fswebcontosocom# is used to configure name resolution of

the partner federation servers and sample applications

+eri*y Clo, Synhroni-ationFederation events have a short time to live "TT To avoid errors based on time-outs0 ensure that both

computers have their cloc%s synchronied

Note%For information about how to synchronie a 1indows Server 2!!; 82 domain controller to

an *nternet time server0 see article ;,/!B2in the Microsoft Enowledge ase

"http'((gomicrosoftcom(fwlin%()&in%*D+/!B!2#

3n S&S ,,0 use the command sntp -4 no -p poolntporg to synchronie time with the *nternettime server
http://www.novell.com/documentation/novellaccessmanager31/basicconfig/data/b651hwh.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/data/b651hwh.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/data/b651hwh.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/?page=/documentation/novellaccessmanager31/basicconfig/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/?page=/documentation/novellaccessmanager31/basicconfig/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/b6fyxpk.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/b6fyxpk.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/b6fyxpk.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/?page=/documentation/novellaccessmanager31/identityserverhelp/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/?page=/documentation/novellaccessmanager31/identityserverhelp/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/bfcvfuj.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/bfcvfuj.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/?page=/documentation/novellaccessmanager31/identityserverhelp/data/bookinfo.htmlhttp://go.microsoft.com/fwlink/?LinkID=60402http://go.microsoft.com/fwlink/?LinkID=60402http://www.novell.com/documentation/novellaccessmanager31/basicconfig/data/b651hwh.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/?page=/documentation/novellaccessmanager31/basicconfig/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/?page=/documentation/novellaccessmanager31/basicconfig/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/b6fyxpk.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/b6fyxpk.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/?page=/documentation/novellaccessmanager31/identityserverhelp/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/bfcvfuj.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/bfcvfuj.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/?page=/documentation/novellaccessmanager31/identityserverhelp/data/bookinfo.htmlhttp://go.microsoft.com/fwlink/?LinkID=60402http://go.microsoft.com/fwlink/?LinkID=60402


3/15

Con*iguring NAM as Claims or )dentity "ro(iderand AD FS 2.0 as $elying "arty or Ser(ie

"ro(iderThis section e>plains how to configure a setup in which a user "using $AM# gets federated access to the

1*F sample application through AD FS 2! This setup uses the SAM& 2! 43ST profile

This section includes'

7onfiguring $AM

7onfiguring AD FS 2!

$ote'

Con*iguring NAMThis section includes'

Adding a new service provider connection using metadata

>port *dentity 4rovider metadata to a file

Note%To deploy this identity federation for $AM ., S4. and above0 create a new contract with uri

ml

2 Save the AD FS metadata file

. 3pen the saved AD FS metadata file in $otepad0 1ord4ad0 or any >ml editor#

B 8emove the 8oleDescriptorG tags from metadata For e>ample0 remove the following tabs'

8oleDescriptor >si'type+=fed'ApplicationServiceType=

protocolSupportnumeration+http'(( HHG HHH(8oleDescriptorG

8oleDescriptor >si'typ+=fed'SecurityTo%enServiceType=

protocolSupportnumeration+http'(( HHHG (8oleDescriptorG

I Save the changes

To Add a New Service Provider Connection Usin Metadata

, *n $AM Administration 7onsole0 select Devices G Identity Server GEdit G SAML 2.0

2 7lic% NewGAdd Service Provider


4/15

. Specify a name by which you want to refer to the provider in the Namefield

B Select Metadata Te>t from the Sourelist

I 4aste the copied AD FS metadata "trimmed one# in the Te&tfield

/ 7lic% Next > Finish.

: Cpdate*dentity Server.

To Add AD FS Server Tr!sted Certificate A!t"orit#

, Download 7ertificate Authority "7A# from the AD FS server

2 *n the $AM Administration 7onsole0 select SecurityG Certiic!tes > "rusted #oots

. 7lic% I$%ort

B Specify a name for the certificate and browse for ADFS 7A

I 7lic% &'.

/ 7lic% U!loaded AD FS CA

: 7lic% Add to "rusted Store and select on*ig store

; Cpdate *dentity Server

To Create Attri$!te Set in NAM

, *n the $AM Administration 7onsole0 select De(ies / )dentity Ser(ers / Shared SettingsG

Attribute Sets /clic% Ne

2 4rovide the attribute set name as adfs-attributes

. 7lic% Ne&twith the default selections

B *n the Create Attribute Setsection0 clic% Ne

I Select ldapattribute mail from the Loal attribute list

/ Specify email in the $emote attributefield: Selecthttp'((schemas>mlsoaporg(ws(2!!I(!I(identity(claims(from the $emote names!aelist

; 7lic% 1

8epeat steps /-,! to add the cn attribute

,! 7lic% Ne

,, Select ldapattribute cn from the Loal attributelist

,2 Specify name in the $emote attributefield

,. Selecthttp'((schemas>mlsoaporg(ws(2!!I(!I(identity(claims(from the $emote names!aelist

,B 7lic% 1

,I Cpdate *dentity Server

To Confi!re a Service Provider in NAM

, Select ADFS service provider in the SAML 2.0tab

2 7lic% Authentiation $es!onse

. Select inding to "ST

B Specify the name identifier format default value0 select unspecified along with the defaults
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/http://schemas.xmlsoap.org/ws/2005/05/identity/claims/http://schemas.xmlsoap.org/ws/2005/05/identity/claims/http://schemas.xmlsoap.org/ws/2005/05/identity/claims/


5/15

I 7lic% Attributes

/ Select adfs-attributes from the Attribute setlist

: Select re6uired attributes to be send with authentication from right to left "for e>ample0 mail0 cn

attributes#

; 7lic% 1

Cpdate *dentity Server

'&!ort )dentity "ro(ider Metadata to a File

Access https'((*dentityserver *4 ( dns nameGG';BB.(nidp(saml2(metadata in a browser and save the

page as an >ml file For e>ample' namJmetadata>ml AD FS 2! will use this file to automate set up of

the $AM 7laims 4rovider instance

Con*iguring AD FS 2.0This section includes'

Adding a claims provider using metadata

diting claim rules for claims provider trust

diting claim rules for the 1*F Sample Application

7hanging AD FS 2! Signature Algorithm

Adding a Claims "ro(ider Using Metadata

Cse the metadata import capabilities of AD FS 2! to create the >amplecom claims provider The

metadata includes the public %ey that is used to validate security to%ens signed by $AM

To Add a %ein Part# Usin Metadata, *n AD FS 2!0 in the console tree0 right-clic% the C(!i$s Provider "rustsfolder0 and then clic%

Add C(!i$s Provider "rustto start the Add 7laims 4rovider Trust 1iard

2 7lic% St!rt

. 3n the Se(ect D!t! Sourcepage0 select *mport data about the claims provider from a file.

B *n the Federation metadata file location field0 clic% )rowse.

I $avigate to the location where you saved namJmetadata>ml earlier0 clic% &%en0 and then clic%

Next.

/ *n the S%eciy Dis%(!y N!$epage0 enter NAM '&am!le

: 7lic%Next > Ne&t /

Close

'diting Claim $ules *or a Claims "ro(ider Trust

The following claim rule describes how the data from $AM is used in the security to%en that is sent to the

1*F sample application


6/15

To 'dit C&aim %!&e for a C&aims Provider Tr!st

, 3pen the 'dit Claim $uleswindow 3r0 in the AD FS 2! center pane0 under Claims "ro(ider

Trusts0 right-clic% NAM '&am!le0 and then clic% 'dit Claim $ules

2 *n the Ae!tane Trans*orm $ulestab0 clic% Add $ule

. *n the Selet $ule Tem!late page0 select the 4ass Through or Filter an *ncoming 7laim optionB 7lic% Ne&t

I *n the Con*igure Claim $ulepage0 use the following values'

Name +alue

7laim rule name $ame *D 8ule

*ncoming claim type $ame *D

*ncoming name *D format Cnspecified

/ Select the 4ass through all claim values and clic% Finish

: 7lic%Add #u(e; *n the Se(ect #u(e "e$%(!tepage0 select the Pass Through or Filter an Incoming Claimoption

7lic% Next.

,! *n the Coni*ure C(!i$ #u(epage0 in C(!i$ ru(e n!$e0 use the following values

Name +alue

7laim rule name $ame 8ule

*ncoming claim type $ame

,, &eave the 4ass through all claim values option selected and clic% Finish

,2 To ac%nowledge the security warning0 clic%3es,. 7lic% 1

'diting Claim $ules *or the 4)F Sam!le A!!liation

At this point0 incoming claims have been received at AD FS 2!0 but rules that describe what to send to

the 1*F sample application have not yet been created dit the e>isting claim rules for the sample

application to ta%e into account the new $AM e>ternal claims provider

To 'dit t"e C&aim %!&es for t"e F Sam*&e A**&ication

, *n AD FS 2!0 clic% #e(yin* P!rty "rusts.

2 8ight-clic% +IF S!$%(e A%%and then clic% Edit C(!i$ #u(es.

. *n the Issu!nce "r!nsor$ #u(estab0 clic%Add #u(e.

B *n the Se(ect #u(e "e$%(!tepage0 clic%P!ss "hrou*h or Fi(ter !n Inco$in* C(!i$>Next

I *n the Con*igure Claim $ulepage0 enter the following values


7/15

Name +alue

7laim rule name 4ass $ame 8ule

*ncoming claim type $ame

/ &eave theP!ss throu*h !(( c(!i$ v!(uesoption selected0 and then clic% Finish.

: *n the Issu!nce "r!nsor$ #u(estab0 clic%Add #u(e.

; *n the Se(ect #u(e "e$%(!tepage0 clic%P!ss "hrou*h or Fi(ter !n Inco$in* C(!i$

7lic% Next.

,! *n the Coni*ure C(!i$ #u(epage0 enter the following values

Name +alue

7laim rule name 4ass $ame *D 8ule

*ncoming claim type $ame *D

*ncoming $ame *D

format

Cnspecified

,, &eave theP!ss throu*h !(( c(!i$ v!(uesoption selected0 and then clic% Finish.

,2 7lic% &'.

Note%*f you configured the optional Step /' 7hange Authoriation 8ules when you were testing the

original AD FS 2! with 1*F Step-by-Step 9uide deployment0 ensure that you add bac% the"ermit All

Usersissuance authoriation rules for the 1*F sample application before testing this scenario 3r0 as an

alternative0 add a new "ermit or Deny Users ased on an )noming Claimrule allowing incoming

$ame *D + KohnLe>amplecom to access the application

Changing AD FS 2.0 Signature Algorithmy default0 $AM uses the Secure 5ash Algorithm , "S5A-,# for signing operations y default0 AD FS 2!

e>pects partners to use S5A-2I/ 7omplete the following steps to set AD FS 2! to e>pect S5A-, for

interoperability with $AM

Note%The same procedure is recommended for AD FS 2! 8elying 4arty Trusts that use $AM *f the

$AM S4 signs authn8e6uests0 artifact resolution re6uests0 or logout re6uests0 AD FS 2! errors will occur

unless this signature algorithm setting is changed

To C"ane AD FS 2.0 Sinat!re A&orit"m

, *n AD FS 2!0 clic% Claims "ro(ider Trusts

2 8ight-clic% NAM '&am!leG "ro!erties. *n theAdv!ncedtab0 select S5A-, in the Seure 5ash Algorithmlist

B 7lic% &'.


8/15

Certi*iation Authority6)ssued Signing7'nry!tion Certi*iates

For security reasons0 production federation deployments re6uire the use of digitally signed security

to%ens0 and as an option allow encryption of security to%en contents Self-signed private %ey certificates0

which are generated from inside the AD FS 2! and $AM products0 are used for signing security to%ens

As an alternative0 organiations can use a private %ey certificate that is issued by a certificate authority

"7A# for signing and encryption The primary benefit of using certificates is that a 7A issues is the ability

to chec% for possible certificate revocation against the certificate revocation list "78 from the issuing

7A

oth in AD FS 2! and in $AM0 78& chec%ing is enabled by default for all partner connections0 if the

certificate being used by the partner includes a 78& Distribution 4oint "7D4# e>tension This has

implications in federation deployments between $AM and AD FS 2!'

*f a signing(encryption certificate provided by one side of a federation includes a 7D4 e>tension0 that

location must be accessible by the other side@s federation server 3therwise0 78& chec%ing fails0

resulting in a failed access attempt $ote that 7D4 e>tensions are added by default to certificates that

are issued by Active Directory 7ertificate Services "AD 7S# in 1indows Server 2!!; 82

*f the signing(encryption certificate does not include a 7D4 e>tension0 no 78& chec%ing is performedby AD FS 2! or $AM

To Disa$&e C%+ C"ec,in -*tion

*n &inu> *dentity 4rovider'

, Modify the (var(opt(novell(tomcatI(conf(tomcatIconf file and add ANAJ34TS+OPQANAJ34TSR

-Dcomnovellnidpserver37S478&+falseO "*n $AM ., S4. and ., S4B#

2 Modify the (var(opt(novell(tomcat:(conf(tomcat:conf file and add ANAJ34TS+OPQANAJ34TSR

-Dcomnovellnidpserver37S478&+falseO "*n $AM .2#

*n AD FS 2!'

, 7lic% Start G Administrati(e Tools G 4indos "oerShell Modules

2 nter the following command in the 4owerShell command prompt'

set-ADFSClaimsProviderTrust TargetName NAM Example

SigningCertii!ate"evo!ationC#e!$ None

Note%?ou can ma%e many configuration changes to AD FS 2! using the 1indows 4owerShell

command-line and scripting environment For more information0 see theAD FS 2! 1indows 4owerShell

Administrationsection of the AD FS 2! 3perations 9uide "http'((gomicrosoftcom(fwlin%()&in%*d+,B!!I#

and theAD FS 2! 7mdlets 8eference "http'((gomicrosoftcom(fwlin%()&in%*d+,::.;#
http://go.microsoft.com/fwlink/?LinkId=194005http://go.microsoft.com/fwlink/?LinkId=194005http://go.microsoft.com/fwlink/?LinkId=194005http://go.microsoft.com/fwlink/?LinkId=177389http://go.microsoft.com/fwlink/?LinkId=177389http://go.microsoft.com/fwlink/?LinkId=194005http://go.microsoft.com/fwlink/?LinkId=194005http://go.microsoft.com/fwlink/?LinkId=177389http://go.microsoft.com/fwlink/?LinkId=177389


9/15

Test NAM as Claims "ro(ider and AD FS 2.0 as$elying "arty

*n this scenario0 ohn from >amplecom accesses the 7ontoso 1*F sample application

Note%7lear all the coo%ies in *nternet >plorer on the AD FS 2! computer "fswebcontosocom#

To clear the coo%ies0 clic% Tools G )nternet !tions G Delete underrosing 5istory0 and then

select coo%ies for deletion

Accessin t"e F Sam*&e A**&ication

, 3n the AD FS 2! computer0 open a browser window0 and then navigate to

https'((fswebcontosocom(7laimsAware1ebApp1ithManagedSTS(defaultasp>

2 The first page prompts you to select your organiation from a list

Select $AM >ample0 and then clic% 7ontinue to sign in

Note%This page did not appear in the previous e>ample when you were redirected to AD FS 2!

This is because at that point there was only one *dentity 4rovider registered in AD FS 2! 1hen

only one *dentity 4rovider is available0 AD FS 2! forwards the re6uest to that *dentity 4rovider by

default

. The $AM login page appears nter the user name8ohn0typethe password test9and then clic%

Lo*in.


10/15

Con*iguring AD FS 2.0 as Claims or )dentity"ro(ider and NAM as $elying "arty or Ser(ie

"ro(iderThis section e>plains how to configure an application through AD FS 2! that gets federated access to an

application using $ovell Access Manager "$AM# The setup uses the SAM& 2! 43ST profile

Con*iguring NAMThis section discusses how to add a new *dentity 4rovider connection using metadata

Adding a Ne )dentity "ro(ider Connetion Using Metadata

AD FS metadata is used to add an identity provider using AD FS 2! in to $AM

To Get AD FS 2.0 Metadata

, Access AD FS server metadata C8& https'((ADFS hostname or *4(FederationMetadata(2!!:-

!/(FederationMetadata>ml

2 Save AD FS metadata data

. 3pen the AD FS metadata file in $otepad "or 1ord4ad or >ml editor#

B 8emove the 8oleDescriptorG tags from metadata

For e>ample0 remove the following tags'

8oleDescriptor >si'type+=fed'ApplicationServiceType= protocolSupportnumeration+http'(( HHG HHH(8oleDescriptorG

8oleDescriptor >si'type+=fed'SecurityTo%enServiceType= protocolSupportnumeration+http'(( HHHG (8oleDescriptorG

I Save the changes

To Add a New dentit# Provider Connection Usin Metadata

, *n $AM Administrative 7onsole0 select Devices G Identity Server.

2 7lic% Edit.

. Select SAML 2.0

B 7lic% NewG Identity 4rovider

I nter the name as ADFS in the Namefield

/ Select Metadata Te>t from the Soure list

: 4aste the copied ADFS metadata "trimmed# te>t in the Te&tfield

; 7lic% Next.

Specify an alphanumeric value that identifies the card in theID field

,! Specify the image to be displayed on the card in the I$!*e field

,, Cpdate *dentity Server


11/15

To Add AD FS Server Tr!sted Certificate A!t"orit#

, Download 7A from the AD FS server

2 *n $AM Administration 7onsole0 select SecurityG Certiic!tes.

. Select "rusted #oots

B 7lic% I$%ortI nter the certificate name0 and browse for AD FS 7A

/ 7lic% 1

: 7lic% uploaded AD FS 7A

; 7lic% Addto "rusted Store and select config store

Cpdate *dentity Server

To Confi!re dentit# Provider in NAM

, Select AD FS *dentity 4rovider in the SAML 2.0tab

2 7lic%Authentic!tion C!rd GAuthentic!tion #e,uest

. Select $es!onse "rotool inding to "ST

B $AM *dentifier Format as Transient

I 7lic% &'.

/ Cpdate *dentity Server

Con*igure AD FS 2.0This section discusses'

Adding a 8elaying 4arty using metadata

diting 7laim 8ules for 8elaying 4arty Trust

Adding a $elaying "arty Using Metadata

The metadata import capability of AD FS 2! is used to create a 8elaying 4arty The metadata includes

the public %ey that is used to validate security to%ens that are signed by $AM

To Add a %ein Part# Usin Metadata

, *n AD FS 2!0 right-clic% the $elaying "arty Trustsfolder0 and then clic% Add $elaying "arty

Trustto start the Add 8elaying 4arty Trust 1iard

2 7lic% Start

. 3n the Selet Data Sourepage0 select *mport data about the claims provider from a file

B *n the Federation metadata *ile loation section0 clic% rose

I $avigate to the location where you saved namJmetadata>ml earlier0 clic% !enG Ne&t

/ *n the S!ei*y Dis!lay Namepage0 enter $AM >ample

: 7lic% Ne&tG Ne&tG Close


12/15

'diting Claim $ules *or a $elaying "arty Trust

This section describes how data from AD FS is used in the security to%en that is sent to $AM

To 'dit C&aim %!&e for a %e&a#in Part# Tr!st

, The 'dit Claim $ulesdialog bo> should already be open *f not0 in the AD FS 2! center pane0

under $elying "arty Trusts0 right-clic% NAM '&am!le0 and then clic% 'dit Claim $ules

2 *n the )ssuane Trans*orm $ulestab0 clic% Add $ule

. *n the Selet $ule Tem!latepage0 leave the Send &DA4 Attributes as 7laims option selected0

and then clic% Ne&t

B *n the Con*igure Claim $ulepage0 enter 9et attributes in the Claim rule namefield

I Select Active Directoryfrom the Attribute Storelist

/ *n the Ma!!ing o* LDA" attributessection0 create the following mappings

LDA" Attribute utgoing Claim Ty!e

Cser4rincipal$ame C4$

Mail -Mail Address

: 7lic% Finish

; *n the )ssuane Trans*orm $ulestab0 clic% Add $ule

*n the Selet $ule Tem!latepage0 select Transform an *ncoming 7laim9and then clic% Ne&t

,! *n the Con*igure Claim $ulepage0 use the following values

Name +alue

7laim rule name *ncoming $ame *D format

Transient $ame *D Mapping 8ule Transient *dentifier

Mail -Mail Address

,, 7lic% Finish

C"anin AD FS 2.0 Sinat!re A&orit"m

y default $AM uses the Secure 5ash Algorithm , "S5A-,# for signing operations0 and by default

AD FS 2! e>pects partners to use S5A-2I/ 4erform the following steps to setup AD FS 2! to e>pect

S5A-, for interoperability with $AM *dentity 4rovider

, *n AD FS 2!0 clic% Claims "ro(ider Trusts G right-clic% "ing '&am!le G"ro!erties

2 *n the Ad(anedtab0 select S5A6: in the Seure 5ash Algorithmlist

. 7lic% 1

Certi*iation Authority6)ssued Signing7'nry!tion Certi*iates


Disabling 78& 7hec%ing 3ption in &inu> *dentity 4rovider

Disabling 78& 7hec%ing 3ption in AD FS 2!


13/15

For more information about signing(encryption certificates0 see 7ertification Authority-*ssued

Signing(ncryption 7ertificates

Disa$&in C%+ C"ec,in -*tion in +in! dentit# Provider

, Modify the (var(opt(novell(tomcatI(conf(tomcatIconf file and add ANAJ34TS+OPQANAJ34TSR

-Dcomnovellnidpserver37S478&+falseO "*n $AM ., S4. and ., S4B#

2 Modifythe (var(opt(novell(tomcat:(conf(tomcat:conf file and add ANAJ34TS+OPQANAJ34TSR

-Dcomnovellnidpserver37S478&+falseO "*n $AM .2#

To Disa$&e C%+ C"ec,in -*tion


2 nter the following command in the 4owerShell command prompt'

set-ADFSCRelayingPartyTrust TargetName NA !"am#le$

SigningCerti%icateRe&ocationChec' None

AD FS 2.0 'nry!tion Strength*n AD FS 2!0 encryption of outbound assertions is enabled by default Assertion encryption occurs for any

8elying 4arty or service provider for which AS FS 2! possesses an encryption certificate

1hen it performs encryption0 AD FS 2! uses 2I/-bit Advanced ncryption Standard "AS# %eys0 or AS-

2I/ *n contrast0 by default 4ingFederate supports a wea%er algorithm "AS-,2;# Failing to reconcile

these conflicting defaults can result in failed SS3 attempts Alternatives for addressing this issue include

the following'

Disa$&in encr#*tion in AD FS 2.0

To disable the encryption in AD FS 2!0 complete the following steps'


2 nter the following command in the 1indows 4owerShell command prompt'

set-ADFSRelyingPartyTrust TargetName NA !"am#le$

!ncry#tClaims (False


14/15

$e*erenes% AD FS 2.0 asis


Con*iguring the to,en6dery!ting erti*iate

Adding 7A certificates at AD FS 2!

Debugging AD FS 2.0

Con*iguring the To,en6dery!ting Certi*iate, 3pen the AD FS 2! Management tool0 clic% Start GAdministrati(e Tools GAD FS 2.0

Management

2 3n the left-pane0 e>pand the Ser(iefolder and clic% Certi*iates

. *n the Certi*iatessection0 select Add To,en6Dery!ting Certi*iate

1hile configuring the To%e-decrypting certificate0 an error may occur prompting to run thefollowing 4owerShell commands'

A))-PSSna#in icroso%t.A)%s.Po*erShell

Set-ADFSPro#erties -AutoCerti%icateRollo&er (%alse

8un these to select other certificate The certificate must be installed on the server The

certificates are configured on the **S Manager'

B 7lic% Start GAdministrati(e Tools G)nternet )n*ormation Ser(ies ;))S< Manager

I 7lic% Ser(erName

/ 7lic% Ser(er Certi*iatesin the ))SSection

Adding CA Certi*iates to AD FS 2.0, *n 1indows0 Start G$un Gmm

2 Attach snapshot certificates as service

. Select AD FS

B *mport 7A certificate to trusted authorities

Debugging AD FS 2.0,/ *n vent Niewer0 clic% A!!liations GAD FS

,: ?ou can access the trouble shooting help here'

,; http'((technetmicrosoftcom(en-us(library(adfs2-troubleshooting-certificate-problems

2;1S,!2asp>

, http'((/BB,,2I2(fr-fr(library(adfs2-troubleshooting-certificate-problems2;1S,!2asp>
http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems(WS.10).aspxhttp://64.4.11.252/fr-fr/library/adfs2-troubleshooting-certificate-problems(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems(WS.10).aspxhttp://64.4.11.252/fr-fr/library/adfs2-troubleshooting-certificate-problems(WS.10).aspx


15/15

Power S"e&& Commands /e&*

2! http'((technetmicrosoftcom(en-us(library(adfs2-help-using-windows-powershell2;1S,!2asp>

2, http'((technetmicrosoftcom(en-us(library(adfs2-powershell-e>amples2;1S,!2asp>
http://technet.microsoft.com/en-us/library/adfs2-help-using-windows-powershell(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-powershell-examples(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-help-using-windows-powershell(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-powershell-examples(WS.10).aspx

ADFS 2.0 Configuration ADFS ClaimProvider

Documents

Transcript of ADFS 2.0 Configuration ADFS ClaimProvider