ADFS 2.0 Configuration ADFS ClaimProvider
-
Upload
servergeeks -
Category
Documents
-
view
224 -
download
0
Transcript of ADFS 2.0 Configuration ADFS ClaimProvider
-
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
1/15
About This GuideThis guide provides step-by-step instructions for configuring a basic identity federation deployment
between Microsoft Active Directory Federation Services 2! "AD FS 2!# and $ovell Access Manager
"$AM# by using the Security Assertion Mar%up &anguage "SAM 2! "http'((gomicrosoftcom(fwlin%()&in%*d+,./# protocol0 specifically its 1eb rowser SS3 4rofile and 5TT4 43ST binding
Terminology Used in This Guide
Throughout this document0 there are numerous references to federation concepts that are called by
different names in AD FS 2! and SAM& documentation The following table assists in drawing parallels
between the two concepts
AD FS 2.0 Name SAML Name Cone!t
Security To%en Assertion A pac%age of security information0 describing a
user0 created and consumed during a federated
access re6uest
7laims 4rovider *dentity 4rovider
"*D4#
4artner in a federation that creates security
to%ens for users
8elying 4arty Service 4rovider
"S4#
4artner in a federation that consumes security
to%ens for providing access to applications
7laims Assertion
attributes
Data about users that is sent inside security
to%ens
*n this deployment0 you have the option to configure one or both of the following two scenarios'
AD FS 2! as 7laims 4rovider and $AM as 8elying 4arty
$AM as 7laims or *dentity 4rovider and ADFS 2! as 8elying 4arty or Service 4rovider
"rere#uisites and $e#uirements, Two servers0 one to host AD FS 2! and the other to host $AM
2 AD FS 2! is deployed' The test deployment that was created in theAD FS 2! Federation with a
1*F Application Step-by-Step 9uide"http'((gomicrosoftcom(fwlin%()&in%*d+,.:# is used as
starting point for this lab That lab uses a single 1indows Server 2!!; 82 instance
"fswebcontosocom# to host both the AD FS 2! federation server and a 1indows *dentityFoundation "1*F# sample application *t presumes the availability of a
-
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
2/15
Note%?ou can download the evaluation version of $AM from $ovell@s download portal
"http'((downloadnovellcom#
Linu& 'n(ironment
$AM nvironment' $AM ., S4B or .2' S&S ,, S4, /B bitNote%$AM supports both 1indows and &inu> *n this guide0 we will discuss the identity federation
deployment in the &inu> environment
'nsure )" Conneti(ity
nsure that $AM "name>amplecom# and AD FS 2! "fswebcontosocom# systems have *4 connectivity
between them The 7ontosocom domain controller0 if running on a separate computer0 does not re6uire
*4 connectivity to the $AM system
*f $AM firewall is set up0 open the ports re6uired for the *dentity Server to communicate with
Administration 7onsole For more information about these ports0 seeSetting Cp Firewallsin $ovellAccess Manager ., S4B Setup 9uide
For 5TT4S communication0 you can use iptables to configure this for T74 ;BB. or BB. See Translating
the *dentity Server 7onfiguration 4ortin $ovell Access Manager ., S4B *dentity Server 9uide
For bac%-channel communication with cluster members0 you need to open two consecutive ports for the
cluster0 for e>ample :;!, and :;!2 The initial port ":;!,# is configurable See 7onfiguring a 7luster with
Multiple *dentity Serversin $ovell Access Manager ., S4B *dentity Server 9uide
Con*igure Name $esolution
The hosts file on the AD FS 2! computer "fswebcontosocom# is used to configure name resolution of
the partner federation servers and sample applications
+eri*y Clo, Synhroni-ationFederation events have a short time to live "TT To avoid errors based on time-outs0 ensure that both
computers have their cloc%s synchronied
Note%For information about how to synchronie a 1indows Server 2!!; 82 domain controller to
an *nternet time server0 see article ;,/!B2in the Microsoft Enowledge ase
"http'((gomicrosoftcom(fwlin%()&in%*D+/!B!2#
3n S&S ,,0 use the command sntp -4 no -p poolntporg to synchronie time with the *nternettime server
http://www.novell.com/documentation/novellaccessmanager31/basicconfig/data/b651hwh.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/data/b651hwh.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/data/b651hwh.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/?page=/documentation/novellaccessmanager31/basicconfig/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/?page=/documentation/novellaccessmanager31/basicconfig/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/b6fyxpk.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/b6fyxpk.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/b6fyxpk.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/?page=/documentation/novellaccessmanager31/identityserverhelp/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/?page=/documentation/novellaccessmanager31/identityserverhelp/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/bfcvfuj.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/bfcvfuj.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/?page=/documentation/novellaccessmanager31/identityserverhelp/data/bookinfo.htmlhttp://go.microsoft.com/fwlink/?LinkID=60402http://go.microsoft.com/fwlink/?LinkID=60402http://www.novell.com/documentation/novellaccessmanager31/basicconfig/data/b651hwh.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/?page=/documentation/novellaccessmanager31/basicconfig/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/basicconfig/?page=/documentation/novellaccessmanager31/basicconfig/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/b6fyxpk.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/b6fyxpk.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/?page=/documentation/novellaccessmanager31/identityserverhelp/data/bookinfo.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/bfcvfuj.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/data/bfcvfuj.htmlhttp://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/?page=/documentation/novellaccessmanager31/identityserverhelp/data/bookinfo.htmlhttp://go.microsoft.com/fwlink/?LinkID=60402http://go.microsoft.com/fwlink/?LinkID=60402 -
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
3/15
Con*iguring NAM as Claims or )dentity "ro(iderand AD FS 2.0 as $elying "arty or Ser(ie
"ro(iderThis section e>plains how to configure a setup in which a user "using $AM# gets federated access to the
1*F sample application through AD FS 2! This setup uses the SAM& 2! 43ST profile
This section includes'
7onfiguring $AM
7onfiguring AD FS 2!
$ote'
Con*iguring NAMThis section includes'
Adding a new service provider connection using metadata
>port *dentity 4rovider metadata to a file
Note%To deploy this identity federation for $AM ., S4. and above0 create a new contract with uri
ml
2 Save the AD FS metadata file
. 3pen the saved AD FS metadata file in $otepad0 1ord4ad0 or any >ml editor#
B 8emove the 8oleDescriptorG tags from metadata For e>ample0 remove the following tabs'
8oleDescriptor >si'type+=fed'ApplicationServiceType=
protocolSupportnumeration+http'(( HHG HHH(8oleDescriptorG
8oleDescriptor >si'typ+=fed'SecurityTo%enServiceType=
protocolSupportnumeration+http'(( HHHG (8oleDescriptorG
I Save the changes
To Add a New Service Provider Connection Usin Metadata
, *n $AM Administration 7onsole0 select Devices G Identity Server GEdit G SAML 2.0
2 7lic% NewGAdd Service Provider
-
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
4/15
. Specify a name by which you want to refer to the provider in the Namefield
B Select Metadata Te>t from the Sourelist
I 4aste the copied AD FS metadata "trimmed one# in the Te&tfield
/ 7lic% Next > Finish.
: Cpdate*dentity Server.
To Add AD FS Server Tr!sted Certificate A!t"orit#
, Download 7ertificate Authority "7A# from the AD FS server
2 *n the $AM Administration 7onsole0 select SecurityG Certiic!tes > "rusted #oots
. 7lic% I$%ort
B Specify a name for the certificate and browse for ADFS 7A
I 7lic% &'.
/ 7lic% U!loaded AD FS CA
: 7lic% Add to "rusted Store and select on*ig store
; Cpdate *dentity Server
To Create Attri$!te Set in NAM
, *n the $AM Administration 7onsole0 select De(ies / )dentity Ser(ers / Shared SettingsG
Attribute Sets /clic% Ne
2 4rovide the attribute set name as adfs-attributes
. 7lic% Ne&twith the default selections
B *n the Create Attribute Setsection0 clic% Ne
I Select ldapattribute mail from the Loal attribute list
/ Specify email in the $emote attributefield: Selecthttp'((schemas>mlsoaporg(ws(2!!I(!I(identity(claims(from the $emote names!aelist
; 7lic% 1
8epeat steps /-,! to add the cn attribute
,! 7lic% Ne
,, Select ldapattribute cn from the Loal attributelist
,2 Specify name in the $emote attributefield
,. Selecthttp'((schemas>mlsoaporg(ws(2!!I(!I(identity(claims(from the $emote names!aelist
,B 7lic% 1
,I Cpdate *dentity Server
To Confi!re a Service Provider in NAM
, Select ADFS service provider in the SAML 2.0tab
2 7lic% Authentiation $es!onse
. Select inding to "ST
B Specify the name identifier format default value0 select unspecified along with the defaults
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/http://schemas.xmlsoap.org/ws/2005/05/identity/claims/http://schemas.xmlsoap.org/ws/2005/05/identity/claims/http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ -
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
5/15
I 7lic% Attributes
/ Select adfs-attributes from the Attribute setlist
: Select re6uired attributes to be send with authentication from right to left "for e>ample0 mail0 cn
attributes#
; 7lic% 1
Cpdate *dentity Server
'&!ort )dentity "ro(ider Metadata to a File
Access https'((*dentityserver *4 ( dns nameGG';BB.(nidp(saml2(metadata in a browser and save the
page as an >ml file For e>ample' namJmetadata>ml AD FS 2! will use this file to automate set up of
the $AM 7laims 4rovider instance
Con*iguring AD FS 2.0This section includes'
Adding a claims provider using metadata
diting claim rules for claims provider trust
diting claim rules for the 1*F Sample Application
7hanging AD FS 2! Signature Algorithm
Adding a Claims "ro(ider Using Metadata
Cse the metadata import capabilities of AD FS 2! to create the >amplecom claims provider The
metadata includes the public %ey that is used to validate security to%ens signed by $AM
To Add a %ein Part# Usin Metadata, *n AD FS 2!0 in the console tree0 right-clic% the C(!i$s Provider "rustsfolder0 and then clic%
Add C(!i$s Provider "rustto start the Add 7laims 4rovider Trust 1iard
2 7lic% St!rt
. 3n the Se(ect D!t! Sourcepage0 select *mport data about the claims provider from a file.
B *n the Federation metadata file location field0 clic% )rowse.
I $avigate to the location where you saved namJmetadata>ml earlier0 clic% &%en0 and then clic%
Next.
/ *n the S%eciy Dis%(!y N!$epage0 enter NAM '&am!le
: 7lic%Next > Ne&t /
Close
'diting Claim $ules *or a Claims "ro(ider Trust
The following claim rule describes how the data from $AM is used in the security to%en that is sent to the
1*F sample application
-
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
6/15
To 'dit C&aim %!&e for a C&aims Provider Tr!st
, 3pen the 'dit Claim $uleswindow 3r0 in the AD FS 2! center pane0 under Claims "ro(ider
Trusts0 right-clic% NAM '&am!le0 and then clic% 'dit Claim $ules
2 *n the Ae!tane Trans*orm $ulestab0 clic% Add $ule
. *n the Selet $ule Tem!late page0 select the 4ass Through or Filter an *ncoming 7laim optionB 7lic% Ne&t
I *n the Con*igure Claim $ulepage0 use the following values'
Name +alue
7laim rule name $ame *D 8ule
*ncoming claim type $ame *D
*ncoming name *D format Cnspecified
/ Select the 4ass through all claim values and clic% Finish
: 7lic%Add #u(e; *n the Se(ect #u(e "e$%(!tepage0 select the Pass Through or Filter an Incoming Claimoption
7lic% Next.
,! *n the Coni*ure C(!i$ #u(epage0 in C(!i$ ru(e n!$e0 use the following values
Name +alue
7laim rule name $ame 8ule
*ncoming claim type $ame
,, &eave the 4ass through all claim values option selected and clic% Finish
,2 To ac%nowledge the security warning0 clic%3es,. 7lic% 1
'diting Claim $ules *or the 4)F Sam!le A!!liation
At this point0 incoming claims have been received at AD FS 2!0 but rules that describe what to send to
the 1*F sample application have not yet been created dit the e>isting claim rules for the sample
application to ta%e into account the new $AM e>ternal claims provider
To 'dit t"e C&aim %!&es for t"e F Sam*&e A**&ication
, *n AD FS 2!0 clic% #e(yin* P!rty "rusts.
2 8ight-clic% +IF S!$%(e A%%and then clic% Edit C(!i$ #u(es.
. *n the Issu!nce "r!nsor$ #u(estab0 clic%Add #u(e.
B *n the Se(ect #u(e "e$%(!tepage0 clic%P!ss "hrou*h or Fi(ter !n Inco$in* C(!i$>Next
I *n the Con*igure Claim $ulepage0 enter the following values
-
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
7/15
Name +alue
7laim rule name 4ass $ame 8ule
*ncoming claim type $ame
/ &eave theP!ss throu*h !(( c(!i$ v!(uesoption selected0 and then clic% Finish.
: *n the Issu!nce "r!nsor$ #u(estab0 clic%Add #u(e.
; *n the Se(ect #u(e "e$%(!tepage0 clic%P!ss "hrou*h or Fi(ter !n Inco$in* C(!i$
7lic% Next.
,! *n the Coni*ure C(!i$ #u(epage0 enter the following values
Name +alue
7laim rule name 4ass $ame *D 8ule
*ncoming claim type $ame *D
*ncoming $ame *D
format
Cnspecified
,, &eave theP!ss throu*h !(( c(!i$ v!(uesoption selected0 and then clic% Finish.
,2 7lic% &'.
Note%*f you configured the optional Step /' 7hange Authoriation 8ules when you were testing the
original AD FS 2! with 1*F Step-by-Step 9uide deployment0 ensure that you add bac% the"ermit All
Usersissuance authoriation rules for the 1*F sample application before testing this scenario 3r0 as an
alternative0 add a new "ermit or Deny Users ased on an )noming Claimrule allowing incoming
$ame *D + KohnLe>amplecom to access the application
Changing AD FS 2.0 Signature Algorithmy default0 $AM uses the Secure 5ash Algorithm , "S5A-,# for signing operations y default0 AD FS 2!
e>pects partners to use S5A-2I/ 7omplete the following steps to set AD FS 2! to e>pect S5A-, for
interoperability with $AM
Note%The same procedure is recommended for AD FS 2! 8elying 4arty Trusts that use $AM *f the
$AM S4 signs authn8e6uests0 artifact resolution re6uests0 or logout re6uests0 AD FS 2! errors will occur
unless this signature algorithm setting is changed
To C"ane AD FS 2.0 Sinat!re A&orit"m
, *n AD FS 2!0 clic% Claims "ro(ider Trusts
2 8ight-clic% NAM '&am!leG "ro!erties. *n theAdv!ncedtab0 select S5A-, in the Seure 5ash Algorithmlist
B 7lic% &'.
-
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
8/15
Certi*iation Authority6)ssued Signing7'nry!tion Certi*iates
For security reasons0 production federation deployments re6uire the use of digitally signed security
to%ens0 and as an option allow encryption of security to%en contents Self-signed private %ey certificates0
which are generated from inside the AD FS 2! and $AM products0 are used for signing security to%ens
As an alternative0 organiations can use a private %ey certificate that is issued by a certificate authority
"7A# for signing and encryption The primary benefit of using certificates is that a 7A issues is the ability
to chec% for possible certificate revocation against the certificate revocation list "78 from the issuing
7A
oth in AD FS 2! and in $AM0 78& chec%ing is enabled by default for all partner connections0 if the
certificate being used by the partner includes a 78& Distribution 4oint "7D4# e>tension This has
implications in federation deployments between $AM and AD FS 2!'
*f a signing(encryption certificate provided by one side of a federation includes a 7D4 e>tension0 that
location must be accessible by the other side@s federation server 3therwise0 78& chec%ing fails0
resulting in a failed access attempt $ote that 7D4 e>tensions are added by default to certificates that
are issued by Active Directory 7ertificate Services "AD 7S# in 1indows Server 2!!; 82
*f the signing(encryption certificate does not include a 7D4 e>tension0 no 78& chec%ing is performedby AD FS 2! or $AM
To Disa$&e C%+ C"ec,in -*tion
*n &inu> *dentity 4rovider'
, Modify the (var(opt(novell(tomcatI(conf(tomcatIconf file and add ANAJ34TS+OPQANAJ34TSR
-Dcomnovellnidpserver37S478&+falseO "*n $AM ., S4. and ., S4B#
2 Modify the (var(opt(novell(tomcat:(conf(tomcat:conf file and add ANAJ34TS+OPQANAJ34TSR
-Dcomnovellnidpserver37S478&+falseO "*n $AM .2#
*n AD FS 2!'
, 7lic% Start G Administrati(e Tools G 4indos "oerShell Modules
2 nter the following command in the 4owerShell command prompt'
set-ADFSClaimsProviderTrust TargetName NAM Example
SigningCertii!ate"evo!ationC#e!$ None
Note%?ou can ma%e many configuration changes to AD FS 2! using the 1indows 4owerShell
command-line and scripting environment For more information0 see theAD FS 2! 1indows 4owerShell
Administrationsection of the AD FS 2! 3perations 9uide "http'((gomicrosoftcom(fwlin%()&in%*d+,B!!I#
and theAD FS 2! 7mdlets 8eference "http'((gomicrosoftcom(fwlin%()&in%*d+,::.;#
http://go.microsoft.com/fwlink/?LinkId=194005http://go.microsoft.com/fwlink/?LinkId=194005http://go.microsoft.com/fwlink/?LinkId=194005http://go.microsoft.com/fwlink/?LinkId=177389http://go.microsoft.com/fwlink/?LinkId=177389http://go.microsoft.com/fwlink/?LinkId=194005http://go.microsoft.com/fwlink/?LinkId=194005http://go.microsoft.com/fwlink/?LinkId=177389http://go.microsoft.com/fwlink/?LinkId=177389 -
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
9/15
Test NAM as Claims "ro(ider and AD FS 2.0 as$elying "arty
*n this scenario0 ohn from >amplecom accesses the 7ontoso 1*F sample application
Note%7lear all the coo%ies in *nternet >plorer on the AD FS 2! computer "fswebcontosocom#
To clear the coo%ies0 clic% Tools G )nternet !tions G Delete underrosing 5istory0 and then
select coo%ies for deletion
Accessin t"e F Sam*&e A**&ication
, 3n the AD FS 2! computer0 open a browser window0 and then navigate to
https'((fswebcontosocom(7laimsAware1ebApp1ithManagedSTS(defaultasp>
2 The first page prompts you to select your organiation from a list
Select $AM >ample0 and then clic% 7ontinue to sign in
Note%This page did not appear in the previous e>ample when you were redirected to AD FS 2!
This is because at that point there was only one *dentity 4rovider registered in AD FS 2! 1hen
only one *dentity 4rovider is available0 AD FS 2! forwards the re6uest to that *dentity 4rovider by
default
. The $AM login page appears nter the user name8ohn0typethe password test9and then clic%
Lo*in.
-
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
10/15
Con*iguring AD FS 2.0 as Claims or )dentity"ro(ider and NAM as $elying "arty or Ser(ie
"ro(iderThis section e>plains how to configure an application through AD FS 2! that gets federated access to an
application using $ovell Access Manager "$AM# The setup uses the SAM& 2! 43ST profile
Con*iguring NAMThis section discusses how to add a new *dentity 4rovider connection using metadata
Adding a Ne )dentity "ro(ider Connetion Using Metadata
AD FS metadata is used to add an identity provider using AD FS 2! in to $AM
To Get AD FS 2.0 Metadata
, Access AD FS server metadata C8& https'((ADFS hostname or *4(FederationMetadata(2!!:-
!/(FederationMetadata>ml
2 Save AD FS metadata data
. 3pen the AD FS metadata file in $otepad "or 1ord4ad or >ml editor#
B 8emove the 8oleDescriptorG tags from metadata
For e>ample0 remove the following tags'
8oleDescriptor >si'type+=fed'ApplicationServiceType= protocolSupportnumeration+http'(( HHG HHH(8oleDescriptorG
8oleDescriptor >si'type+=fed'SecurityTo%enServiceType= protocolSupportnumeration+http'(( HHHG (8oleDescriptorG
I Save the changes
To Add a New dentit# Provider Connection Usin Metadata
, *n $AM Administrative 7onsole0 select Devices G Identity Server.
2 7lic% Edit.
. Select SAML 2.0
B 7lic% NewG Identity 4rovider
I nter the name as ADFS in the Namefield
/ Select Metadata Te>t from the Soure list
: 4aste the copied ADFS metadata "trimmed# te>t in the Te&tfield
; 7lic% Next.
Specify an alphanumeric value that identifies the card in theID field
,! Specify the image to be displayed on the card in the I$!*e field
,, Cpdate *dentity Server
-
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
11/15
To Add AD FS Server Tr!sted Certificate A!t"orit#
, Download 7A from the AD FS server
2 *n $AM Administration 7onsole0 select SecurityG Certiic!tes.
. Select "rusted #oots
B 7lic% I$%ortI nter the certificate name0 and browse for AD FS 7A
/ 7lic% 1
: 7lic% uploaded AD FS 7A
; 7lic% Addto "rusted Store and select config store
Cpdate *dentity Server
To Confi!re dentit# Provider in NAM
, Select AD FS *dentity 4rovider in the SAML 2.0tab
2 7lic%Authentic!tion C!rd GAuthentic!tion #e,uest
. Select $es!onse "rotool inding to "ST
B $AM *dentifier Format as Transient
I 7lic% &'.
/ Cpdate *dentity Server
Con*igure AD FS 2.0This section discusses'
Adding a 8elaying 4arty using metadata
diting 7laim 8ules for 8elaying 4arty Trust
Adding a $elaying "arty Using Metadata
The metadata import capability of AD FS 2! is used to create a 8elaying 4arty The metadata includes
the public %ey that is used to validate security to%ens that are signed by $AM
To Add a %ein Part# Usin Metadata
, *n AD FS 2!0 right-clic% the $elaying "arty Trustsfolder0 and then clic% Add $elaying "arty
Trustto start the Add 8elaying 4arty Trust 1iard
2 7lic% Start
. 3n the Selet Data Sourepage0 select *mport data about the claims provider from a file
B *n the Federation metadata *ile loation section0 clic% rose
I $avigate to the location where you saved namJmetadata>ml earlier0 clic% !enG Ne&t
/ *n the S!ei*y Dis!lay Namepage0 enter $AM >ample
: 7lic% Ne&tG Ne&tG Close
-
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
12/15
'diting Claim $ules *or a $elaying "arty Trust
This section describes how data from AD FS is used in the security to%en that is sent to $AM
To 'dit C&aim %!&e for a %e&a#in Part# Tr!st
, The 'dit Claim $ulesdialog bo> should already be open *f not0 in the AD FS 2! center pane0
under $elying "arty Trusts0 right-clic% NAM '&am!le0 and then clic% 'dit Claim $ules
2 *n the )ssuane Trans*orm $ulestab0 clic% Add $ule
. *n the Selet $ule Tem!latepage0 leave the Send &DA4 Attributes as 7laims option selected0
and then clic% Ne&t
B *n the Con*igure Claim $ulepage0 enter 9et attributes in the Claim rule namefield
I Select Active Directoryfrom the Attribute Storelist
/ *n the Ma!!ing o* LDA" attributessection0 create the following mappings
LDA" Attribute utgoing Claim Ty!e
Cser4rincipal$ame C4$
Mail -Mail Address
: 7lic% Finish
; *n the )ssuane Trans*orm $ulestab0 clic% Add $ule
*n the Selet $ule Tem!latepage0 select Transform an *ncoming 7laim9and then clic% Ne&t
,! *n the Con*igure Claim $ulepage0 use the following values
Name +alue
7laim rule name *ncoming $ame *D format
Transient $ame *D Mapping 8ule Transient *dentifier
Mail -Mail Address
,, 7lic% Finish
C"anin AD FS 2.0 Sinat!re A&orit"m
y default $AM uses the Secure 5ash Algorithm , "S5A-,# for signing operations0 and by default
AD FS 2! e>pects partners to use S5A-2I/ 4erform the following steps to setup AD FS 2! to e>pect
S5A-, for interoperability with $AM *dentity 4rovider
, *n AD FS 2!0 clic% Claims "ro(ider Trusts G right-clic% "ing '&am!le G"ro!erties
2 *n the Ad(anedtab0 select S5A6: in the Seure 5ash Algorithmlist
. 7lic% 1
Certi*iation Authority6)ssued Signing7'nry!tion Certi*iates
This section includes'
Disabling 78& 7hec%ing 3ption in &inu> *dentity 4rovider
Disabling 78& 7hec%ing 3ption in AD FS 2!
-
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
13/15
For more information about signing(encryption certificates0 see 7ertification Authority-*ssued
Signing(ncryption 7ertificates
Disa$&in C%+ C"ec,in -*tion in +in! dentit# Provider
, Modify the (var(opt(novell(tomcatI(conf(tomcatIconf file and add ANAJ34TS+OPQANAJ34TSR
-Dcomnovellnidpserver37S478&+falseO "*n $AM ., S4. and ., S4B#
2 Modifythe (var(opt(novell(tomcat:(conf(tomcat:conf file and add ANAJ34TS+OPQANAJ34TSR
-Dcomnovellnidpserver37S478&+falseO "*n $AM .2#
To Disa$&e C%+ C"ec,in -*tion
, 7lic% Start G Administrati(e Tools G 4indos "oerShell Modules
2 nter the following command in the 4owerShell command prompt'
set-ADFSCRelayingPartyTrust TargetName NA !"am#le$
SigningCerti%icateRe&ocationChec' None
AD FS 2.0 'nry!tion Strength*n AD FS 2!0 encryption of outbound assertions is enabled by default Assertion encryption occurs for any
8elying 4arty or service provider for which AS FS 2! possesses an encryption certificate
1hen it performs encryption0 AD FS 2! uses 2I/-bit Advanced ncryption Standard "AS# %eys0 or AS-
2I/ *n contrast0 by default 4ingFederate supports a wea%er algorithm "AS-,2;# Failing to reconcile
these conflicting defaults can result in failed SS3 attempts Alternatives for addressing this issue include
the following'
Disa$&in encr#*tion in AD FS 2.0
To disable the encryption in AD FS 2!0 complete the following steps'
, 7lic% Start G Administrati(e Tools G 4indos "oerShell Modules
2 nter the following command in the 1indows 4owerShell command prompt'
set-ADFSRelyingPartyTrust TargetName NA !"am#le$
!ncry#tClaims (False
-
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
14/15
$e*erenes% AD FS 2.0 asis
This section includes'
Con*iguring the to,en6dery!ting erti*iate
Adding 7A certificates at AD FS 2!
Debugging AD FS 2.0
Con*iguring the To,en6dery!ting Certi*iate, 3pen the AD FS 2! Management tool0 clic% Start GAdministrati(e Tools GAD FS 2.0
Management
2 3n the left-pane0 e>pand the Ser(iefolder and clic% Certi*iates
. *n the Certi*iatessection0 select Add To,en6Dery!ting Certi*iate
1hile configuring the To%e-decrypting certificate0 an error may occur prompting to run thefollowing 4owerShell commands'
A))-PSSna#in icroso%t.A)%s.Po*erShell
Set-ADFSPro#erties -AutoCerti%icateRollo&er (%alse
8un these to select other certificate The certificate must be installed on the server The
certificates are configured on the **S Manager'
B 7lic% Start GAdministrati(e Tools G)nternet )n*ormation Ser(ies ;))S< Manager
I 7lic% Ser(erName
/ 7lic% Ser(er Certi*iatesin the ))SSection
Adding CA Certi*iates to AD FS 2.0, *n 1indows0 Start G$un Gmm
2 Attach snapshot certificates as service
. Select AD FS
B *mport 7A certificate to trusted authorities
Debugging AD FS 2.0,/ *n vent Niewer0 clic% A!!liations GAD FS
,: ?ou can access the trouble shooting help here'
,; http'((technetmicrosoftcom(en-us(library(adfs2-troubleshooting-certificate-problems
2;1S,!2asp>
, http'((/BB,,2I2(fr-fr(library(adfs2-troubleshooting-certificate-problems2;1S,!2asp>
http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems(WS.10).aspxhttp://64.4.11.252/fr-fr/library/adfs2-troubleshooting-certificate-problems(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems(WS.10).aspxhttp://64.4.11.252/fr-fr/library/adfs2-troubleshooting-certificate-problems(WS.10).aspx -
8/13/2019 ADFS 2.0 Configuration ADFS ClaimProvider
15/15
Power S"e&& Commands /e&*
2! http'((technetmicrosoftcom(en-us(library(adfs2-help-using-windows-powershell2;1S,!2asp>
2, http'((technetmicrosoftcom(en-us(library(adfs2-powershell-e>amples2;1S,!2asp>
http://technet.microsoft.com/en-us/library/adfs2-help-using-windows-powershell(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-powershell-examples(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-help-using-windows-powershell(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-powershell-examples(WS.10).aspx