Step 6: Configure Fabrikam to federate and issue tokens to Contoso

  • Article

Applies To: Active Directory Federation Services (AD FS) 2.0

Step 6: Configure Fabrikam to federate and issue tokens to Contoso

In this step, we configure the federation server at Fabrikam to issue tokens to the federation server at Contoso to enable federation; that is, we add the Contoso federation server as a relying party on the Fabrikam federation server. We also configure the claims that the federation server at Fabrikam should send to the federation server at Contoso.

To add the Contoso federation server as a relying party on the Fabrikam federation server

  1. Log on to the FABRIKAMSRV01 computer as FABRIKAM\Administrator with "demo!23" as the user password.

  2. Open the AD FS 2.0 Management console. On the Start menu, click Administrative Tools, and then click AD FS 2.0 Management.

  3. After the snap-in is loaded, in the right pane, click the link Required: Add a trusted relying party.

  4. The Add Relying Party Wizard opens, as shown in the following illustration. Click Start to begin adding the SharePoint site as a relying party.

  5. On the Select Data Source page, keep the default option selected, click Import data about the relying party published online or on a local network, type sts1.contoso.com, and then click Next.

  6. On the Specify Display Name page, type Contoso STS for a display name, and click Next.

  7. Complete the rest of the wizard with the default options selected. Click Close at the end to start the Rules Editor.

To configure claims for the Contoso federation server relying party

  1. In the Rules Editor, click Add Rule.

  2. In the Select Rule Template page, keep the default option Send LDAP Attributes as Claims selected, and then click Next.

  3. On the Configuration Rule page, type Outgoing Email address claim in the Claim rule Name field. For the Attribute store, select Active Directory. In the LDAP Attribute column, select E-Mail-Addresses for the outgoing E-Mail Address claim, and then click Finish.

    Add another rule so that Role claim is sent only if the user belongs to the DrugTrial1Auditors group and the value for that claim is going to be DrugTrial1Auditors. To add this rule:

  4. Click Add Rule.

  5. In the drop-down menu, select Send Group Membership as a Claim, and then click Next.

  6. For the Claim rule name, type Send Role Claim.

  7. Then, click Browse, type DrugTrial1Auditors, click Check Names, and then click OK.

  8. For the outgoing claim type, select Role and for outgoing claim value, type DrugTrial1Auditors, and then click Finish.

  9. Click OK to close the Rules Editor.

To verify that the Fabrikam identity provider is working properly

  1. Remain logged on to the FABRIKAMSRV01 computer as FABRIKAM\Administrator.

  2. Open Internet Explorer (make sure no other instances of Internet Explorer were already open), and navigate to the docs site at https://docs.contoso.com, which redirects you to the STS login page.

  3. At the Contoso STS sign-in page, select Fabrikam Identity Provider from the drop-down list, and then click Continue to Sign In.

  4. On the Fabrikam sign-in page, sign in using the credentials of Frank Miller with the username fabrikam\frankm and password demo!23.

After you are signed in, you will be redirected to the SharePoint site with read-only access to the site. This is because the group, DrugTrial1Auditors, that FrankM belongs to, has visitor-only access to the site.