Step 4: Configuring the Federation Servers

Applies To: Windows Server 2008

Now that you have installed Active Directory Federation Services (AD FS) and you have configured the Web server for the sample claims-aware application, next you configure the Federation Service on the federation servers for both Trey Research and the A. Datum Corporation. In this step, you:

  • Make the Federation Service for Trey Research aware of the claims-aware application.

  • Add account stores and group claims to the appropriate Federation Service.

  • Configure each of the group claims so that they map to an Active Directory Domain Services (AD DS) group in the appropriate forest.

This step consists of the following tasks:

  • Configure the Federation Service for A. Datum Corporation

  • Configure the Federation Service for Trey Research

  • Creating both sides of the federated trust using import and export functionality

Administrative credentials

To perform all the procedures in this step, log on to the adfsaccount computer and the adfsresource computer with the Administrator account for the domain.

Configure the Federation Service for A. Datum Corporation

This section includes the following procedures:

  • Configure the A. Datum trust policy

  • Create a group claim for the claims-aware application

  • Add and configure an AD DS account store

Configure the A. Datum trust policy

Use the following procedure on the adfsaccount computer to configure the trust policy for the Federation Service for A. Datum Corporation.

To configure the trust policy

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, double-click Federation Service, right-click Trust Policy, and then click Properties.

  3. On the General tab, in Federation Service URI, type urn:federation:adatum.

Note

This value is case sensitive.

  4. In the Federation Service endpoint URL text box, verify that https://adfsaccount.adatum.com/adfs/ls/ appears.

  5. On the Display Name tab, in Display name for this trust policy, type A. Datum (replace any value that may already exist in this field with A. Datum), and then click OK.

Create a group claim for the claims-aware application

Use the following procedure to create a group claim that will be used to authenticate to the treyresearch.net forest.

To create a group claim for the claims-aware application

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Organization Claims, point to New, and then click Organization Claim.

  3. In the Create a New Organization Claim dialog box, in Claim name, type Trey ClaimApp Claim.

  4. Ensure that Group claim is selected, and then click OK.

Add and configure an AD DS account store

Use the following procedures to add an AD DS account store to the Federation Service for A. Datum Corporation.

  • Add an AD DS account store

  • Map a global group to the group claim for the claims-aware application

Add an AD DS account store

Use the following procedure to add an AD DS account store.

To add an AD DS account store

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Account Stores, point to New, and then click Account Store.

  3. On the Welcome to the Add Account Store Wizard page, click Next.

  4. On the Account Store Type page, ensure that Active Directory Domain Services is selected, and then click Next.

Note

You can have only one AD DS store that is associated with a Federation Service. If the AD DS option is not available, an AD DS store has already been created for this Federation Service.

  5. On the Enable this Account Store page, ensure that the Enable this account store check box is selected, and then click Next.

  6. On the Completing the Add Account Store Wizard page, click Finish.

Map a global group to the group claim for the claims-aware application

Use the following procedure to map an AD DS global group to the Trey ClaimApp Claim group claim.

To map a global group to the group claim for the claims-aware application

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, double-click Account Stores, right-click Active Directory, point to New, and then click Group Claim Extraction.

  3. In the Create a New Group Claim Extraction dialog box, click Add, type treyclaimappusers, and then click OK.

  4. Ensure that the Map to this Organization Claim menu displays Trey ClaimApp Claim, and then click OK.

Configure the Federation Service for Trey Research

This section includes the following procedures:

  • Configure the Trey Research trust policy

  • Create a group claim for the claims-aware application

  • Add an AD DS account store

  • Add and configure a claims-aware application

Configure the Trey Research trust policy

Use the following procedure on the adfsresource computer to configure the trust policy for the Federation Service in Trey Research.

To configure the Trey Research trust policy

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, double-click Federation Service, right-click Trust Policy, and then click Properties.

  3. On the General tab, in Federation Service URI, type urn:federation:treyresearch.

Note

This value is case sensitive.

  4. In the Federation Service endpoint URL text box, verify that https://adfsresource.treyresearch.net/adfs/ls/ appears.

  5. On the Display Name tab, in Display name for this trust policy, type Trey Research (replace any value that may already exist in this field with Trey Research), and then click OK.

Create a group claim for the claims-aware application

Use the following procedure to create a group claim that will be used to make authorization decisions for the sample claims-aware application on behalf of users in the adatum.com forest.

To create a group claim for the claims-aware application

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Organization Claims, point to New, and then click Organization Claim.

  3. In the Create a New Organization Claim dialog box, in Claim name, type Adatum ClaimApp Claim.

  4. Ensure that Group claim is selected, and then click OK.

Add an AD DS account store

Use the following procedure to add an AD DS account store to the Federation Service for Trey Research.

To add an AD DS account store

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Account Stores, point to New, and then click Account Store.

  3. On the Welcome to the Add Account Store Wizard page, click Next.

  4. On the Account Store Type page, ensure that Active Directory Domain Services is selected, and then click Next.

  5. On the Enable this Account Store page, ensure that the Enable this account store check box is selected, and then click Next.

  6. On the Completing the Add Account Store Wizard page, click Finish.

Add and configure a claims-aware application

Use the following procedures on the adfsresource computer to add a claims-aware application to the Federation Service for Trey Research.

  • Add a claims-aware application

  • Enable Adatum ClaimApp Claim

Add a claims-aware application

Use the following procedure to add a claims-aware application to the Federation Service.

To add a claims-aware application

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Applications, point to New, and then click Application.

  3. On the Welcome to the Add Application Wizard page, click Next.

  4. On the Application Type page, click Claims-aware application, and then click Next.

  5. On the Application Details page, in Application display name, type Claims-aware Application.

  6. In Application URL, type https://adfsweb.treyresearch.net/claimapp/, and then click Next.

  7. On the Accepted Identity Claims page, click User principal name (UPN), and then click Next.

  8. On the Enable this Application page, ensure that the Enable this application check box is selected, and then click Next.

  9. On the Completing the Add Application Wizard page, click Finish.

Enable Adatum ClaimApp Claim

Now that the Federation Service recognizes the application, use the following procedure to enable the Adatum ClaimApp Claim group claim for that application.

To enable Adatum ClaimApp Claim

  1. In the Applications folder, click Claims-aware Application.

  2. Right-click Adatum ClaimApp Claim, and then click Enable.

Creating both sides of the federated trust using import and export functionality

Creating federated trusts between partner organizations is easier in Windows Server 2008 than it was in earlier Windows operating systems because of enhanced policy-based export and import functionality. In this section, you use this import and export functionality to exchange policy files between the A. Datum and Trey Research organizations to successfully create the federated trust.

For more information about how this import and export functionality works, see Active Directory Federation Services Role (https://go.microsoft.com/fwlink/?LinkId=104518).

This section includes the following procedures:

  • Export the trust policy from A. Datum

  • Import the A. Datum trust policy to Trey Research

  • Create a claim mapping in Trey Research

  • Export the partner policy from Trey Research

  • Import the Trey Research partner policy to A. Datum

Export the trust policy from A. Datum

On the adfsaccount computer at A. Datum, use the following procedure to export the trust policy data that you use in the next procedure to create one side of the federation trust relationship between A. Datum and Trey Research.

Export the trust policy from A. Datum

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, right-click Trust Policy, and then click Export Basic Partner Policy.

  3. In the Export Basic Partner Policy dialog box, click Browse, in File name type c:\adfsaccount, click Save, and then click OK.

Note

If this were an actual AD FS production environment, the administrator in A. Datum would now send the exported policy file to the resource partner administrator at Trey Research by e-mail or other means.

Import the A. Datum trust policy to Trey Research

On the adfsresource computer at Trey Research, use the following procedure to import the A. Datum trust policy data that you must have to finish creating the first side of the federation trust and to add A. Datum as an account partner to the Trey Research trust policy.

Import the A. Datum trust policy to Trey Research

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, right-click Account Partners, point to New, and then click Account Partner.

  3. On the Welcome to the Add Account Partner Wizard page, click Next.

  4. On the Import Policy File page, under Partner interoperability policy file type \\adfsaccount\c$\adfsaccount.xml, click Yes, and then click Next.

  5. On the Account Partner Details page, ensure that:

  6. On the Account Partner Verification Certificate page, ensure that Use the verification certificate in the import policy file is selected, and then click Next.

  7. On the Federation Scenario page, ensure that Federated Web SSO is selected, and then click Next.

  8. On the Account Partner Identity Claims page, ensure that the UPN Claim and E-mail Claim check boxes are selected, and then click Next.

  9. On the Accepted UPN Suffixes page, type adatum.com, click Add, and then click Next.

  10. On the Accepted E-mail Suffixes page, type adatum.com, click Add, and then click Next.

  11. On the Enable this Account Partner page, ensure that the Enable this account partner check box is selected, and then click Next.

  12. On the Completing the Add Account Partner Wizard page, click Finish.

Create a claim mapping in Trey Research

On the adfsresource computer at Trey Research, use the following procedure to create an incoming group claim mapping to use for the sample claims-aware application. In the next procedure, you export this claim mapping to A. Datum along with other policy data that is relevant to creating this federated trust relationship.

Note

At A. Datum, when you import the policy data from Trey Research, you will be prompted to automatically create an outgoing group claim mapping based on the name of the incoming group claim mapping that you create in this procedure (ClaimAppMapping). Following this part of the import process helps prevent the typographical errors that can occur if you do not use the import and export process.

Create a claim mapping in Trey Research

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, double-click Account Partners, right-click A. Datum, point to New, and then click Incoming Group Claim Mapping.

  3. In the Create a New Incoming Group Claim Mapping dialog box, in Incoming group claim name, type ClaimAppMapping.

Note

This value is case sensitive. It must match exactly the value that you specified in the outgoing group claim mapping in the account partner organization, A. Datum.

  4. In Organization group claim, select Adatum ClaimApp Claim, and then click OK.

Export the partner policy from Trey Research

On the adfsresource computer at Trey Research, use the following procedure to export the Trey Research partner policy data to use in the next procedure to create the second side of the federation trust relationship.

Export the partner policy from Trey Research

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, double-click Account Partners, right-click A. Datum, and then click Export Policy.

  3. In the Export Partner Policy dialog box, click Browse, in File name type c:\adfsresource, click Save, and then click OK.

Note

If this were an actual AD FS production environment, the administrator in Trey Research would now send the exported partner policy file to the account partner administrator by e-mail or other means.

Import the Trey Research partner policy to A. Datum

On the adfsaccount computer at A. Datum, use the following procedure to import the Trey Research partner policy data that you must have to finish creating the second side of the federation trust and to add Trey Research as a resource partner to the A. Datum trust policy.

Import the Trey Research partner policy to A. Datum

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, right-click Resource Partners, point to New, and then click Resource Partner.

  3. On the Welcome to the Add Resource Partner Wizard page, click Next.

  4. On the Import Policy File page, click Yes, under Partner interoperability policy file type \\adfsresource\c$\adfsresource.xml, and then click Next.

  5. On the Resource Partner Details page, ensure that:

  6. On the Account Partner Verification Certificate page, ensure that Use the verification certificate in the import policy file is selected, and then click Next.

  7. On the Federation Scenario page, ensure that Federated Web SSO is selected, and then click Next.

  8. On the Resource Partner Identity Claims page, ensure that the UPN Claim and E-mail Claim check boxes are selected, and then click Next.

  9. On the Select UPN Suffix page, ensure that Replace all UPN suffixes with the following displays adatum.com, and then click Next.

  10. On the Select E-mail Suffix page, ensure that Replace all E-mail suffixes with displays adatum.com, and then click Next.

  11. On the Map Claim Transformations page, under Mapping select Trey ClaimApp Claim, and then click Next.

  12. On the Enable this Resource Partner page, ensure that the Enable this resource partner check box is selected, and then click Next.

  13. On the Completing the Add Resource Partner Wizard page, click Finish.
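The end-to-end claim flow that the procedures in this step configure (AD DS group to organization claim at A. Datum, outgoing and incoming group claim mappings across the trust, organization claim enabled for the application at Trey Research), as an added Python model that is not part of this guide and is not an AD FS API. The dataclasses and lookup tables are constructed here for illustration; only the names and values are the ones this guide uses.

```python
# Added example: a simplified model of the Federated Web SSO claim pipeline
# configured above. Real AD FS keeps this data in its trust policy; the
# classes and dictionaries below are constructed for illustration only.
from dataclasses import dataclass, field


@dataclass
class AccountPartner:  # A. Datum side (configured on adfsaccount)
    uri: str = "urn:federation:adatum"  # Federation Service URI, case sensitive
    # Group claim extraction: AD DS global group -> organization group claim
    group_claim_extraction: dict = field(
        default_factory=lambda: {"treyclaimappusers": "Trey ClaimApp Claim"})
    # Outgoing group claim mapping created on the Map Claim Transformations page
    outgoing_group_claim_mapping: dict = field(
        default_factory=lambda: {"Trey ClaimApp Claim": "ClaimAppMapping"})


@dataclass
class ResourcePartner:  # Trey Research side (configured on adfsresource)
    trusted_account_partner_uri: str = "urn:federation:adatum"
    accepted_upn_suffixes: tuple = ("adatum.com",)
    # Incoming group claim mapping: partner claim name -> organization claim
    incoming_group_claim_mapping: dict = field(
        default_factory=lambda: {"ClaimAppMapping": "Adatum ClaimApp Claim"})
    # Organization claims enabled for Claims-aware Application
    app_enabled_claims: frozenset = frozenset({"Adatum ClaimApp Claim"})


def issue_token(partner, upn, groups):
    """Account partner: AD DS groups -> org group claims -> outgoing group claims."""
    org = {partner.group_claim_extraction[g] for g in groups
           if g in partner.group_claim_extraction}
    outgoing = {partner.outgoing_group_claim_mapping[c] for c in org
                if c in partner.outgoing_group_claim_mapping}
    return {"issuer": partner.uri, "upn": upn, "groups": outgoing}


def evaluate_token(rp, token):
    """Resource partner: exact issuer URI match, accepted UPN suffix, then map claims."""
    if token["issuer"] != rp.trusted_account_partner_uri:
        return {"accepted": False, "reason": "unknown issuer URI"}
    suffix = token["upn"].rpartition("@")[2].lower()  # DNS suffix, case-insensitive
    if suffix not in rp.accepted_upn_suffixes:
        return {"accepted": False, "reason": "UPN suffix not accepted"}
    # Mapping names are case sensitive: an exact dictionary key lookup models this
    org = {rp.incoming_group_claim_mapping[c] for c in token["groups"]
           if c in rp.incoming_group_claim_mapping}
    return {"accepted": True, "app_claims": org & rp.app_enabled_claims}
```

A mapping name that differs only in case, or an issuer URI that differs only in case, silently yields a token with no application claims or a rejected token, which is the failure mode the case-sensitivity notes above warn about.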