
Step 4: Configuring the Federation Servers

Updated: November 15, 2007

Applies To: Windows Server 2008

Now that you have installed Active Directory Federation Services (AD FS) and configured the Web server for the sample claims-aware application, the next step is to configure the Federation Service on the federation servers for both Trey Research and the A. Datum Corporation. In this step, you:

  • Make the Federation Service for Trey Research aware of the claims-aware application.

  • Add account stores and group claims to the appropriate Federation Service.

  • Configure each of the group claims so that they map to an Active Directory Domain Services (AD DS) group in the appropriate forest.

This step consists of the following tasks:

Administrative credentials

To perform all the procedures in this step, log on to the adfsaccount computer and the adfsresource computer with the Administrator account for the domain.

This section includes the following procedures:

Use the following procedure on the adfsaccount computer to configure the trust policy for the Federation Service for A. Datum Corporation.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, double-click Federation Service, right-click Trust Policy, and then click Properties.

  3. On the General tab, in Federation Service URI, type urn:federation:adatum.

    Note
    This value is case sensitive.

  4. In the Federation Service endpoint URL text box, verify that https://adfsaccount.adatum.com/adfs/ls/ appears.

  5. On the Display Name tab, in Display name for this trust policy, type A. Datum (replace any value that may already exist in this field with A. Datum), and then click OK.

Use the following procedure to create a group claim that will be used to authenticate to the treyresearch.net forest.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Organization Claims, point to New, and then click Organization Claim.

  3. In the Create a New Organization Claim dialog box, in Claim name, type Trey ClaimApp Claim.

  4. Ensure that Group claim is selected, and then click OK.

Use the following procedures to add an AD DS account store to the Federation Service for A. Datum Corporation.

Use the following procedure to add an AD DS account store.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Account Stores, point to New, and then click Account Store.

  3. On the Welcome to the Add Account Store Wizard page, click Next.

  4. On the Account Store Type page, ensure that Active Directory Domain Services is selected, and then click Next.

    Note
    You can have only one AD DS store that is associated with a Federation Service. If the AD DS option is not available, an AD DS store has already been created for this Federation Service.

  5. On the Enable this Account Store page, ensure that the Enable this account store check box is selected, and then click Next.

  6. On the Completing the Add Account Store Wizard page, click Finish.

Use the following procedure to map an AD DS global group to the Trey ClaimApp Claim group claim.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, double-click Account Stores, right-click Active Directory, point to New, and then click Group Claim Extraction.

  3. In the Create a New Group Claim Extraction dialog box, click Add, type treyclaimappusers, and then click OK.

  4. Ensure that the Map to this Organization Claim menu displays Trey ClaimApp Claim, and then click OK.

This section includes the following procedures:

Use the following procedure on the adfsresource computer to configure the trust policy for the Federation Service in Trey Research.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, double-click Federation Service, right-click Trust Policy, and then click Properties.

  3. On the General tab, in Federation Service URI, type urn:federation:treyresearch.

    Note
    This value is case sensitive.

  4. In the Federation Service endpoint URL text box, verify that https://adfsresource.treyresearch.net/adfs/ls/ appears.

  5. On the Display Name tab, in Display name for this trust policy, type Trey Research (replace any value that may already exist in this field with Trey Research), and then click OK.

Use the following procedure to create a group claim that will be used to make authorization decisions for the sample claims-aware application on behalf of users in the adatum.com forest.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Organization Claims, point to New, and then click Organization Claim.

  3. In the Create a New Organization Claim dialog box, in Claim name, type Adatum ClaimApp Claim.

  4. Ensure that Group claim is selected, and then click OK.

Use the following procedure to add an AD DS account store to the Federation Service for Trey Research.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Account Stores, point to New, and then click Account Store.

  3. On the Welcome to the Add Account Store Wizard page, click Next.

  4. On the Account Store Type page, ensure that Active Directory Domain Services is selected, and then click Next.

  5. On the Enable this Account Store page, ensure that the Enable this account store check box is selected, and then click Next.

  6. On the Completing the Add Account Store Wizard page, click Finish.

Use the following procedures on the adfsresource computer to add a claims-aware application to the Federation Service for Trey Research.

Use the following procedure to add a claims-aware application to the Federation Service.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Applications, point to New, and then click Application.

  3. On the Welcome to the Add Application Wizard page, click Next.

  4. On the Application Type page, click Claims-aware application, and then click Next.

  5. On the Application Details page, in Application display name, type Claims-aware Application.

  6. In Application URL, type https://adfsweb.treyresearch.net/claimapp/, and then click Next.

  7. On the Accepted Identity Claims page, click User principal name (UPN), and then click Next.

  8. On the Enable this Application page, ensure that the Enable this application check box is selected, and then click Next.

  9. On the Completing the Add Application Wizard page, click Finish.

Now that the Federation Service recognizes the application, use the following procedure to enable the Adatum ClaimApp Claim group claim for that application.

  1. In the Applications folder, click Claims-aware Application.

  2. Right-click Adatum ClaimApp Claim, and then click Enable.

Creating federated trusts between partner organizations is easier in Windows Server 2008 than it was in earlier Windows operating systems because of enhanced policy-based export and import functionality. In this section, you use this import and export functionality to exchange policy files between the A. Datum and Trey Research organizations to successfully create the federated trust.

For more information about how this import and export functionality works, see Active Directory Federation Services Role (http://go.microsoft.com/fwlink/?LinkId=104518).

This section includes the following procedures:

On the adfsaccount computer at A. Datum, use the following procedure to export the trust policy data that you use in the next procedure to create one side of the federation trust relationship between A. Datum and Trey Research.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, right-click Trust Policy, and then click Export Basic Partner Policy.

  3. In the Export Basic Partner Policy dialog box, click Browse, in File name type c:\adfsaccount, click Save, and then click OK.

    Note
    If this were an actual AD FS production environment, the administrator in A. Datum would now send the exported policy file to the resource partner administrator at Trey Research by e-mail or other means.

On the adfsresource computer at Trey Research, use the following procedure to import the A. Datum trust policy data that you must have to finish creating the first side of the federation trust and to add A. Datum as an account partner to the Trey Research trust policy.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, right-click Account Partners, point to New, and then click Account Partner.

  3. On the Welcome to the Add Account Partner Wizard page, click Next.

  4. On the Import Policy File page, under Partner interoperability policy file type \\adfsaccount\c$\adfsaccount.xml, click Yes, and then click Next.

  5. On the Account Partner Details page, ensure that:

    • Display name displays A. Datum.

    • Federation Service URI displays urn:federation:adatum.

    • Federation Service endpoint URL displays https://adfsaccount.adatum.com/adfs/ls/, and then click Next.

  6. On the Account Partner Verification Certificate page, ensure that Use the verification certificate in the import policy file is selected, and then click Next.

  7. On the Federation Scenario page, ensure that Federated Web SSO is selected, and then click Next.

  8. On the Account Partner Identity Claims page, ensure that the UPN Claim and E-mail Claim check boxes are selected, and then click Next.

  9. On the Accepted UPN Suffixes page, type adatum.com, click Add, and then click Next.

  10. On the Accepted E-mail Suffixes page, type adatum.com, click Add, and then click Next.

  11. On the Enable this Account Partner page, ensure that the Enable this account partner check box is selected, and then click Next.

  12. On the Completing the Add Account Partner Wizard page, click Finish.

On the adfsresource computer at Trey Research, use the following procedure to create an incoming group claim mapping to use for the sample claims-aware application. In the next procedure, you export this claim mapping to A. Datum along with other policy data that is relevant to creating this federated trust relationship.

Note
At A. Datum, when you import the policy data from Trey Research, you will be prompted to automatically create an outgoing group claim mapping based on the name of the incoming group claim mapping that you create in this procedure (ClaimAppMapping). Following this part of the import process helps prevent the typographical errors that can occur if you do not use the import and export process.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, double-click Account Partners, right-click A. Datum, point to New, and then click Incoming Group Claim Mapping.

  3. In the Create a New Incoming Group Claim Mapping dialog box, in Incoming group claim name, type ClaimAppMapping.

    Note
    This value is case sensitive. It must match exactly the value that you specified in the outgoing group claim mapping in the account partner organization, A. Datum.

  4. In Organization group claim, select Adatum ClaimApp Claim, and then click OK.

On the adfsresource computer at Trey Research, use the following procedure to export the Trey Research partner policy data to use in the next procedure to create the second side of the federation trust relationship.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, double-click Account Partners, right-click A. Datum, and then click Export Policy.

  3. In the Export Partner Policy dialog box, click Browse, in File name type c:\adfsresource, click Save, and then click OK.

    Note
    If this were an actual AD FS production environment, the administrator in Trey Research would now send the exported partner policy file to the account partner administrator by e-mail or other means.

On the adfsaccount computer at A. Datum, use the following procedure to import the Trey Research partner policy data that you must have to finish creating the second side of the federation trust and to add Trey Research as a resource partner to the A. Datum trust policy.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, right-click Resource Partners, point to New, and then click Resource Partner.

  3. On the Welcome to the Add Resource Partner Wizard page, click Next.

  4. On the Import Policy File page, click Yes, under Partner interoperability policy file type \\adfsresource\c$\adfsresource.xml, and then click Next.

  5. On the Resource Partner Details page, ensure that:

    • Display name displays Trey Research.

    • Federation Service URI displays urn:federation:treyresearch.

    • Federation Service endpoint URL displays https://adfsresource.treyresearch.net/adfs/ls/, and then click Next.

  6. On the Account Partner Verification Certificate page, ensure that Use the verification certificate in the import policy file is selected, and then click Next.

  7. On the Federation Scenario page, ensure that Federated Web SSO is selected, and then click Next.

  8. On the Resource Partner Identity Claims page, ensure that the UPN Claim and E-mail Claim check boxes are selected, and then click Next.

  9. On the Select UPN Suffix page, ensure that Replace all UPN suffixes with the following displays adatum.com, and then click Next.

  10. On the Select E-mail Suffix page, ensure that Replace all E-mail suffixes with displays adatum.com, and then click Next.

  11. On the Map Claim Transformations page, under Mapping select Trey ClaimApp Claim, and then click Next.

  12. On the Enable this Resource Partner page, ensure that the Enable this resource partner check box is selected, and then click Next.

  13. On the Completing the Add Resource Partner Wizard page, click Finish.
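As an added illustration (not part of this Microsoft documentation and not AD FS code), the following Python model traces a user's claims through the configuration built in this step, using the names and values from the procedures above; the dictionaries and function names are assumptions standing in for the two trust policies. It shows why the case-sensitive notes matter (a group claim mapping name or Federation Service URI that differs only in case is dropped or rejected) and how the accepted UPN suffixes stop an account partner from asserting identities outside its own namespace.

```python
# Added illustration, not Microsoft's or AD FS's code: a simplified model of
# the claim flow from A. Datum (account partner) to the Claims-aware
# Application at Trey Research (resource partner). Names and values are the
# ones configured in this step; the data structures are assumptions.
ACCOUNT_PARTNER = {
    "uri": "urn:federation:adatum",
    # AD DS global group -> organization group claim (Group Claim Extraction)
    "group_extractions": {"treyclaimappusers": "Trey ClaimApp Claim"},
    # organization claim -> outgoing group claim mapping name (Map Claim Transformations)
    "outgoing_group_mappings": {"Trey ClaimApp Claim": "ClaimAppMapping"},
}

RESOURCE_PARTNER = {
    "accepted_account_partners": {"urn:federation:adatum"},   # Account Partner URI
    "accepted_upn_suffixes": {"adatum.com"},                  # Accepted UPN Suffixes
    # incoming group claim name -> organization claim (Incoming Group Claim Mapping)
    "incoming_group_mappings": {"ClaimAppMapping": "Adatum ClaimApp Claim"},
    # application URL -> organization claims enabled for that application
    "applications": {
        "https://adfsweb.treyresearch.net/claimapp/": {"Adatum ClaimApp Claim"},
    },
}


def account_partner_token(upn, ad_groups):
    """A. Datum side: extract group claims from the user's AD DS groups, then
    apply the outgoing mapping so only partner-facing claim names leave."""
    org_claims = {ACCOUNT_PARTNER["group_extractions"][g]
                  for g in ad_groups if g in ACCOUNT_PARTNER["group_extractions"]}
    outgoing = {ACCOUNT_PARTNER["outgoing_group_mappings"][c]
                for c in org_claims if c in ACCOUNT_PARTNER["outgoing_group_mappings"]}
    return {"issuer": ACCOUNT_PARTNER["uri"], "upn": upn, "groups": outgoing}


def resource_partner_claims(token, app_url):
    """Trey Research side: accept the token only from a configured account
    partner (URI compared case-sensitively) with an accepted UPN suffix, map
    incoming group claims by exact name, and keep those enabled for the app."""
    if token["issuer"] not in RESOURCE_PARTNER["accepted_account_partners"]:
        raise PermissionError("token issuer is not a configured account partner")
    suffix = token["upn"].rsplit("@", 1)[-1].lower()   # DNS suffixes are case-insensitive
    if suffix not in RESOURCE_PARTNER["accepted_upn_suffixes"]:
        raise PermissionError(f"UPN suffix {suffix!r} is not an accepted suffix")
    mapped = {RESOURCE_PARTNER["incoming_group_mappings"][g]
              for g in token["groups"]
              if g in RESOURCE_PARTNER["incoming_group_mappings"]}   # exact match only
    return mapped & RESOURCE_PARTNER["applications"].get(app_url, set())
```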
