
Checklist: Configuring AD FS to Send Claims to an AD FS 1.x Federation Service

Published: February 24, 2012

Updated: February 24, 2012

Applies To: Windows Server 2012



This checklist includes the tasks that are necessary for configuring your Active Directory Federation Services (AD FS) Federation Service in Windows Server 2012 to send claims that can be understood by an AD FS 1.x Federation Service.

Note
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist: Configuring AD FS to send claims to an AD FS 1.x Federation Service

Task | Reference
Checkbox

Plan for interoperability between AD FS in Windows Server 2012 and previous versions of AD FS and learn more about the Name ID claim type.

Conceptual topic Planning for Interoperability with AD FS 1.x

Checkbox

Before you can achieve interoperability with a previous version of AD FS, you must first create a relying party trust in the AD FS Federation Service to the AD FS 1.x Federation Service.

Note
You cannot create a trust with an AD FS 1.x Federation Service by using federation metadata.

When you set up the trust using the procedure in the link to the right, you must do the following in the Add Relying Party Trust Wizard to set up this trust to interoperate with an AD FS 1.x Federation Service:

  1. On the Select Data Source page, select Enter data about the relying party trust manually.

  2. On the Choose Profile page, select AD FS 1.0 and 1.1 profile.

  3. On the Configure URL page, under WS-Federation Passive URL, type the Federation Service endpoint URL as defined in the AD FS 1.x Federation Service of the partner.

  4. On the Configure Identifiers page, under Relying party trust identifier, type the Federation Service URI as defined in the AD FS 1.x Federation Service of the partner.

Conceptual topic Create a Relying Party Trust Manually

Checkbox

On the relying party trust that you created earlier, you must create claim rules that will take incoming claims that were extracted from an attribute store and pass through, filter, or transform them into a Name ID claim type that can be understood and consumed by the AD FS 1.x Federation Service.

Note
Before you create this rule, make sure that the claim rule set where you are creating this rule has a rule that comes before it that first extracts a Lightweight Directory Access Protocol (LDAP) attribute claim from an attribute store. This claim will be used as input to the rule that you create to send an AD FS 1.x-compatible claim. For more information about how to create a rule to extract an LDAP attribute, see Create a Rule to Send LDAP Attributes as Claims.

Conceptual topic Create a Rule to Send an AD FS 1.x Compatible Claim
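As an added example (not part of this checklist or of the linked procedures), the two claim rules described above written in the AD FS claim rule language and applied with Windows PowerShell to the relying party trust created in the previous task. The trust name is a placeholder; the claim type URIs are the standard AD FS ones, and the UPN is used as the attribute that feeds the Name ID.

```powershell
# Added example: apply the two claim rules the checklist describes to the
# relying party trust created for the AD FS 1.x partner. The trust name below
# is a placeholder; the trust itself is created with the wizard as in the previous task.
$trustName = "Contoso AD FS 1.x Partner"   # placeholder

# Rule 1: extract the UPN from Active Directory. This is the LDAP attribute
# rule that must come first, because it supplies the input claim for rule 2.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Rule 2: transform the UPN into a Name ID claim whose format property marks
# it as an AD FS 1.x UPN claim, which is what the 1.x Federation Service consumes.
$nameIdRule = @'
@RuleName = "Send AD FS 1.x compatible Name ID (UPN)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");
'@

# Rule order matters: the LDAP rule is listed first so its output exists when rule 2 runs.
$issuanceRules = $ldapRule + "`r`n" + $nameIdRule

Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $issuanceRules

# Check: confirm the rules are attached to the trust and that the endpoint and
# identifier match the values the partner's AD FS 1.x administrator provided.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules |
    Format-List
```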

Checkbox

Contact the administrator of the AD FS 1.x Federation Service and have that administrator set up a new account partner trust. Also, provide that administrator with the Federation Service URI (in the Federation Service properties), the WS-Federation Passive endpoint URL (the Federation Service endpoint URL), and an exported token-signing certificate file (with public key only). That administrator will need these items to set up the trust.

N/A
