Add a New Account Partner by Importing an Existing Policy File

Applies To: Windows Server 2008

If you have received an exported Active Directory Federation Services (AD FS) policy file from the account partner organization, perform the following procedure on a resource federation server to automatically configure the new account partner by importing the policy file.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To add a new account partner by importing an existing policy file

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, double-click Federation Service, double-click Trust Policy, and then double-click Partner Organizations.

  3. Right-click Account Partners, point to New, and then click Account Partner.

  4. On the Welcome to the Add Account Partner Wizard page, click Next.

  5. On the Import Policy File page, click Yes. In Partner interoperability policy file, type or browse to the policy file that you want to import, and then click Open.

  6. On the Account Partner Details page, review the account partner's predefined settings (taken from the imported policy file), and then click Next.

  7. On the Account Partner Verification Certificate page, select Use the verification certificate in the import policy file, and then click Next.

  8. On the Federation Scenario page, do one of the following, and then click Next:

    • If you are establishing a federated trust with an account partner organization and you do not want to use an existing forest trust, click Federated Web SSO, and then go to step 10.

    • If you are establishing a federated trust within the same organization when both sides already share a forest trust, click Federated Web SSO with Forest Trust.

  9. On the Federated Web SSO with Forest Trust page, do one of the following, and then click Next:

    • To accept users in all domains that are trusted by the account partner, click All AD DS domains and forests. Any user that can authenticate to the account partner will be accepted.

    • To accept user accounts that are located in some of the domains that are trusted by the account partner, click The following AD DS domains and forests. Then, in New, trusted AD DS domain or forest, type the name of a domain or forest, and then click Add. Only users from the specified domains will be accepted. If you need to remove a domain or forest, click Remove.

  10. On the Account Partner Identity Claims page, select one or more identity claims to share with the resource partner, and then click Next:

    • If the resource partner requires user principal name (UPN) claims to make authorization decisions, select the UPN Claim check box.

Important

When UPN claims or e-mail claims are used to make authorization decisions, it is essential that each account partner use a unique UPN suffix or e-mail suffix. If two account partners use the same UPN suffix or e-mail suffix, it might not be possible to uniquely identify users. This condition might allow a user from one account partner to receive the permissions that are intended for a user in another account partner. This condition might also introduce a significant security weakness because an administrator can intentionally create user accounts to impersonate users from one of your other account partners.

Note

If you selected the Federated Web SSO with Forest Trust scenario, the UPN Claim option is selected and not configurable because UPN claims are required for this scenario.

    • If the resource partner requires e-mail claims to make authorization decisions, select the E-mail Claim check box.

    • If the resource partner requires common name claims to make authorization decisions, select the Common Name Claim check box.

  11. If you selected UPN Claim as an identity claim, on the Accepted UPN Suffixes page, type the accepted suffix, click Add, and then click Next. If you selected the Federated Web SSO with Forest Trust scenario, you can instead select All UPN suffixes.

  12. If you selected E-mail Claim as an identity claim, on the Accepted E-mail Suffixes page, type the accepted suffix, click Add, and then click Next. If you selected the Federated Web SSO with Forest Trust scenario, you can instead select All E-mail suffixes.

Note

Common name claims require no additional information.

  13. On the Enable this Account Partner page, if you do not want to enable the account partner now, clear the Enable this account partner check box, and then click Next.

  14. To add the new account partner and close the wizard, click Finish.
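The Important note above warns that two account partners accepting the same UPN or e-mail suffix makes users indistinguishable, so an administrator at one partner could create accounts that impersonate the other partner's users. The following Python script is an added example (not part of this Microsoft procedure and not AD FS code) that performs the check a resource-partner administrator would want before clicking Finish: given the accepted suffixes entered for each account partner, it reports any suffix claimed by more than one partner and shows how an identity claim resolves, or fails to resolve, to a single partner. The partner table, partner names and suffixes are constructed for illustration; the function names are this example's own.

```python
"""Check that no two AD FS account partners accept the same UPN or e-mail suffix.

Added example. The partner table below is constructed for illustration and is
not read from a real AD FS trust policy file.
"""
from collections import defaultdict

# Constructed sample: account partner name -> accepted suffixes, as entered on the
# Accepted UPN Suffixes and Accepted E-mail Suffixes wizard pages.
SAMPLE_PARTNERS = {
    "Contoso": {"upn": ["contoso.com"], "email": ["contoso.com"]},
    "Fabrikam": {"upn": ["fabrikam.com", "corp.fabrikam.com"], "email": ["fabrikam.com"]},
    # Deliberate misconfiguration: Adatum also claims the contoso.com UPN suffix.
    "Adatum": {"upn": ["contoso.com"], "email": ["adatum.com"]},
}

CLAIM_TYPES = ("upn", "email")


def normalize(suffix):
    """Suffix comparison is case-insensitive; tolerate a leading '@' and stray whitespace."""
    return suffix.strip().lstrip("@").lower()


def find_suffix_collisions(partners):
    """Return {(claim_type, suffix): [partner names]} for every suffix accepted
    from more than one account partner. An empty dict means the configuration is clean."""
    owners = defaultdict(set)
    for name, claims in partners.items():
        for claim_type in CLAIM_TYPES:
            for suffix in claims.get(claim_type, []):
                owners[(claim_type, normalize(suffix))].add(name)
    return {key: sorted(names) for key, names in owners.items() if len(names) > 1}


def partners_for_identity(partners, claim_type, identity):
    """List the account partners whose accepted suffixes match the identity claim
    value (user@suffix). The suffix must match in full: 'notcontoso.com' is not
    'contoso.com', and 'corp.fabrikam.com' is distinct from 'fabrikam.com'."""
    if "@" not in identity:
        return []
    suffix = normalize(identity.rsplit("@", 1)[1])
    return sorted(
        name for name, claims in partners.items()
        if suffix in {normalize(s) for s in claims.get(claim_type, [])}
    )


def resolve_partner(partners, claim_type, identity):
    """Map an identity claim to the single partner that owns its suffix.
    Returns None for an unclaimed suffix and raises ValueError when the suffix is
    ambiguous, which is exactly the condition the Important note describes."""
    matches = partners_for_identity(partners, claim_type, identity)
    if len(matches) > 1:
        raise ValueError(
            f"{claim_type} suffix of {identity!r} is accepted from several partners: {matches}"
        )
    return matches[0] if matches else None


if __name__ == "__main__":
    collisions = find_suffix_collisions(SAMPLE_PARTNERS)
    if collisions:
        for (claim_type, suffix), names in sorted(collisions.items()):
            print(f"COLLISION: {claim_type} suffix '{suffix}' accepted from {', '.join(names)}")
    else:
        print("No overlapping suffixes between account partners.")
    print("bob@Fabrikam.com ->", resolve_partner(SAMPLE_PARTNERS, "upn", "bob@Fabrikam.com"))
```

Run the script against the suffixes you have entered for every account partner on the resource federation server; any reported collision should be resolved with the partner organizations before the new account partner is enabled, since the wizard itself does not reject a suffix that another partner already accepts.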

Additional references

Checklist: Configuring Both Sides of a Federated Trust Using Export/Import