Step 3: Configure the Contoso federation server to issue tokens to the SharePoint site

Applies To: Active Directory Federation Services (AD FS) 2.0


In this step, we configure the federation server in the Contoso domain to issue tokens to the SharePoint site. That is, we add the SharePoint site as the relying party. We also configure the Contoso federation server to use Active Directory as the source of role and user information.

To add the SharePoint site as a relying party for the Contoso federation server

  1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.

  2. Open the AD FS 2.0 Management console. On the Start menu, click Administrative Tools, and then click AD FS 2.0 Management.

  3. After the snap-in is loaded, in the right pane, click Required: Add a trusted relying party.

  4. The Add Relying Party Wizard opens, as shown in the following illustration. Click Start to begin adding the SharePoint site as a relying party.

  5. On the Select Data Source page, keep the default option selected, and then type the following URL:
    https://docs.contoso.com/_LAYOUTS/images/443/federationmetadata/2007-06/federationmetadata.xml

    This is the location of the SharePoint federation metadata file that was produced when we ran the tool on the ContosoSrv02 server.

  6. Click Next to go to the Specify Display Name page, where you can enter a display name for the SharePoint site. Type SharePoint Docs Site on Contoso, and then click Next.

  7. On the Choose Issuance Authorization Rules page, keep the default option selected, and then click Next.

  8. Click Next, and then click Close to finish adding the SharePoint site as a relying party and start the Rules Editor to configure which claims will be sent to the SharePoint site.

Now that we have added the SharePoint Site as a relying party, we configure the claims to send to it.

To configure the claims to be sent to the SharePoint site

  1. In the Rules Editor, click Add Rule.

  2. In the Select Rule Template page, keep the default option Send LDAP Attributes as Claims selected, and then click Next.

  3. On the Configure Rule page, type Outgoing Name and Role Claim for SharePoint in the Claim rule name field. For the Attribute store, select Active Directory. In the LDAP Attribute column, select E-Mail-Addresses for the outgoing Name claim, Token-Groups – Unqualified Names for the Role claim, and E-Mail-Addresses for the outgoing E-mail Address claim, and then click Finish.

  4. Click OK to close the Rules Editor.
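The two procedures above can also be scripted with the AD FS 2.0 Windows PowerShell snap-in. The following is an added example, not part of the original walkthrough: it adds the relying party trust from the same metadata URL, attaches the default permit-all issuance authorization rule, and installs a Send LDAP Attributes as Claims rule equivalent to the one built in the Rules Editor. The lab names (the display name, rule name and metadata URL) are taken from the page; the claim-type URIs are the standard AD FS 2.0 claim types, and the cmdlet parameters are those of the Microsoft.Adfs.PowerShell snap-in. Run it in an elevated session on CONTOSOSRV01.

```powershell
# Added example: scripted equivalent of the Add Relying Party Wizard and the
# Rules Editor steps for the SharePoint site, using the AD FS 2.0 snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$displayName = "SharePoint Docs Site on Contoso"
$metadataUrl = "https://docs.contoso.com/_LAYOUTS/images/443/federationmetadata/2007-06/federationmetadata.xml"

# Select Data Source page: import identifiers, endpoints and the signing
# certificate from the SharePoint federation metadata. Skip if it already exists.
if (-not (Get-ADFSRelyingPartyTrust -Name $displayName)) {
    Add-ADFSRelyingPartyTrust -Name $displayName -MetadataUrl $metadataUrl
}

# Choose Issuance Authorization Rules page, default option: permit all users.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Send LDAP Attributes as Claims rule: mail -> Name, tokenGroups (unqualified
# names) -> Role, mail -> E-mail Address. The query is ";attr1,attr2,...;{0}",
# with {0} bound to the authenticated user's Windows account name, and the
# attribute order matches the order of the claim types.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Outgoing Name and Role Claim for SharePoint"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail,tokenGroups,mail;{0}",
          param = c.Value);
'@

Set-ADFSRelyingPartyTrust -TargetName $displayName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check before testing a sign-in: the trust should show the SharePoint
# identifier resolved from metadata and both rule sets attached.
Get-ADFSRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, MetadataUrl, IssuanceAuthorizationRules, IssuanceTransformRules |
    Format-List
```

Because the Role claim is built from tokenGroups, every security group the user belongs to is sent to the SharePoint site in each token; if only a subset of groups should be visible to the relying party, add a second rule that filters the Role claims before they are issued rather than widening what the LDAP rule queries.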