Step 5: Configure the Contoso federation server to accept tokens from the Fabrikam federation server

Applies To: Active Directory Federation Services (AD FS) 2.0


In this step, we configure the federation server at Contoso to trust the federation server at Fabrikam and to accept security tokens from it. To do this, we add a claims provider trust for the Fabrikam federation server on the Contoso federation server. We also configure the Contoso federation server to accept incoming claims only when their values meet certain restrictions, so that Fabrikam cannot assert arbitrary e-mail addresses or roles to Contoso's relying parties.

To add the Fabrikam federation server as a claims provider at the Contoso federation server

  1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.

  2. Open the AD FS 2.0 Management console.

    On the Start menu, click Administrative Tools, and then click AD FS 2.0 Management.

  3. After the AD FS 2.0 console is loaded, expand Trust Relationships. Click Claims Provider Trusts, and then, in the Actions pane, click Add Claims Provider Trust.

  4. The Add Identity Provider Wizard opens. Click Start to begin the wizard.

  5. On the Choose Data Source page, click Import identity provider configuration from federation metadata on the network. For Federation metadata URL or host name, type sts2.fabrikam.com, and then click Next.

  6. On the next page, type a name for the identity provider (Fabrikam Identity Provider), and then click Next.

  7. Click Next on the screen that appears, and then click Close when the wizard finishes saving the policy.

    When the wizard exits, the Rules Editor opens, and we can specify which claims (and which values of those claims) to accept from the Fabrikam federation server. In the Rules Editor, we add two new rules. The first rule passes through the e-mail claim only if its value ends with "@fabrikam.com". The second rule passes through the Role claim only if its value is "DrugTrial1Auditors". Any other e-mail or role values sent by Fabrikam are discarded.

To configure the claims acceptance policy for the Fabrikam identity provider

  1. In the Rules Editor, click Add Rule.

  2. In the Select Rule Template window, click Pass Through or Filter an Incoming Claim for the Claim rule template, and then click Next.

  3. For the Claim rule name, type Email Filter. For the Incoming Claim Type, select E-Mail Address, and then click Pass through only claim values that match a specific email suffix value. For Email suffix value, type fabrikam.com, as shown in the following illustration, and then click Finish.

  4. For the second rule, click Add Rule.

  5. In the Select Rule Template window, select Pass Through or Filter an Incoming Claim for the Claim rule template, and then click Next.

  6. For the Claim rule name, type Role Filter. For the Incoming Claim Type, select Role, and then click Pass through only a specific claim value. For Incoming claim value, type DrugTrial1Auditors, as shown in the following illustration, and then click Finish.

  7. Click OK to exit the Rules Editor.

We now go back and update the relying party policy at Contoso, which specifies how incoming claims are transformed into the outgoing claims issued to the SharePoint site.

To update the claims issuance policy for the SharePoint site on the Contoso federation server

  1. In the AD FS 2.0 Management console, in the console tree, expand Trust Relationships, and then click Relying Party Trusts.

  2. In the details pane, click SharePoint Docs Site on Contoso.

  3. On the Action menu, click Edit Claim Rules.

  4. In the Rules Editor, we add two new rules. In the first rule, we are just going to pass through the Role claim. Click Add Rule.

  5. On the Select Rule Template page, click Pass Through or Filter an Incoming Claim for Claim rule template, and then click Next.

  6. For the Claim rule name, type Role pass through, select Role for Incoming claim type, and then click Finish. Click Yes in the dialog box that appears.

    We now add the second rule, which transforms the incoming e-mail claim from Fabrikam into the name claim that the SharePoint site expects.

  7. Click Add Rule.

  8. On the Select Rule Template page, click Transform an Incoming Claim for Claim rule template, and then click Next.

  9. For the Claim rule name, type Email to Name transform, for Incoming claim type, select E-Mail Address, and for Outgoing claim type, select Name. Keep the default options selected, and click Finish. Click Yes in the dialog box that appears.

  10. Click OK to exit the Rules Editor.
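The two procedures above (the acceptance rules on the claims provider trust and the issuance rules on the relying party trust) can be expressed in AD FS 2.0 PowerShell and claim rule language. This is an added example, not part of the original walkthrough; the federation metadata URL path is the AD FS 2.0 default and is an assumption, and the claim type URIs are the standard ones that the GUI templates emit.

```powershell
# Added example: the GUI steps above as AD FS 2.0 cmdlets plus claim rule language.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$role  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$name  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Acceptance rules on the claims provider trust. Only claims that match are
# issued; every other e-mail or role value Fabrikam sends is dropped here,
# before it can reach any relying party at Contoso.
$acceptance = @"
@RuleName = "Email Filter"
c:[Type == "$email", Value =~ "^.+@fabrikam\.com$"]
 => issue(claim = c);

@RuleName = "Role Filter"
c:[Type == "$role", Value == "DrugTrial1Auditors"]
 => issue(claim = c);
"@

# Assumption: metadata is published at the default AD FS 2.0 path on sts2.fabrikam.com.
Add-ADFSClaimsProviderTrust -Name "Fabrikam Identity Provider" `
    -MetadataUrl "https://sts2.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $acceptance

# Issuance rules on the relying party trust. -IssuanceTransformRules replaces
# the whole rule set, so append to the existing rules instead of overwriting them.
$rp = Get-ADFSRelyingPartyTrust -Name "SharePoint Docs Site on Contoso"
$issuance = $rp.IssuanceTransformRules + @"

@RuleName = "Role pass through"
c:[Type == "$role"]
 => issue(claim = c);

@RuleName = "Email to Name transform"
c:[Type == "$email"]
 => issue(Type = "$name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);
"@

Set-ADFSRelyingPartyTrust -TargetName "SharePoint Docs Site on Contoso" `
    -IssuanceTransformRules $issuance

# Check: print the stored acceptance rules to confirm both filters are in place.
(Get-ADFSClaimsProviderTrust -Name "Fabrikam Identity Provider").AcceptanceTransformRules
```

The regex in the e-mail filter anchors on the full suffix, so an address such as user@fabrikam.com.example.net is rejected along with any address from another domain.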