Migrate an Application to a Relying Party Trust in the AD FS 2.0 Federation Service

Applies To: Active Directory Federation Services (AD FS) 2.0

Migrate an Application to Relying Party Trusts in AD FS 2.0

You can use the procedures in the following steps to record and then migrate the application settings in the Active Directory Federation Services (AD FS) 1.x Federation Service that are pertinent to a successful migration to relying party trusts in the AD FS 2.0 Federation Service. A relying party trust, as referred to in the AD FS 2.0 Management snap-in, is the equivalent of an application in AD FS 1.x.

When you finish all the steps in this procedure, repeat steps 1 through 5 for each remaining application in the AD FS 1.x Federation Service, until all applications have been migrated to equivalent relying party trusts in the AD FS 2.0 Federation Service.

To complete these procedures, you must be a member of the Administrators group on the local computer.

Step 1: Document the application settings in the AD FS 1.x Federation Service

You can use this step to record the settings that are necessary for migrating each application to a relying party trust in AD FS 2.0. In a later procedure, you will use the information that you enter in this table to populate the equivalent fields in the properties of the AD FS 2.0 Federation Service.

Note

All the settings in the following table are required for the successful migration of the application to AD FS 2.0.

Table 1.0

Step | Locate the application setting in the AD FS 1.x snap-in | Record the application setting value here | Equivalent setting and page in the Add Relying Party Trust Wizard (AD FS 2.0 Management snap-in)

1 | Setting: Display name. Found under: Federation Service\Trust Policy\My Organization\Application Properties\General Tab | (record value here) | Setting: Display name. Found on this wizard page: Specify Display Name

2 | Setting: Application URL. Found under: Federation Service\Trust Policy\My Organization\Application Properties\General Tab | (record value here) | Setting: WS-Federation Passive URL. Found on this wizard page: Configure URL

Step 2: Migrate an application to a relying party trust in the AD FS 2.0 Federation Service

You can use this step to create a relying party trust in the AD FS 2.0 Federation Service by using the values of the settings that you entered for this application in table 1.0.

  1. On the AD FS 2.0 federation server, click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

  2. Under the AD FS 2.0\Trust Relationships, right-click Relying Party Trusts, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.

  3. On the Welcome page, click Start.

  4. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.

  5. On the Specify Display Name page, under Display name, type the value that you recorded in table 1.0 for the Display Name setting, under Notes type a description for this relying party trust, and then click Next.

  6. On the Choose Profile page, click the AD FS 1.0 and 1.1 profile, and then click Next.

  7. On the Configure URL page, under WS-Federation Passive URL, type the value that you recorded in table 1.0 for the Application URL setting, and then click Next.

  8. On the Configure Identifiers page, under Relying party trust identifier, specify the return URL for the application, and then click Next to save your relying party trust information.

  9. On the Choose Issuance Authorization Rules page, choose the appropriate authorization setting, depending on your organization’s needs, and then click Next.

  10. On the Ready to Add Trust page, click Next to save your relying party trust information.

  11. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box that is associated with this new relying party trust.

    At this point, leave the Edit Claim Rules dialog box open on the AD FS 2.0 federation server. You will need it in step 4 to configure claim rules that are equivalent to the claim mapping that you have associated with the application that you are migrating from in AD FS 1.x.

Step 3: Document the claim mappings that are associated with the application in the AD FS 1.x Federation Service

You will have to document each claim mapping that is enabled for the application. In the next procedure, use the information that you type in the following table to populate the equivalent fields that will be in the claim rule dialog box.

Before you enter this information into the table, you will have to navigate to the following location in the AD FS 1.x snap-in to locate the claim mappings. Make sure to only enter the claim mappings that are enabled.

Navigate to Federation Service\Trust Policy\My Organization\Applications, and then click the application that you are migrating.

Table 1.1

Record the claim mappings that are enabled for this application (one per row) | Provide a description of the claim mapping

(one blank row per enabled claim mapping)

Step 4: Migrate claim mappings to a relying party trust in the AD FS 2.0 Federation Service

You can use these procedures on the AD FS 2.0 federation server to create a claim rule for each corresponding claim mapping that you recorded in table 1.1. These procedures show how to create the common claim rules based on the following common claim types:

  • E-mail

  • UPN

  • Common Name

  • Group

Migrate an E-mail claim mapping

  1. In the Edit Claim Rules dialog box, select one of the following tabs, depending on which rule set you want to create this rule in, and then click Add Rule to start the rule wizard that is associated with that rule set:

    • Issuance Transform Rules

    • Issuance Authorization Rules

    • Delegation Authorization Rules

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select AD FS 1.x E-mail Address in the list.

    • In Outgoing claim type, select AD FS 1.x E-mail Address in the list.

  4. Select Pass through all claim values.

  5. Click Finish.

  6. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.

Migrate a UPN claim mapping

  1. In the Edit Claim Rules dialog box, click Add Rule to start the rule wizard again.

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select UPN in the list.

    • In Outgoing claim type, select UPN in the list.

  4. Select Pass through all claim values.

  5. Click Finish.

  6. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.

Migrate a Common Name claim mapping

  1. In the Edit Claim Rules dialog box, click Add Rule to start the rule wizard again.

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select Common Name in the list.

    • In Outgoing claim type, select Common Name in the list.

  4. Select Pass through all claim values.

  5. Click Finish.

  6. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.

Migrate a Group claim mapping

  1. In the Edit Claim Rules dialog box, click Add Rule to start the rule wizard again.

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select Group in the list.

    • In Outgoing claim type, select Group in the list.

  4. Select Replace an incoming claim value with a different outgoing claim value.

  5. In Incoming claim value, type the name of the group (for example, temps), and, in Outgoing claim value, type the name of the new group (for example, vendors).

  6. Click Finish.

  7. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.
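As an added example that is not part of this documentation, the following script creates the same relying party trust as step 2 and the four claim rules from step 4 with the AD FS 2.0 PowerShell snap-in instead of the wizards. The display name, URL, identifier and group names are constructed placeholders for the values you recorded in tables 1.0 and 1.1; the rules are written in the claim rule language that the wizard templates generate, using the claim type URIs that the AD FS 1.x E-mail Address, UPN, Common Name and Group list entries stand for.

```powershell
# Added example: script steps 2 and 4 of the migration for one application.
# All values below are constructed; replace them with the entries from tables 1.0 and 1.1.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$displayName = "Claims Web App (migrated from AD FS 1.x)"   # table 1.0, row 1: Display name
$appUrl      = "https://app.contoso.example/"               # table 1.0, row 2: WS-Federation Passive URL
$identifier  = "https://app.contoso.example/"               # step 8: relying party trust identifier

# AD FS 1.x claim types as they appear in the claim rule language.
$email = "http://schemas.xmlsoap.org/claims/EmailAddress"
$upn   = "http://schemas.xmlsoap.org/claims/UPN"
$cn    = "http://schemas.xmlsoap.org/claims/CommonName"
$group = "http://schemas.xmlsoap.org/claims/Group"

# Issuance transform rules: "Pass through all claim values" for E-mail, UPN and
# Common Name, and "Replace an incoming claim value" for the Group mapping (temps -> vendors).
$transformRules = @"
@RuleName = "Pass through E-mail"
c:[Type == "$email"] => issue(claim = c);

@RuleName = "Pass through UPN"
c:[Type == "$upn"] => issue(claim = c);

@RuleName = "Pass through Common Name"
c:[Type == "$cn"] => issue(claim = c);

@RuleName = "Map group temps to vendors"
c:[Type == "$group", Value == "temps"]
 => issue(Type = "$group", Value = "vendors", Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Step 9: issuance authorization. "Permit all users" is the least restrictive choice;
# replace the empty condition with a group or UPN condition if access should be limited.
$authzRules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-ADFSRelyingPartyTrust -Name $displayName `
    -Identifier $identifier `
    -WSFedEndpoint $appUrl `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Confirm that the trust and its rule sets were stored as written.
Get-ADFSRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules, IssuanceAuthorizationRules
```

The profile choice from step 6 is not reproduced here; if the application needs the AD FS 1.0 and 1.1 profile behaviour, adjust the trust afterwards with Set-ADFSRelyingPartyTrust or in the AD FS 2.0 Management snap-in.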