Migrate a Resource Partner to a Relying Party Trust in the AD FS 2.0 Federation Service

Applies To: Active Directory Federation Services (AD FS) 2.0


You can use the procedures in the following steps to record, and then migrate, the resource partner settings in the Active Directory Federation Services (AD FS) 1.x Federation Service that are needed for a successful migration to relying party trusts in the AD FS 2.0 Federation Service. A relying party trust, as the AD FS 2.0 Management snap-in calls it, is the equivalent of a resource partner trust in AD FS 1.x.

When you finish all the steps in this procedure, repeat steps 1 through 4 for each remaining resource partner trust in the AD FS 1.x Federation Service, until every trust has been migrated to an equivalent relying party trust in the AD FS 2.0 Federation Service.

To complete this procedure, you must be a member of the Administrators group on the local computer.

Step 1: Document the resource partner settings in the AD FS 1.x Federation Service

You can use this step to record the settings that are necessary for migrating each resource partner to a relying party trust in AD FS 2.0. In a later procedure, you will use the information that you enter in this table to populate the equivalent fields in the AD FS 2.0 Federation Service properties.

Note

All settings in the following table are required for the successful migration of the resource partner trust to AD FS 2.0.

Table 1.0

Each row pairs a resource partner trust setting (and where to find it in the AD FS 1.x snap-in) with the equivalent setting and wizard page in the Add Relying Party Trust Wizard of the AD FS 2.0 Management snap-in. Record the AD FS 1.x value in the space provided.

Row 1
  AD FS 1.x setting: Display name
  Found under: Federation Service\Trust Policy\Partner Organizations\Resource Partner Trust Properties\General Tab
  Record the value here: ________________
  AD FS 2.0 equivalent: Display name, on the Specify Display Name wizard page

Row 2
  AD FS 1.x setting: Federation Service URI
  Found under: Federation Service\Trust Policy\Partner Organizations\Resource Partner Trust Properties\General Tab
  Record the value here: ________________
  AD FS 2.0 equivalent: Relying party trust identifier, on the Configure Identifiers wizard page

Row 3
  AD FS 1.x setting: Federation Service endpoint URL
  Found under: Federation Service\Trust Policy\Partner Organizations\Resource Partner Trust Properties\General Tab
  Record the value here: ________________
  AD FS 2.0 equivalent: WS-Federation Passive URL, on the Configure URL wizard page

Step 2: Migrate a resource partner to a relying party trust in the AD FS 2.0 Federation Service

You can use this step to create a relying party trust in the AD FS 2.0 Federation Service by using the values of the settings that you entered for this resource partner trust in table 1.0.

  1. On the AD FS 2.0 federation server, click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

  2. Under AD FS 2.0\Trust Relationships, right-click Relying Party Trusts, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.

  3. On the Welcome page, click Start.

  4. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.

  5. On the Specify Display Name page, under Display name, type the value that you recorded in table 1.0 above for the Display Name setting, under Notes type a description for this relying party trust, and then click Next.

  6. On the Choose Profile page, click the AD FS 1.0 and 1.1 profile, and then click Next.

  7. On the Configure URL page, under WS-Federation Passive URL, type the value that you recorded in table 1.0 for the Federation Service endpoint URL setting, and then click Next.

  8. On the Configure Identifiers page, under Relying party trust identifier, type the value that you recorded in table 1.0 for the Federation Service URI setting, click Add, and then click Next. The identifier must match the partner's Federation Service URI exactly, because the resource partner uses it to recognize tokens that are issued for it.

  9. On the Choose Issuance Authorization Rules page, select the appropriate authorization setting, depending on your organization’s needs, and then click Next.

  10. On the Ready to Add Trust page, click Next to save your relying party trust information.

  11. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box that is associated with this new relying party trust.

    At this point, leave the Edit Claim Rules dialog box open on the AD FS 2.0 federation server. You will need it in step 4 to configure claim rules that are equivalent to the claim mapping that you have associated with the resource partner trust that you are migrating from in AD FS 1.x.
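The same relying party trust, created from the Table 1.0 values with the AD FS 2.0 PowerShell snap-in instead of the wizard. This is an added example and is not part of the original page. The three values are placeholders for what you recorded in Table 1.0, and the -EncryptClaims $false setting is this example's assumption about what the wizard's "AD FS 1.0 and 1.1 profile" choice corresponds to (there is no single cmdlet parameter for the profile).

```powershell
# Added example (not from the original page). Creates the relying party trust
# from the Table 1.0 values with the AD FS 2.0 PowerShell snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Placeholders: replace with the values you recorded in Table 1.0.
$displayName = 'Contoso Resource Partner'          # Row 1: Display name
$identifier  = 'urn:federation:contoso'             # Row 2: Federation Service URI
$wsFedUrl    = 'https://fs.contoso.com/adfs/ls/'    # Row 3: Federation Service endpoint URL

# Checks before changing the configuration:
#  - the passive endpoint must be HTTPS (the wizard rejects anything else, and tokens
#    are posted to this URL, so a plain-HTTP endpoint would expose them in transit);
#  - the identifier must not already belong to another trust, or the new trust would
#    silently fail to be created as expected.
if ($wsFedUrl -notmatch '^https://') {
    throw "WS-Federation Passive URL must use HTTPS: $wsFedUrl"
}
if (Get-ADFSRelyingPartyTrust -Identifier $identifier) {
    throw "A relying party trust with identifier '$identifier' already exists"
}

Add-ADFSRelyingPartyTrust -Name $displayName `
    -Identifier $identifier `
    -WSFedEndpoint $wsFedUrl `
    -Notes "Migrated from AD FS 1.x resource partner trust '$displayName'" `
    -EncryptClaims $false   # assumption: AD FS 1.x cannot decrypt tokens, matching the 1.0/1.1 profile

# Read back what was written so the result can be compared with Table 1.0.
Get-ADFSRelyingPartyTrust -Name $displayName |
    Format-List Name, Identifier, WSFedEndpoint, EncryptClaims, Notes
```

Run this on the AD FS 2.0 federation server as a member of the local Administrators group, the same requirement the wizard has. A trust created this way starts with no claim rules, so Step 4 still applies.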

Step 3: Document the claim mappings that are associated with the resource partner trust in the AD FS 1.x Federation Service

You must document each claim mapping that is enabled for the resource partner trust. In the next procedure, you will use the information that you record in the following table to populate the equivalent fields in the claim rule wizard.

Before you fill in the table, navigate to the following location in the AD FS 1.x snap-in to locate the claim mappings. Record only the claim mappings that are enabled; disabled mappings are not migrated.

Navigate to Federation Service\Trust Policy\Partner Organizations\Resource Partners, and then click the resource partner trust that you are migrating.

Table 1.1

Column 1: Claim mapping that is enabled for this resource partner (one per row)
Column 2: Description of the claim mapping

Step 4: Migrate claim mappings to a relying party trust in the AD FS 2.0 Federation Service

You can use these procedures on the AD FS 2.0 federation server to create a claim rule for each claim mapping that you recorded in table 1.1. They show how to create claim rules for the following common AD FS 1.x claim types:

  • E-mail

  • UPN

  • Common Name

  • Group

Migrate an E-mail claim mapping

  1. In the Edit Claim Rules dialog box, select one of the following tabs, depending on which rule set you want to create this rule in, and then click Add Rule to start the rule wizard that is associated with that rule set. For migrated claim mappings this is normally Issuance Transform Rules: rules in the two authorization rule sets decide whether a token is issued (or whether delegation is allowed) and do not add claims to the token that is sent to the relying party.

    • Issuance Transform Rules

    • Issuance Authorization Rules

    • Delegation Authorization Rules

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select AD FS 1.x E-mail Address in the list.

    • In Outgoing claim type, select AD FS 1.x E-mail Address in the list.

  4. Select Pass through all claim values.

  5. Click Finish.

  6. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.

Migrate a UPN claim mapping

  1. In the Edit Claim Rules dialog box, click Add Rule to start the rule wizard again.

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select UPN in the list.

    • In Outgoing claim type, select UPN in the list.

  4. Select Pass through all claim values.

  5. Click Finish.

  6. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.

Migrate a Common Name claim mapping

  1. In the Edit Claim Rules dialog box, click Add Rule to start the rule wizard again.

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select Common Name in the list.

    • In Outgoing claim type, select Common Name in the list.

  4. Select Pass through all claim values.

  5. Click Finish.

  6. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.

Migrate a Group claim mapping

  1. In the Edit Claim Rules dialog box, click Add Rule to start the rule wizard again.

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select Group in the list.

    • In Outgoing claim type, select Group in the list.

  4. Select Replace an incoming claim value with a different outgoing claim value.

  5. In Incoming claim value, type the name of the group (for example, temps), and in Outgoing claim value, type the name of the new group (for example, vendors). This rule matches only Group claims whose value is temps; any other Group values are not sent to the relying party unless another rule issues them.

  6. Click Finish.

  7. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.
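Each rule wizard above compiles to claim rule language, which can also be applied directly with the PowerShell snap-in. The following is an added example and not part of the original page: it writes the same four rules (E-mail, UPN and Common Name passed through; Group temps replaced by vendors) to the trust created in Step 2. The trust name and the group values are placeholders; the claim type URIs are the ones AD FS 2.0 uses for the AD FS 1.x claim types named in the wizard.

```powershell
# Added example (not from the original page). Applies the Step 4 claim rules in
# claim rule language with Set-ADFSRelyingPartyTrust.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$displayName = 'Contoso Resource Partner'   # placeholder: the trust created in Step 2

# AD FS 1.x-compatible claim types as exposed in the AD FS 2.0 rule wizard.
$emailType = 'http://schemas.xmlsoap.org/claims/EmailAddress'   # AD FS 1.x E-mail Address
$upnType   = 'http://schemas.xmlsoap.org/claims/UPN'            # UPN
$cnType    = 'http://schemas.xmlsoap.org/claims/CommonName'     # Common Name
$groupType = 'http://schemas.xmlsoap.org/claims/Group'          # Group

# Placeholder group values from the wizard example.
$oldGroup = 'temps'
$newGroup = 'vendors'

# "Transform an Incoming Claim" with "Pass through all claim values" for the first
# three types, then "Replace an incoming claim value" for the Group claim. Note the
# Value condition on the last rule: only Group claims equal to $oldGroup are issued.
$rules = @"
@RuleTemplate = "MapClaims"
@RuleName = "Migrated E-mail mapping"
c:[Type == "$emailType"]
 => issue(Type = "$emailType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "MapClaims"
@RuleName = "Migrated UPN mapping"
c:[Type == "$upnType"]
 => issue(Type = "$upnType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "MapClaims"
@RuleName = "Migrated Common Name mapping"
c:[Type == "$cnType"]
 => issue(Type = "$cnType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "MapClaims"
@RuleName = "Migrated Group mapping: $oldGroup to $newGroup"
c:[Type == "$groupType", Value == "$oldGroup"]
 => issue(Type = "$groupType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "$newGroup", ValueType = c.ValueType);
"@

# Set- replaces the whole Issuance Transform rule set for the trust. If rules were
# already added in the Edit Claim Rules dialog box, append to the existing text
# instead of overwriting it.
$existing = (Get-ADFSRelyingPartyTrust -Name $displayName).IssuanceTransformRules
if ($existing) { $rules = $existing + "`r`n" + $rules }

Set-ADFSRelyingPartyTrust -TargetName $displayName -IssuanceTransformRules $rules

# Show the rule set as stored, to confirm it matches Table 1.1.
(Get-ADFSRelyingPartyTrust -Name $displayName).IssuanceTransformRules
```

Because the rule set goes into Issuance Transform Rules, these rules shape the token sent to the relying party; they grant no access by themselves, which is still governed by the Issuance Authorization Rules chosen in Step 2.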