Checklist: Configuring AD FS to Consume Claims from AD FS 1.x

This checklist includes the tasks that are necessary for configuring your Active Directory Federation Services (AD FS) Federation Service in Windows Server 2012 to consume claims that are sent by an AD FS 1.x Federation Service.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Task: Plan for interoperability between AD FS in Windows Server 2012 and previous versions of AD FS, and learn more about the Name ID claim type.
Reference: Planning for Interoperability with AD FS 1.x

Task: Before you can interoperate with a previous version of AD FS, you must first create a claims provider trust in the AD FS Federation Service.

Note: You cannot create a trust with an AD FS 1.x Federation Service by using federation metadata.

When you set up the trust using the referenced procedure, you must do the following in the Add Claims Provider Trust Wizard to set up this trust to interoperate with an AD FS 1.x Federation Service:

1. On the Select Data Source page, select Enter data about the relying party trust manually.
2. On the Choose Profile page, select AD FS 1.0 and 1.1 profile.
3. On the Configure URL page, under WS-Federation Passive URL, type the Federation Service endpoint URL as defined in the AD FS 1.x Federation Service of the partner.
4. On the Configure Identifiers page, under Claims provider trust identifier, type the Federation Service URI as defined in the AD FS 1.x Federation Service of the partner.

Reference: Create a Claims Provider Trust Manually

Task: On the claims provider trust that you created earlier, you must create a claim rule that will take claims that are incoming from the AD FS 1.x Federation Service and pass through, filter, or transform them into a Name ID claim type.

When the Name ID claim type has been passed through, filtered, or transformed, it can be used as input to another rule or rules so that it can be understood and consumed by the AD FS Federation Service in Windows Server 2012.

Reference: Create a Rule to Send an AD FS 1.x Compatible Claim

Task: Contact the administrator of the AD FS 1.x Federation Service and have that administrator set up a new resource partner trust. Also, provide that administrator with the Federation Service URI (in the Federation Service properties), the Federation Service endpoint URL, and an exported token-signing certificate file (with public key only). The administrator will need these items to set up the trust.
Reference: N/A
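
Before the exported token-signing certificate file is sent to the AD FS 1.x administrator, it is worth confirming that the file carries the public key only and matches the Federation Service's primary token-signing certificate. The following PowerShell is an added example, not part of the original checklist; the function name Test-PublicKeyOnlyExport and the file path are assumptions.

```powershell
# Added example: checks an exported token-signing certificate file before it
# is handed to the partner administrator. Run it on the AD FS server.
# Test-PublicKeyOnlyExport and the path in the last line are assumptions.
function Test-PublicKeyOnlyExport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath

    # A PFX/PKCS#12 container can carry the private key. Only a plain
    # certificate file (DER or Base-64 encoded .cer) should leave the server.
    $type = [System.Security.Cryptography.X509Certificates.X509Certificate2]::GetCertContentType($file)
    if ($type -ne [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert) {
        throw "Refusing '$file': content type is $type, expected Cert."
    }

    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    if ($exported.HasPrivateKey) {
        throw "Refusing '$file': the loaded certificate has a private key."
    }

    # The partner must receive the certificate that actually signs tokens,
    # so compare the file with the service's primary token-signing certificate.
    $primary = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary }
    if (@($primary.Thumbprint) -notcontains $exported.Thumbprint) {
        throw "Thumbprint $($exported.Thumbprint) is not the primary token-signing certificate."
    }

    # Values to read back to the partner administrator over a separate channel.
    $exported | Select-Object Subject, Thumbprint, NotAfter
}

Test-PublicKeyOnlyExport -Path 'C:\Temp\adfs-token-signing.cer'   # placeholder path
```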