How to configure ADFS (Active Directory Federation Services)

Start with a domain-joined Windows Server 2008 [R2].

Create a friendly DNS name for ADFS and point it to your ADFS server (for example adfs.yourdomain.interalink.be).

·         Download and install ADFS 2.0 (Federation Server role) from the link below. The installer also installs all prerequisites.

·         In IIS Manager create an SSL certificate for your friendly DNS name, or use SelfSSL from the IIS 6.0 Resource Kit to create a self-signed certificate. Give it a friendly name.

·         Run through the ADFS Server configuration wizard:

o    Create a new Federation Service
o    Stand-alone server
o    Select the certificate that you created for your friendly DNS name

·         Create an SPN for the friendly DNS name so that Kerberos authentication between the browser and the ADFS IIS instance works correctly:
setspn -a HTTP/adfs.yourdomain.interlink.be yourdomain\Administrator
setspn -a HTTP/adfs yourdomain\Administrator

ADFS 2.0 Configuration

In the ADFS 2.0 MMC snap-in select the Certificates node and double-click the token-signing certificate to export it (Export Certificate); the relying party needs this public certificate to validate token signatures.

Open the ADFS 2.0 MMC snap-in and add a new “Relying Party Trust”:

Select Data Source: Import data about a relying party from a file. Browse to the metadata.xml you have.
Display Name: Give the trust a display name.
Choose Issuance Authorization Rules: Permit all users to access this relying party.
Open Edit Claim Rules Dialog: Ticked.

In the claim rules editor select the “Issuance Transform Rules” tab and add a new rule:
Claim Rule Template: Send LDAP Attributes as Claims
Attribute Store: Active Directory
·         LDAP Attribute: User Principal Name
·         Outgoing Claim Type: Name ID

Set the Secure hash algorithm to SHA-1 instead of the default SHA-256. This is set in the Relying Party Trust properties, on the Advanced tab.

Logout URL (custom rule):
=> issue(Type = "logoutURL", Value = "http://www.yourdomain.eu", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");

To enable access from Firefox and other browsers, turn Extended Protection off.

To turn Extended Protection off, on the AD FS server, launch IIS Manager, then, in the tree view on the left, go to Sites -> Default Web Site -> adfs -> ls. Once you have selected the "/adfs/ls" folder, double-click the Authentication icon, then right-click Windows Authentication and select Advanced Settings… In the Advanced Settings dialog, choose Off for Extended Protection.

Custom rule for givenName, surname and e-mail ID:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "Givenname", "Surname", "E-mail ID"), query = ";userPrincipalName,givenName,sn,mail;{0}", param = c.Value);

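As an added example (not code from the original post), the same relying party configuration scripted with the ADFS 2.0 PowerShell snap-in, followed by a read-back of the settings the post changes so they can be checked after the fact. The trust name, metadata path and certificate export path are assumed placeholders; the claim rules are the ones given above.

```powershell
# Added example: scripts the relying party trust described in the post with the
# ADFS 2.0 snap-in, then reports the settings the post touches. Placeholders are assumed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName     = "Example RP"                      # display name (assumed)
$metadata   = "C:\temp\metadata.xml"            # relying party metadata file (assumed path)
$adfsHost   = "adfs.yourdomain.interlink.be"    # friendly DNS name from the post
$exportPath = "C:\temp\adfs-token-signing.cer"  # export target for the token-signing cert (assumed)

# Issuance transform rules from the post: UPN as Name ID plus givenName/sn/mail,
# and the static logoutURL claim.
$transformRules = @'
@RuleName = "UPN, given name, surname, mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "Givenname", "Surname", "E-mail ID"), query = ";userPrincipalName,givenName,sn,mail;{0}", param = c.Value);

@RuleName = "Logout URL"
 => issue(Type = "logoutURL", Value = "http://www.yourdomain.eu", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
'@

# "Permit all users to access this relying party"
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-ADFSRelyingPartyTrust -Name $rpName -MetadataFile $metadata `
    -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules

# The post switches this trust from the default SHA-256 to SHA-1 (Advanced tab in the MMC).
Set-ADFSRelyingPartyTrust -TargetName $rpName -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Export the primary token-signing certificate (public part only) for the relying party.
$tokenSigning = Get-ADFSCertificate -CertificateType "Token-Signing" | Where-Object { $_.IsPrimary }
[IO.File]::WriteAllBytes($exportPath, $tokenSigning.Certificate.Export("Cert"))

# --- Read-back: report the state of everything the post changes ---
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
"Signature algorithm : $($rp.SignatureAlgorithm)"
"Token-signing cert  : $($tokenSigning.Certificate.Subject) expires $($tokenSigning.Certificate.NotAfter)"
"SPN lookup          : " + ((setspn -Q "HTTP/$adfsHost") -join " ")
# Extended Protection on /adfs/ls (the post sets this to Off, which appears as tokenChecking="None")
& "$env:windir\system32\inetsrv\appcmd.exe" list config "Default Web Site/adfs/ls" `
    -section:system.webServer/security/authentication/windowsAuthentication |
    Select-String "extendedProtection"
```

Run it in an elevated PowerShell session on the ADFS server; the final lines print the signature algorithm, the token-signing certificate's expiry, the registered SPN and the Extended Protection setting for comparison against the steps above.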
Written by: Yogesh Dhingra