How to configure ADFS (Active Directory Federation Services)

Start with Windows Server 2008 [R2] – Domain Joined

Create a friendly DNS name for ADFS and point it to your ADFS server.

·         Download and install ADFS 2.0 (Federation Server role) from the link below. The installer pulls in all prerequisites.

·         In IIS Manager create an SSL certificate for your friendly DNS name, or use SelfSSL from the IIS 6.0 Resource Kit to create a self-signed certificate.

o    Give it a friendly name

·         Run through the ADFS Server configuration wizard

o    Create a new federation Service

o    Stand-alone server

o    Select the certificate that you created for your friendly DNS name

·         Create an SPN for the DNS name so that Kerberos authentication between the browser and the ADFS IIS instance works correctly:
setspn -a HTTP/ yourdomain\Administrator
setspn -a HTTP/adfs yourdomain\Administrator
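The two setspn commands above register the SPNs but do not tell you whether the same SPN already exists on another account, which is the usual reason Kerberos silently fails and the browser falls back to NTLM. The following PowerShell is an added example, not from the original post: it checks for duplicates first, registers both forms with setspn -S (which refuses to add a duplicate), and then lists what ended up on the account. The host name adfs.example.com is a placeholder for your friendly DNS name; the account is the one the post uses.

```powershell
# Added example, not part of the original post.
# Placeholders: the friendly DNS name and the account the ADFS site runs as.
$fqdn    = "adfs.example.com"          # placeholder for your friendly DNS name
$account = "yourdomain\Administrator"  # account used in the post's setspn commands

# 1. Search the whole forest for duplicate SPNs before adding anything.
#    A duplicate HTTP/ SPN breaks Kerberos for every account that carries it.
$dupes = setspn -X -F 2>&1
if ($dupes -match "HTTP/$fqdn") {
    throw "HTTP/$fqdn is already registered on another account; fix that first"
}

# 2. Register the fully qualified and the short form on the same account.
#    -S checks for an existing duplicate before adding, unlike -a.
setspn -S "HTTP/$fqdn" $account
setspn -S "HTTP/$($fqdn.Split('.')[0])" $account

# 3. Verify: both HTTP/ SPNs must be listed under exactly this account.
setspn -L $account | Select-String "^\s*HTTP/"
```

Run it on a domain controller or a machine with the RSAT tools, as a user allowed to write servicePrincipalName on the account.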

In the ADFS 2.0 MMC snap-in select the Certificates node and double-click the token-signing certificate to export it (Export Certificate). The relying party needs this certificate to validate the tokens ADFS signs.
ADFS 2.0 Configuration
Open the ADFS 2.0 MMC snap-in and add a new “Relying Party Trust”:

Select Data Source: Import data about a relying party from a file. Browse to the metadata.xml you have.

Display Name: Give the trust a display name
Choose Issuance Authorization Rules: Permit all users to access this relying party

Open Edit Claim Rules Dialog: Ticked

In the claim rules editor select the “Issuance Transform Rules” tab
Add a new rule:
Claim Rule Template: Send LDAP Attributes as Claims
Attribute Store: Active Directory
·         LDAP Attribute: User Principal Name
·         Outgoing Claim Type: Name ID

Set the Secure hash algorithm to SHA1 instead of the default SHA-256. This is set in the relying party trust properties under Advanced. SHA-1 signatures are deprecated, so only downgrade when the relying party cannot validate SHA-256 signatures, and switch back as soon as it can.

Logout URL rule (Value is the relying party's logout URL):
=> issue(Type = "logoutURL", Value = "", Properties[""] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");

To let Firefox and other non-Internet Explorer browsers authenticate, turn Extended Protection off.

On the AD FS server, launch IIS Manager, then, in the left-hand tree view, go to Sites -> Default Web Site -> adfs -> ls. With the "/adfs/ls" folder selected, double-click the Authentication icon, then right-click Windows Authentication and select Advanced Settings… On the Advanced Settings dialog, choose Off for Extended Protection.
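The same change can be scripted and audited with appcmd, which makes it easy to see what the setting currently is on a server and to put it back later. This is an added example, not from the original post; it assumes the default IIS install path and the site path used in the steps above.

```powershell
# Added example, not part of the original post.
$appcmd  = "$env:windir\system32\inetsrv\appcmd.exe"
$site    = "Default Web Site/adfs/ls"
$section = "system.webServer/security/authentication/windowsAuthentication"

# Show the current value of extendedProtection tokenChecking (None, Allow or Require)
# before changing anything, so the change is recorded.
& $appcmd list config $site "-section:$section"

# "None" is what the IIS Manager steps above set ("Off"): Windows authentication
# no longer requires the channel binding token that ties the Kerberos/NTLM
# handshake to the TLS session.
& $appcmd set config $site "-section:$section" "/extendedProtection.tokenChecking:None" "/commit:apphost"

# Alternative worth testing first: "Allow" keeps channel binding for browsers
# that send it (Internet Explorer) while still letting browsers that do not
# support it authenticate. Uncomment to use this instead of "None".
# & $appcmd set config $site "-section:$section" "/extendedProtection.tokenChecking:Allow" "/commit:apphost"

# Verify the setting that is now in effect for /adfs/ls.
& $appcmd list config $site "-section:$section"
```

The /commit:apphost switch writes the value into applicationHost.config under a location element for the /adfs/ls path, which is where IIS Manager writes it too, so the two methods do not conflict.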

Custom rule for givenName, surname and e-mail ID:

c:[Type == "", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("", "Givenname", "Surname", "E-mail ID"), query = ";userPrincipalName,givenName,sn,mail;{0}", param = c.Value);
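The MMC steps above (relying party trust from metadata, permit-all authorization, UPN as Name ID, the givenName/sn/mail rule, the logout URL rule and the SHA-1 signature setting) can all be done with the ADFS 2.0 PowerShell snap-in, which keeps the trust and its claim rules in a reviewable script. This is an added example, not the post's own configuration. The trust name, the metadata path and the logout URL are placeholders; the post's rules leave the incoming claim type, the first outgoing claim type and the attribute-name-format property key blank, and here they are filled with the standard ADFS values (windowsaccountname, nameidentifier and the claimproperties/attributename key), which is my assumption about what the post intended.

```powershell
# Added example, not part of the original post.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName = "Example Relying Party"   # placeholder display name
$metadata  = "C:\temp\metadata.xml"    # placeholder path to the relying party's metadata.xml
$logoutUrl = "https://rp.example.com/logout"  # placeholder; the post's rule leaves Value blank

# Create the trust from the metadata file (MMC: "Import data about a relying party from a file").
Add-ADFSRelyingPartyTrust -Name $trustName -MetadataFile $metadata

# Authorization rule: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Transform rules. The first is the post's custom rule with the blank claim types
# filled in (assumption): UPN becomes Name ID, and givenName/sn/mail are issued
# under the claim type names the post uses. The second is the logout URL rule
# with the attribute-name-format property key supplied (assumption).
$transformRules = @"
@RuleName = "UPN, given name, surname and mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "Givenname", "Surname", "E-mail ID"), query = ";userPrincipalName,givenName,sn,mail;{0}", param = c.Value);

@RuleName = "Logout URL"
 => issue(Type = "logoutURL", Value = "$logoutUrl", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
"@

# Apply the rules and, as the post does, sign with SHA-1 for this relying party.
# SHA-256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) is the default and
# should be restored once the relying party can validate it.
Set-ADFSRelyingPartyTrust -TargetName $trustName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Check: list every relying party still signed with SHA-1 so the downgrade is
# tracked rather than forgotten.
Get-ADFSRelyingPartyTrust |
    Where-Object { $_.SignatureAlgorithm -like "*rsa-sha1" } |
    Select-Object Name, SignatureAlgorithm

# Check: print the rules ADFS actually stored for this trust, to compare with the MMC view.
(Get-ADFSRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

Run it in an elevated PowerShell on the federation server. The SHA-1 listing at the end is the check to re-run periodically: the goal is for it to come back empty.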

Written by : Yogesh Dhingra
