How to configure ADFS (Active Directory Federation Services)
Start with Windows Server 2008 [R2], domain joined. Create a friendly DNS name for ADFS and point it to your ADFS server (adfs.yourdomain.interlink.be).
· Download and install ADFS 2.0 (Federation Server role) from the download link. The installer also installs all prerequisites.
· In IIS Manager, create an SSL certificate for your friendly DNS name, or use SelfSSL from the IIS 6.0 Resource Kit to create a self-signed certificate. Give it a friendly name.
· Run through the ADFS server configuration wizard:
  o Create a new Federation Service
  o Stand-alone server
  o Select the certificate that you created for your friendly DNS name
· Create an SPN for the DNS name so that Kerberos authentication between the browser and the ADFS IIS instance works correctly:
  setspn -a HTTP/adfs.yourdomain.interlink.be yourdomain\Administrator
  setspn -a HTTP/adfs yourdomain\Administrator
In the ADFS 2.0 MMC snap-in, select the Certificates node and double-click the token-signing certificate to export it (Export Certificate).
Open the ADFS 2.0 MMC snap-in and add a new "Relying Party Trust":
  Select Data Source: Import data about a relying party from a file. Browse to the metadata.xml you have.
  Display Name: give the trust a display name.
  Choose Issuance Authorization Rules: Permit all users to access this relying party.
  Leave "Open Edit Claim Rules dialog" ticked.
Add a new rule:
  Claim Rule Template: Send LDAP Attributes as Claims
  Attribute Store: Active Directory
  · LDAP Attribute: User Principal Name
  · Outgoing Claim Type: Name ID
Set the secure hash algorithm to SHA-1 instead of the default SHA-256. This is set in the relying party trust properties, on the Advanced tab.
Logout URL claim rule:
  => issue(Type = "logoutURL", Value = "http://www.yourdomain.eu",
           Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
To enable access from Firefox and other browsers, turn Extended Protection off: on the AD FS server, launch IIS Manager, then in the tree view on the left go to Sites -> Default Web Site -> adfs -> ls. With the "/adfs/ls" folder selected, double-click the Authentication icon, right-click Windows Authentication and select Advanced Settings... In the Advanced Settings dialog, set Extended Protection to Off.
Custom rule for givenName, surname and e-mail:
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
   => issue(store = "Active Directory",
            types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "Givenname", "Surname", "E-mail ID"),
            query = ";userPrincipalName,givenName,sn,mail;{0}", param = c.Value);
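The same relying party trust setup scripted with the ADFS 2.0 PowerShell snap-in, as an added example that is not part of the original post. The host name, service account, metadata path, trust name and logout URL are the post's placeholders or assumptions, and the WebAdministration call is an assumed scripted equivalent of the IIS Manager step.

```powershell
# Added example (not from the original post): the relying party trust steps
# above, scripted with the ADFS 2.0 PowerShell snap-in on the ADFS server.
# Host name, service account, metadata path and logout URL are the post's
# placeholders; change them for your environment.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$adfsHost     = "adfs.yourdomain.interlink.be"
$svcAccount   = "yourdomain\Administrator"   # account the ADFS app pool runs as
$metadataFile = "C:\temp\metadata.xml"       # metadata.xml received from the partner
$rpName       = "Partner relying party"      # assumed display name

# SPNs for Kerberos between the browser and the ADFS IIS site. -S (unlike -a)
# refuses to register a duplicate SPN, which would otherwise silently break Kerberos.
setspn -S "HTTP/$adfsHost" $svcAccount
setspn -S "HTTP/adfs" $svcAccount

# Issuance transform rules: the "Send LDAP Attributes as Claims" rule (UPN as
# Name ID, plus givenName, sn and mail) and the logoutURL claim from the post.
$transformRules = @'
@RuleName = "LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "Givenname", "Surname", "E-mail ID"), query = ";userPrincipalName,givenName,sn,mail;{0}", param = c.Value);

@RuleName = "Logout URL"
 => issue(Type = "logoutURL", Value = "http://www.yourdomain.eu", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
'@

# "Permit all users to access this relying party"
$authRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-ADFSRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"   # SHA-1 instead of the default SHA-256

# Extended Protection off on /adfs/ls (assumed scripted equivalent of the IIS
# Manager step above, so Firefox and other browsers can authenticate).
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\adfs\ls" `
    -Filter "system.webServer/security/authentication/windowsAuthentication/extendedProtection" `
    -Name "tokenChecking" -Value "None"

# Verify the trust before handing it to the partner.
Get-ADFSRelyingPartyTrust -Name $rpName | Select-Object Name, SignatureAlgorithm, Identifier
```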
Written by : Yogesh Dhingra