How to configure ADFS ( Active Directory Federation Services )

Start with Windows Server 2008 [R2] – Domain Joined




Create a friendly DNS name for ADFS and point it to your adfs server. (adfs.yourdomain.interalink.be)


·         Download and install ADFS 2.0. Federation Server role from below link. This will install all pre-requisites
http://www.microsoft.com/downloads/en/details.aspx?familyid=118c3588-9070-426a-b655-6cec0a92c10b&displaylang=en







·         In the IIS manager create an SSL certificate for your friendly DNS name or use SelfSSL from the IIS 6.0 resource kit to create a self-signed certificate



Give it a friendly name


·         Run through the ADFS Server configuration wizard

o     
o    Create a new federation Service






o    Stand-alone server


o    Select the certificate that you created for your friendly DNS name








·         Create an SPN for the DNS name so that Kerberos authentication between the browser and the ADFS IIS instance works correctly
setspn -a HTTP/adfs.yourdomain.interlink.be yourdomain\Administrator
setspn -a HTTP/adfs yourdomain\Administrator







In the ADFS 2.0 MMC snap-in select the certificates node and double click the token-signing certificate to Export Certificate
ADFS 2.0 Configuration
Open the ADFS 2.0 MMC snapin and add a new “Relying Party Trust”:






Select Data Source: Import data about a relying party from a file. Browse to metatada.xml you have

Display Name: Give the trust a display name
Choose Issuance Authorization Rules: Permit all users to access this relying party







Open Edit Claim Rues Dialog: Ticked





In the claim rules editor select the “Issuance Transform Rules” tab
Add a new rule:
Claim Rule Template: Send LDAP Attributes as Claims
Claim Rule Template: Send LDAP Attributes as Claims
Attribute Store: Active directory
·         LDAP Attribute: User Principal Name
·         Outgoing Claim Type: Name ID




Set the Secure hash algorithm to SHA1 instead of the default SHA-256. This is set in relying party trust properties under advanced.

Logout url
=> issue(Type = "logoutURL", Value = "http://www.yourdomain.eu", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");





To enable access to Firefox and other browsers.



To turn Extended Protection off, on the AD FS server, launch IIS Manager, then, on the left side tree view, access Sites -> Default Web Site -> adfs -> ls. Once you’ve selected the "/adfs/ls" folder, double-click the Authentication icon, then right-click Windows Authentication and select Advanced Settings… On the Advanced Settings dialog, choose Off for Extended Protection.



Custom Rule for givenane, Surname and E-mail id.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "Givenname", "Surname", "E-mail ID"), query = ";userPrincipalName,givenName,sn,mail;{0}", param = c.Value);

Written by : Yogesh Dhingra
http://www.y-rax.com






Comments

Post a Comment

Popular posts from this blog

Places to Purchase Used Server

The Demand for used Servers is increasing day by day because of two reasons one the technology is upgrading very fast second durability of such devices is higher than their shelf life. As the Market is demanding lots of suppliers has jumped into selling   used servers , Majority of them are genuine but there are so many frauds as well.There some most Important things one should verify before purchasing a   used server . I have experience of more than 25 years in the field of Information Technology working on various different technologies starting from commodore Computer, XT 8085/ 86 AT with 8 KB of RAM and 360 KB Floppy Drive to X86 Servers Pentium with single core than to duel core, multi core and Current   Cloud Computing . I am writing this article and will be writing few more to help and educate genuine users. I am  available  at my mail please feel free to reach me, Send in as many queries and I will  respond  back. ...
Read more

9 tips for improving your wireless network

If Windows ever notifies you about a weak signal, it probably means your connection isn't as fast or as reliable as it could be. Worse, you might lose your connection entirely in some parts of your home. If you're looking to improve the signal for your wireless network, try some of these tips for extending your wireless range and improving your wireless network performance. 1. Position your wireless router (or wireless access point) in a central location 2. Move the router off the floor and away from walls and metal objects (such as metal file cabinets) 3. Replace your router's omni-directional antenna with Hi-gain antena 4. Replace your computer 's wireless network adapter 5. Add a wireless repeater 6. Upgrade 802.11b devices to 802.11g 7. Change your wireless channel to 1,6 or 11 8. Reduce wireless interference to 2.4 GHz 9. Update your firmware or your network adapter driver  
Read more