ADFS 3.0 Configuration for SSO

This document assumes that the ADFS 3.0 software component is properly configured in the Active Directory domain.

Exchange XML Metadata Files

  • Locate your ADFS XML metadata. This information can be found at this address: https://[SERVER_FQDN]/FederationMetadata/2007-06/FederationMetadata.xml
  • Download the XML file, or copy and paste the text into a text document, and send this to MIE.
  • MIE will send back an XML metadata file. Save this file on the ADFS server and make sure it keeps the .xml file extension.

Add Relying Party Trust

  • On the ADFS server, open the Server Manager.
  • Click Tools, and select AD FS Management.
  • In the AD FS Management MMC, expand AD FS and Trust Relationships.
  • Click Add Relying Party Trust in the right pane (or use the right-click context menu in the folder tree).
  • Click Start.
  • Select Import data about the relying party from a file.
  • Browse to and select the XML document that was provided by MIE.
  • Click Next.
  • Give the Relying Party a proper name and description, and then click Next.
  • Leave this set to I do not want to configure multi-factor authentication settings…
  • Click Next.
  • Leave this set to Permit all users to access this relying party, and then click Next.
  • Click Next; do not change any settings on this page.

Edit Claim Rules

  • In the AD FS MMC, expand Trust Relationships and click Relying Party Trusts.
  • Right-click the new Relying Party that was just created, and select Edit Claim Rules…
  • Click Add Rule…
  • Select Send LDAP Attributes as Claims from the dropdown list.
  • Click Next.
  • In the Claim rule name field enter Get LDAP Attributes.
  • For the Attribute store field, select Active Directory from the dropdown list.
  • In the mapping table, select E-Mail-Addresses from the dropdown list under LDAP Attribute (Select type…).
  • Select E-Mail Address from the dropdown list under Outgoing Claim Type.
  • Click Finish.
  • Click Add Rule…, again.
  • Select Transform an Incoming Claim from the Claim rule template dropdown list.
  • Click Next.
  • Name the Claim rule Email to Name ID.
  • Select E-Mail Address from the Incoming claim type dropdown list.
  • Select Name ID from the Outgoing claim type dropdown list.
  • Select Email from the Outgoing name ID format dropdown list.
  • Click Finish.
  • Click OK.
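The same result can be produced from the ADFS PowerShell module instead of the wizard. The block below is an added example and not part of the WebChart documentation; it covers the metadata exchange, the relying party trust import and the two claim rules above. The server FQDN, the relying party name and the local file paths are placeholders for your own values, and the claim rule text is the rule language the two wizard templates ("Send LDAP Attributes as Claims" and "Transform an Incoming Claim") generate.

```powershell
# Added example, not from the WebChart documentation: PowerShell equivalent of the
# "Exchange XML Metadata Files", "Add Relying Party Trust" and "Edit Claim Rules" sections.
# Assumptions (placeholders): the ADFS module is available on the ADFS server, and the
# FQDN, relying party name and file paths below are replaced with your own values.
Import-Module ADFS

$adfsFqdn        = 'adfs.example.com'           # placeholder for [SERVER_FQDN]
$ownMetadataFile = 'C:\ADFS\our-federation-metadata.xml'   # placeholder: file to send to MIE
$mieMetadataFile = 'C:\ADFS\mie-metadata.xml'               # placeholder: file MIE sent back
$rpName          = 'WebChart'                               # display name for the relying party trust

# Step 1: fetch this server's own federation metadata so it can be sent to MIE.
$ownMetadataUrl = "https://$adfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
Invoke-WebRequest -Uri $ownMetadataUrl -OutFile $ownMetadataFile -UseBasicParsing

# Sanity check before sending it: the file must be well-formed XML with an entityID.
$xml = [xml](Get-Content -Path $ownMetadataFile -Raw)
if (-not $xml.EntityDescriptor.entityID) { throw 'Downloaded metadata has no entityID' }
"Our entityID: $($xml.EntityDescriptor.entityID)"

# Step 2: create the relying party trust from the metadata file MIE returned
# (equivalent to "Import data about the relying party from a file" in the wizard).
if (-not (Test-Path -Path $mieMetadataFile)) { throw "Metadata file not found: $mieMetadataFile" }
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $mieMetadataFile `
    -Notes 'WebChart SSO relying party, created from MIE metadata'

# Step 3: the two issuance transform rules in ADFS claim rule language.
# Rule 1 ("Get LDAP Attributes"): look up the AD mail attribute and issue it as E-Mail Address.
# Rule 2 ("Email to Name ID"): copy E-Mail Address into Name ID with the Email name ID format.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $transformRules

# Verify: the trust exists, is enabled, and carries exactly the two rules above.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, Enabled
$rp.IssuanceTransformRules
```

Setting -IssuanceTransformRules replaces the whole rule set for the trust, so the string must contain every transform rule the trust should have; the two rules shown are the complete set this document calls for.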

Set Relying Party SAML Logout Endpoint & Secure Hash Algorithm

  • In the AD FS MMC, expand Trust Relationships and click Relying Party Trusts.
  • Double-click the new Relying Party Trust (or right-click and select Properties).
  • Click the Endpoints tab.
  • Click Add SAML…
  • Select SAML Logout from the Endpoint type dropdown menu.
  • Make sure that POST is selected from the Binding dropdown menu.
  • Enter the ADFS server sign-out URL in the Trusted URL field. The default URL is: https://[SERVER_FQDN]/adfs/ls/?wa=wsignout1.0
  • Click OK to close the Add an Endpoint window.

Configure AD Access Groups (Optional)

  • In the AD FS MMC, expand Trust Relationships and click Relying Party Trusts.
  • Right-click the new Relying Party just created, and select Edit Claim Rules…
  • Click the Issuance Authorization Rule tab.
  • Click Add Rule…
  • Select Permit or Deny Users Based on Incoming Claim from the dropdown list.
  • Enter a claim rule name.
  • Select the appropriate criteria from the Incoming claim type dropdown list. In this example, access is based on AD group membership.

Restart the ADFS Service

  • On your ADFS server, open the Server Manager.
  • Click Tools, and select Services.
  • Right-click the Active Directory Federation Services service.
  • Click Restart.
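The endpoint, hash algorithm, optional group authorization rule and service restart can also be done from PowerShell. This block is an added example, not part of the WebChart documentation. It assumes the trust was already created under the name below; the server FQDN and the AD group SID are placeholders. The document names the secure hash algorithm setting but not a value, so pinning RSA-SHA256 is an assumption made here; the group rule is the text the "Permit or Deny Users Based on Incoming Claim" template generates for a Group SID claim.

```powershell
# Added example, not from the WebChart documentation: PowerShell equivalent of the
# "Set Relying Party SAML Logout Endpoint & Secure Hash Algorithm", "Configure AD Access
# Groups (Optional)" and "Restart the ADFS Service" sections.
# Assumptions (placeholders): the trust already exists under $rpName; $adfsFqdn and
# $groupSid are replaced with your own values.
Import-Module ADFS

$rpName   = 'WebChart'                                        # name given to the relying party trust
$adfsFqdn = 'adfs.example.com'                                # placeholder for [SERVER_FQDN]
$groupSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'  # placeholder: SID of the AD group allowed to sign in

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# 1. SAML Logout endpoint, POST binding, pointing at the ADFS sign-out URL from the document.
#    -SamlEndpoint replaces the entire endpoint list, so keep the endpoints imported from
#    MIE's metadata and append the new one instead of overwriting them.
$logoutUrl    = "https://$adfsFqdn/adfs/ls/?wa=wsignout1.0"
$alreadyThere = $rp.SamlEndpoints |
    Where-Object { $_.Protocol -eq 'SAMLLogout' -and "$($_.Location)" -eq $logoutUrl }
if (-not $alreadyThere) {
    $logout = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl
    Set-AdfsRelyingPartyTrust -TargetName $rpName -SamlEndpoint (@($rp.SamlEndpoints) + $logout)
}

# 2. Secure hash algorithm: sign tokens for this trust with RSA-SHA256 (assumed value;
#    the document does not state which algorithm to pick).
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# 3. Optional issuance authorization rule: permit only members of one AD group.
#    Setting -IssuanceAuthorizationRules replaces the wizard's "Permit all users" rule,
#    which is the intended effect of this section. The backtick escapes the regex end anchor
#    inside the expanding here-string.
$authorizationRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit WebChart users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$groupSid`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authorizationRules

# 4. Restart the federation service (adfssrv) so the changes take effect.
Restart-Service -Name adfssrv
Get-Service -Name adfssrv | Select-Object Name, Status

# Verify the result.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.SignatureAlgorithm
$rp.IssuanceAuthorizationRules
```

Users outside the group now receive an access-denied response from ADFS rather than a token, so test the sign-in with one account inside the group and one outside it before announcing the change.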

Customize ADFS User Sign-in Page (Optional)

Options for changing the way your user sign-in page looks and behaves can be found here:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-user-sign-in-customization

WebChart Documentation
Last Build: Wed, 08 Sep 2021 00:26:00 EDT Legacy Documentation