How to Install and Configure ADFS 2.0 for SharePoint 2010 on Windows Server 2008 R2

1 Overview

Active Directory Federation Services 2.0 helps IT enable users to collaborate across organizational boundaries and easily access applications on-premises and in the cloud, while maintaining application security. Through a claims-based infrastructure, IT can enable a single sign-on experience for end-users to applications without requiring a separate account or password, whether applications are located in partner organizations or hosted in the cloud.

2 System requirements

Supported operating systems: Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 R2, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Foundation, Windows Server 2008 R2 Standard, Windows Server 2008 Service Pack 2, Windows Server 2008 Standard, Windows Small Business Server 2008 Premium, Windows Small Business Server 2008 Standard

  • Internet Information Services (IIS) 7 or 7.5
  • .NET Framework 3.5 SP1
  • SQL Server 2005 (Express, Standard, Enterprise), SQL Server 2008 (Express, Standard, Enterprise)
  • See AD FS 2.0 home page for further details on system requirements


3 Additional information

  • See AD FS 2.0 Content Map for a list of AD FS 2.0 content that is most applicable to your AD FS 2.0 documentation needs.


4 Download Center

MS Download



5 Install ADFS 2.0 on Windows Server 2008 R2 (DC side)

Download AdfsSetup.exe and install it.


Accept the terms and click Next


Select Federation Server and Next


Install Prerequisite Software: just click Next


And you can start with AD FS



6 Configure ADFS 2.0 for SharePoint 2010

When the install finishes, you will see this screen. Click on AD FS 2.0 Federation Server Configuration Wizard.


Select Create a new Federation Service


Choose New Federation Server Farm


Select your certificate and click Next. I had only one certificate, so the selection was grayed out.


Use a service account for running ADFS. Do not use Administrator; use a dedicated service account such as:

  • domain\svcADFS_sp
  • domain\servicesp_ADFS


It will configure some settings


If there are no errors you can close this screen.


Now, back on this screen, we have to add a trusted relying party.


To begin, click Start.


Select the third choice: Enter data about the relying party manually.


Give it a friendly display name.


Choose the AD FS 2.0 profile.


You can select a certificate to encrypt the SAML token itself. This isn't done frequently because ADFS requires the connection to SharePoint to be made over SSL, so the channel the token is sent over is already encrypted. The token is still signed by ADFS, and SharePoint verifies that signature with the token-signing certificate you import on the SharePoint side later. Just click Next.


Check the box to Enable support for the WS-Federation Passive protocol. For the protocol URL you need to enter the URL of the SharePoint web application's root site, including the "_trust" subdirectory. In this example, the URL of my SharePoint web application is https://portail.gokmania.local, so the WS-Federation Passive protocol URL is https://portail.gokmania.local/_trust/. After entering your URL, click the Next button.


For the relying party trust identifier you need to enter a realm that your web application will pass to ADFS when users log into the web application. The realm is generally created in the format of urn:foo:bar. So in this case, I’ve entered a realm of urn:portail.gokmania.local:sharepoint.


In most cases you will want all of your users to be able to use this relying party. We’ll assume that’s the case for this scenario so just accept the default choice and click the Next button.

If you needed to make any other configuration changes at this time to the relying party trust you could do it here. For this scenario we don’t need to so just click the Next button to continue.


We’re done configuring the relying party trust but we still need to create a claim rule to tell ADFS what claims to send back to SharePoint. So leave the box checked to Open the Edit Claim Rules dialog and click the Close button.


Now we are going to create a new rule, so click the Add Rule button.


We are going to send LDAP attributes as claims because we are getting information from Active Directory in this case, meaning we will authenticate at ADFS and ADFS is going to use the corporate Active Directory to authenticate us and determine what our attributes are. So leave the default value selected and click the Next button to continue.


Select all these attributes
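The relying party steps above can also be scripted on the AD FS 2.0 server, together with the token-signing certificate export that section 7 needs. This is an added example, not the article's own script: it reuses the article's realm, WS-Federation endpoint and C:\GokManiaAdfs.cer path, and assumes a relying party display name of "SharePoint 2010".

```powershell
# Run on the AD FS 2.0 server. Values below come from this article, except the
# display name "SharePoint 2010", which is an assumption.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName   = "SharePoint 2010"
$realm    = "urn:portail.gokmania.local:sharepoint"
$endpoint = "https://portail.gokmania.local/_trust/"

# Claim rule language equivalent of the "Send LDAP Attributes as Claims" template:
# for the authenticated account, read mail and tokenGroups from Active Directory and
# issue them as the e-mail and role claims that SharePoint maps on its side.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes to SharePoint"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Equivalent of the wizard's default "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-ADFSRelyingPartyTrust -Name $rpName)) {
    Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $realm -WSFedEndpoint $endpoint `
        -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules
}

# Export the primary token-signing certificate as public key only (.cer, no private
# key) so SharePoint can verify token signatures; copy the file to the SharePoint server.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$bytes   = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("C:\GokManiaAdfs.cer", $bytes)
"Exported token-signing certificate, thumbprint " + $signing.Thumbprint
```

Keep the printed thumbprint: comparing it with what SharePoint stores is the quickest way to catch a stale copy after AD FS rolls its signing certificate.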


7 Configure SharePoint 2010 for AD FS 2.0 (Application Server side)


Now, under AD FS 2.0 > Certificates, you can see the different certificates. Export the token-signing certificate on the DC, copy it to C:\ on the SharePoint server and install it in the Trusted Root Certification Authorities (or do it with code).

I renamed my certificate "gokmaniaadfs.cer"



So now on my SharePoint server I have my certificate:

  • C:\GokManiaAdfs.cer, which is the token signing certificate I copied from my ADFS server


Now that I have my certificate, I need to add it to my list of trusted root authorities. I'm going to do that in PowerShell with this script:


```powershell
# Load the exported AD FS token-signing certificate (no trailing space in the path)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\GokManiaAdfs.cer")
# Register it so SharePoint trusts tokens signed with this certificate
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
```

Next I'm going to create the claim mappings that SharePoint is going to use:


```powershell
# Standard claim type URIs for the e-mail and role claims issued by the AD FS LDAP rule
$map  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
```

Next I'm going to create a variable for the realm that I want SharePoint to use. It must be the same realm entered as the relying party trust identifier in ADFS, urn:portail.gokmania.local:sharepoint in this scenario. Here's the PowerShell to create my realm variable:


```powershell
$realm = "urn:portail.gokmania.local:sharepoint"
```

Now I’m ready to create my SPTrustedIdentityTokenIssuer. This is where I tie together all of the configuration information so SharePoint knows how to connect and work. I’ll show the PowerShell here and then explain the important parts:


```powershell
# Ties together the signing cert, claim mappings, realm and the ADFS sign-in URL;
# users are identified by the e-mail claim, so it is passed as the identifier claim.
$ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "SharePoint secured by SAML" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://adfs.gokmania.local/adfs/ls" -IdentifierClaim $map.InputClaimType
```

So now we’ll open up the browser and navigate to Central Administration. Click on the Manage Web Applications link, then click on the web application in the list that’s going to use ADFS to authenticate, then click the Authentication Providers button in the ribbon. Click the link in the dialog that corresponds to the zone in which you are going to use ADFS to authenticate. Scroll down to the Authentication Types section. You can now de-select NTLM, and you should see a new provider called “SAML Provider” in the list of trusted providers.
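Before switching the zone over to the SAML provider, it is worth checking that what SharePoint stored actually matches what ADFS issues, because a signing-certificate or realm mismatch only shows up later as a failed sign-in. The check below is an added example, not the article's script; it assumes the names used on this page ("SAML Provider", C:\GokManiaAdfs.cer and the realm above).

```powershell
# Run in the SharePoint 2010 Management Shell after the configuration steps above.
# Names and paths are the ones used in this article.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "SAML Provider"
$certPath   = "C:\GokManiaAdfs.cer"
$realm      = "urn:portail.gokmania.local:sharepoint"
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

$ap   = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$root = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $file.Thumbprint }

# Each check compares the stored trust against the exported ADFS certificate and the
# values that were typed into the relying party wizard.
$checks = @(
    @{ Name = "exported cert is registered as a trusted root authority"
       Ok   = ($root -ne $null) },
    @{ Name = "issuer verifies token signatures with that same cert"
       Ok   = ($ap.SigningCertificate.Thumbprint -eq $file.Thumbprint) },
    @{ Name = "exported cert is not expired"
       Ok   = ($file.NotAfter -gt (Get-Date)) },
    @{ Name = "sign-in URL uses HTTPS"
       Ok   = ($ap.ProviderUri.Scheme -eq "https") },
    @{ Name = "realm matches the relying party identifier in ADFS"
       Ok   = ($ap.DefaultProviderRealm -eq $realm) },
    @{ Name = "identifier claim is the e-mail claim"
       Ok   = ($ap.IdentityClaimTypeInformation.InputClaimType -eq $emailClaim) }
)

$failed = 0
foreach ($c in $checks) {
    if ($c.Ok) { "OK   " + $c.Name } else { "FAIL " + $c.Name; $failed++ }
}
"$failed check(s) failed"
```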



8 Some tests


Search for User


User Information


9 Install ADFS on Windows Server 2008R2

Under Server Roles, Select Active Directory Federation Services and click Next


Some information, click again Next


Select the roles that you want. In my case, the important thing is to select "Federation Service".


Choose the second option here: Create a self-signed certificate for SSL encryption.


Again choose the second option and click Next.


Create a new Trust Policy and Next


Select additional role services; I left the default values.

The install will begin; when it finishes, run ADFS.


10 Resources (thanks for all the good information)


Comments
  • Nice article, thanks

  • Hi Gokan,

    What is the purpose of step No.9 since you have already installed ADFS setup at the beginning of article.

    Am I missing something?

    Request your help please

    Best Regards

