SharePoint 2010: How to Install and Configure ADFS for SharePoint 2010 on Windows Server 8

Active Directory Federation Services (AD FS) 2.0 helps simplify access to applications and other systems with an open and interoperable claims-based model. The AD FS 2.0 platform provides a fully redesigned Windows-based Federation Service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.

In this article we install it on Windows Server 8 (the pre-release name of Windows Server 2012). My earlier article covers configuring AD FS 2.0 on Windows Server 2008 R2.

Download Link

On Windows Server 8 you do not have to download anything: AD FS is installed as a server role from Server Manager. On Windows Server 2008 R2 you install the separate AD FS 2.0 package, available here:

http://www.microsoft.com/en-us/download/details.aspx?id=10909

1 Install and Configure ADFS 2.0 on Server 8

Open the Add Roles and Features Wizard.

Select "Role-based or feature-based installation" and click Next.

Select your server (in this lab, the domain controller) and click Next. Outside a lab, put AD FS on a member server rather than on a domain controller: the federation service terminates inbound HTTPS from clients and runs under a service account, and that exposure does not belong on a DC.

Select the role "Active Directory Federation Services".

The wizard offers to add the features the role depends on; click "Add Features".

Select your features and click Next.

Click Next.

Select "Federation Service" and the agent, and click Next.

Click Next again.

Click Install.

When the installation completes, the AD FS welcome screen opens. Click "AD FS Federation Services Configuration Wizard".

Select "Create a new Federation Service".

Select "New federation server farm".

Make sure the server already has an SSL certificate bound to the Default Web Site in IIS; the wizard lists those certificates, and the subject name of the one you select becomes the Federation Service name (adfs.gokmania.local in this lab). Select it and click Next.

Provide a service account and its password. Use a dedicated domain account with a strong password; every federation server in the farm runs under it.

On the summary screen, click Next.

When the configuration finishes, close the window.

You are returned to the AD FS welcome screen. Click "Required: Add a trusted relying party".

Click Start.

Choose "Enter data about the relying party manually".

Give a display name; I used "GokMania-Labo Internal Trust" for this exercise.

Choose the "AD FS 2.0 profile" and click Next.

Click Next (no token encryption certificate is needed for this lab).

Check "Enable support for the WS-Federation Passive protocol" and enter the URL of your SharePoint web application followed by /_trust/ (for example https://portail.gokmania.local/_trust/). The trailing slash matters: SharePoint posts the token back to exactly this address.

Provide the relying party trust identifier (the URN). It must be exactly the realm you will configure on the SharePoint side in section 2, here urn:portail.gokmania.local:sharepoint.

Choose "Permit all users to access this relying party" and click Next.

Click Close, leaving "Open the Edit Claim Rules dialog" checked.

Now we edit the claim rules for our trust. Click "Add Rule...".

Select the template "Send LDAP Attributes as Claims".

Map the LDAP attributes to the two claim types SharePoint will consume in section 2: E-Mail-Addresses to E-Mail Address, and Token-Groups - Unqualified Names to Role. A user without a mail attribute in Active Directory will get no e-mail claim and therefore no identity in SharePoint, so check that attribute is populated for your test accounts.

2 Configure AD FS on SharePoint 2010

Export the token-signing certificate (public key only, no private key) from the AD FS server and copy it to the SharePoint server. Let's name it GokManiaAdfs.cer:

  • C:\GokManiaAdfs.cer, which is the token-signing certificate I copied from my AD FS server. SharePoint uses it to verify the signature on every token AD FS issues, so it has to be the certificate AD FS actually signs with (the primary one), not the service communications certificate.

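Exporting the right certificate on the AD FS side, as an added example (not from the original article). It uses the AD FS Get-ADFSCertificate cmdlet and the .NET X509Certificate2 export; the output path follows the article, and the destination drive is an assumption.

```powershell
# Added example (not from the original article): export the primary token-signing
# certificate as a DER .cer file. Run on the AD FS server.
Import-Module ADFS -ErrorAction SilentlyContinue
if (-not (Get-Command Get-ADFSCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# AD FS can hold a primary and a secondary token-signing certificate (rollover).
# Tokens are signed with the primary one, so that is the one SharePoint must trust.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$x509    = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# X509ContentType::Cert exports the public certificate only; the private key never
# leaves the AD FS server.
$der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("C:\GokManiaAdfs.cer", $der)   # ASSUMPTION: C:\ is writable here

# Note the thumbprint and expiry; compare the thumbprint on the SharePoint side after import.
"Token-signing thumbprint: {0}, expires {1}" -f $x509.Thumbprint, $x509.NotAfter
```

Note the expiry date: AD FS 2.0 rolls its self-signed token-signing certificate over automatically (AutoCertificateRollover), and when that happens SharePoint still trusts the old certificate and rejects every new token until you re-import the new one. Either plan the re-export around the rollover date or use a certificate you control.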
Now that I have my certificate, I need to add it to SharePoint's list of trusted root authorities. This is SharePoint's own trust store (in the configuration database), not the Windows certificate store, so importing the file into Windows is not enough. I'm going to do it in PowerShell with this script:

# Load the token-signing certificate exported from AD FS (no trailing space in the path)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\GokManiaAdfs.cer")

# Register it as a trusted root authority in the SharePoint farm
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

Next I'm going to create the claim mappings that SharePoint is going to use. Each mapping takes an incoming claim type from the AD FS token and exposes it in SharePoint under the same type (-SameAsIncoming); the two types are exactly the ones the LDAP claim rule in section 1 issues:

# E-mail address: used as the identity claim below
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# Role: AD group membership, usable in SharePoint permissions
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

Next I'm going to create a variable for the realm that I want SharePoint to use. The realm must match the relying party trust identifier entered in AD FS in section 1, character for character; for this scenario that is urn:portail.gokmania.local:sharepoint. Here's the PowerShell to create my realm variable:

$realm = "urn:portail.gokmania.local:sharepoint"

Now I'm ready to create my SPTrustedIdentityTokenIssuer. This is where I tie together all of the configuration information so SharePoint knows how to connect and work: the realm, the token-signing certificate, the claim mappings, the AD FS sign-in page (/adfs/ls) and the claim that identifies the user. I'll show the PowerShell here and then explain the important parts:

$ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "SharePoint secured by SAML" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://adfs.gokmania.local/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

The identifier claim is what SharePoint treats as the user's identity, so the e-mail address in Active Directory is effectively the user name here. So now we'll open up the browser and navigate to Central Administration. Click on the Manage Web Applications link, then click on the web application in the list that's going to use AD FS to authenticate, then click the Authentication Providers button in the ribbon. Click the link in the dialog that corresponds to the zone in which you are going to use AD FS to authenticate. Scroll down to the Authentication Types section. You should see a new provider called "SAML Provider" in the list of trusted identity providers; select it. You can also de-select NTLM, but keep Windows authentication on at least one zone until the trusted provider is proven to work: the search crawler and the farm administrators still need it, and a zone with only a broken SAML provider locks everyone out.
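The same zone binding done in the SharePoint 2010 Management Shell, with a check that the trust SharePoint holds really matches the certificate copied from AD FS. This is an added example, not code from the original article; the web application URL https://portail.gokmania.local and the test account admin@gokmania.local are assumptions.

```powershell
# Added example (not from the original article): verify the trusted identity
# token issuer and bind it to the web application's Default zone.
# ASSUMPTIONS: web application https://portail.gokmania.local, test user admin@gokmania.local.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://portail.gokmania.local"
$cerPath   = "C:\GokManiaAdfs.cer"

# 1. The trust must be anchored on exactly the token-signing certificate exported from AD FS.
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$issuer   = Get-SPTrustedIdentityTokenIssuer -Identity "SAML Provider"
if ($issuer.SigningCertificate.Thumbprint -ne $fileCert.Thumbprint) {
    throw "SAML Provider signing certificate does not match $cerPath; tokens from AD FS would be rejected"
}

# 2. Realm and sign-in URL must agree with the AD FS relying party trust (identifier and /adfs/ls).
$issuer | Select-Object Name, DefaultProviderRealm, ProviderUri, IdentityClaimTypeInformation

# 3. Put the provider on the Default zone next to Windows (NTLM) claims authentication.
#    Keeping Windows auth keeps the search crawler and farm admins working; remove it
#    from the zone only once SAML sign-in has been tested.
$windows = New-SPAuthenticationProvider          # claims-based Windows authentication
$webApp  = Get-SPWebApplication -Identity $webAppUrl
Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $windows, $issuer

# 4. Grant someone access before testing: a federated user is addressed by its identity
#    claim (the e-mail address), encoded as a claims principal.
$principal = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $issuer -Identity "admin@gokmania.local"
$principal.ToEncodedString()   # e.g. i:05.t|saml provider|admin@gokmania.local, usable in web application policy
```

Run steps 1 and 2 on every farm server change you make later: if someone rolls the AD FS token-signing certificate or re-creates the relying party trust with a different identifier, the comparison in step 1 and the realm shown in step 2 are where the mismatch becomes visible.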

Comments
  • I'm not sure if the Windows Server 8 edition you were using is the BETA edition (Build 8250). The AD FS server role in Windows Server 2012 RC (Build 8400) includes the same functionality and feature set that is available in AD FS 2.0. It also includes the following list of new functionality that was not available in AD FS 2.0:

    - Integration with Dynamic Access Control (blogs.technet.com/.../introduction-to-windows-server-2012-dynamic-access-control.aspx)

    - Improved installation experience using Server Manager: with AD FS 2.0, you must first download and then install AD FS 2.0 in order to build a federation infrastructure. In Windows Server 2010, however, you don't have to do the same thing. In other words, you just need to install AD FS server role using Server Manager.

    - Additional Windows PowerShell cmdlet tools: Windows Server 2012 provides incredibly new cmdlets for installing, configuring and deploying AD FS infrastructure very quickly.

  • Thank you Thuan for your response..
