Active Directory Federation Services (AD FS) 2.0 helps simplify access to applications and other systems with an open and interoperable claims-based model. The AD FS 2.0 platform provides a fully redesigned Windows-based Federation Service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.
In this article we are going to install it on Windows Server 8. You can also find my recent article on how to configure AD FS 2.0 on Windows Server 2008 R2.
On Windows Server 8 you don't actually have to download it, but if you need to, you can download it here:
http://www.microsoft.com/en-us/download/details.aspx?id=10909
Open the Add Roles and Features Wizard
Select Role based or feature based installation and click Next
Select your Server ( Domain Controller ) and click Next
Select your Role "Active Directory Federation Services"
It will add features to your role, select "Add Features"
Select your Features and click Next
Just click Next
Select Federation Services and the Agent and click Next
Again Next
And click Install
The wizard will open the AD FS Welcome screen, click AD FS Federation Services Configuration Wizard
Select "Create a new Federation Service"
Create a new server farm
Be sure, that your server has a certificate. Select it, and click Next
Provide a Service Account and give the Password.
The summary screen. Just click Next
When the installation finishes, close the screen.
Once the installation has completed successfully, you are returned to the AD FS Welcome screen. Click "Required: Add a trusted relying party"
Select Start
Choose "Federation data about the relying party manually"
Give a friendly name; I used "GokMania-Labo Internal Trust" for my exercise.
Choose AD FS profile and click Next
Just click Next.
Choose "Enable support for the WS-Federation Passive protocol" and enter your web application URL with /_trust/ appended.
Provide your URN:
Choose "Permit all users to access this relying party" and click Next
Choose "Close"
Now we are going to edit Claim Rules for our Trust. Click on Add Rule...
Select your template LDAP
And fill the same as shown below.
Create a new certificate on the AD FS server and copy it to the SharePoint server. Let's rename it GokManiaAdfs.cer:
Now that I have my certificate, I need to add it to my list of trusted root authorities. I'm going to do that in PowerShell with this script:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\GokManiaAdfs.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Next I’m going to create the claim mappings that SharePoint is going to use
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
Next I’m going to create a variable for the realm that I want SharePoint to use. For this scenario I said I was going to use the realm urn:seo:sharepoint. Here’s the PowerShell to create my realm variable:
Now I’m ready to create my SPTrustedIdentityTokenIssuer. This is where I tie together all of the configuration information so SharePoint knows how to connect and work. I’ll show the PowerShell here and then explain the important parts:
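The SharePoint-side steps above assembled into one script, as an added example rather than the article's own script. It assumes the SharePoint Management Shell and a placeholder AD FS host name; the certificate path, claim types and realm urn:seo:sharepoint are the ones used in this article.

```powershell
# Added example (not the article's script). Run in the SharePoint Management Shell.
# The AD FS host name is a placeholder; use your own federation service name.
$adfsHost = "adfs.example.local"

# 1. Trust the AD FS token-signing certificate copied from the AD FS server.
#    SharePoint will only accept SAML tokens signed by this certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\GokManiaAdfs.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

# 2. Map the claims issued by the LDAP claim rule on AD FS to SharePoint claims.
$map  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. The realm must match the relying party identifier (URN) entered in the AD FS wizard.
$realm = "urn:seo:sharepoint"

# 4. Tie everything together. -SignInUrl is the AD FS passive (WS-Federation) endpoint;
#    -IdentifierClaim is the claim SharePoint uses to identify a user (e-mail address here).
$ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "AD FS 2.0 trust" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 `
    -SignInUrl "https://$adfsHost/adfs/ls" -IdentifierClaim $map.InputClaimType

# Check: the issuer must carry the thumbprint of the certificate you copied,
# otherwise tokens from AD FS will be rejected (or a wrong issuer trusted).
if ($ap.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Signing certificate mismatch for trusted identity token issuer"
}
```

The provider name "SAML Provider" is what later appears in the Authentication Providers list in Central Administration.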
So now we’ll open up the browser and navigate to Central Administration. Click on the Manage Web Applications link, then click on the web application in the list that’s going to use ADFS to authenticate, then click the Authentication Providers button in the ribbon. Click the link in the dialog that corresponds to the zone in which you are going to use ADFS to authenticate. Scroll down to the Authentication Types section. You can now de-select NTLM, and you should see a new provider called “SAML Provider” in the list of trusted providers.
Thank you Thuan for your response..
I'm not sure if the Windows Server 8 edition you were using is the BETA edition (Build 8250). The AD FS server role in Windows Server 2012 RC (Build 8400) includes the same functionality and feature set that is available in AD FS 2.0. It also includes the following list of new functionality that was not available in AD FS 2.0:
- Integration with Dynamic Access Control (blogs.technet.com/.../introduction-to-windows-server-2012-dynamic-access-control.aspx)
- Improved installation experience using Server Manager: with AD FS 2.0, you must first download and then install AD FS 2.0 in order to build a federation infrastructure. In Windows Server 2010, however, you don't have to do the same thing. In other words, you just need to install AD FS server role using Server Manager.
- Additional Windows PowerShell cmdlet tools: Windows Server 2012 provides incredibly new cmdlets for installing, configuring and deploying AD FS infrastructure very quickly.