This section describes how to configure Active Directory Federation Service (AD FS) 2.0 and 3.0 as a SAML identity provider (IdP) in order to work with TMWS.
Procedure
- Download the Service Provider metadata.
  - On the Edit AD Integration Settings screen, click View Service Provider Metadata in the AD FS Service Provider Settings section. For how to enter this screen, see Active Directory Federation Services Authentication.
  - Save the XML file as iwsspmetadata.xml.
- After installing AD FS successfully, go to .
- On the AD FS Management Console, go to , right-click Relying Party Trusts and then choose Add Relying Party Trust.
- Provide information for each screen in the Add Relying Party Trust wizard.
  - From the Select Data Source step, select Import data about the relying party from a file and then browse and select iwsspmetadata.xml.
  - From the Specify Display Name step, specify your desired name, such as TMWS.
  - From the Choose Issuance Authorization Rules step, select Permit all users to access this relying party and then click Next.
  - Continue clicking Next in the wizard and finally click Close. The Edit Claim Rules for TMWS window appears.
- From the Edit Claim Rules for TMWS window, click Add Rule on the Issuance Transform Rules tab.
- Provide information for each screen in the Add Transform Claim Rule wizard.
  - From the Choose Rule Type step, specify Claim rule template for Send LDAP Attributes as Claims and then click Next.
  - From the Configure Claim Rule step:
    - Specify the claim rule name and specify Active Directory for the attribute store.
    - Select SAM-Account-Name for LDAP Attribute and type sAMAccountName, if it does not exist in the dropdown list, for Outgoing Claim Type.
      Note: The value for the Outgoing Claim Type column should be the same as the Logon name attribute field in the AD FS Identity Provider Settings section of AD FS Authentication settings.
    - Click Finish to add the new rule.
- From the Edit Claim Rules for TMWS dialog box, click Add Rule to add another rule with the following settings:
  - Claim rule template: Send Claims Using a Custom Rule
  - Claim rule name: Any desired name, such as user-defined
  - Custom rule: The content of the custom rule. Type the following exactly:
    c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"] => add(store = "_OpaqueIdStore", types = ("http://tmws/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
- Click Add Rule to add a third rule with the following settings:
  - Claim rule template: Transform an Incoming Claim
  - Claim rule name: Any desired name, such as roamer
  - Incoming claim type: The type specified in the previously added rule. Type the following exactly:
    http://tmws/internal/sessionid
  - Outgoing claim type: Name ID
  - Outgoing name ID format: Transient Identifier
- Click Apply and then click OK.
- From , double-click the relying party trust file you created earlier.
- From the TMWS Properties dialog box, click the Advanced tab.
- For Secure hash algorithm, specify SHA1 or SHA256 and then click OK.
- Go to
- Open the certificate under Token-signing. To learn about choosing a token-signing certificate, go to https://technet.microsoft.com/en-us/library/dd145391.aspx.
- From the Certificate dialog box, click Copy to File from the Details tab.
- Provide information for each screen in the Certificate Export wizard.
  - From the Export File Format window, select Base-64 encoded X.509 (.CER) and then click Next.
  - From the File to Export window, locate the desired certificate file and then click Next.
  - At the "The export was successful" message, click OK to have the token signing certificate saved to the file.
- Go back to the Edit AD Integration Settings screen on the TMWS management console, and select the certificate to upload it in the AD FS Identity Provider Settings section.
- Test your settings.
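The wizard steps above scripted with the AD FS PowerShell cmdlets, as an added example that is not part of the TMWS documentation; the metadata path, rule names and output folder are assumed, and the three claim rules are the ones the procedure describes.

```powershell
# Added example (not from the TMWS documentation). Run as an AD FS administrator
# on the AD FS server. AD FS 3.0 loads the ADFS module; AD FS 2.0 uses
# "Add-PSSnapin Microsoft.Adfs.PowerShell" instead, with the same cmdlet names.
Import-Module ADFS

$metadata = 'C:\Temp\iwsspmetadata.xml'   # assumed path of the saved SP metadata
$rpName   = 'TMWS'                         # display name chosen in the wizard

# Rule 1: Send LDAP Attributes as Claims. The outgoing type (sAMAccountName)
# must match the Logon name attribute configured in the TMWS AD FS settings.
$rule1 = @'
@RuleTemplate = "LdapClaims"
@RuleName = "sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("sAMAccountName"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Rule 2: the custom rule from the procedure, copied exactly (rule name assumed).
$rule2 = @'
@RuleName = "user-defined"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"] => add(store = "_OpaqueIdStore", types = ("http://tmws/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
'@

# Rule 3: Transform an Incoming Claim to Name ID with the Transient Identifier format.
$rule3 = @'
@RuleTemplate = "MapClaims"
@RuleName = "roamer"
c:[Type == "http://tmws/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# "Permit all users to access this relying party" as an issuance authorization rule.
$authzRule = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Create the trust from the metadata file. SHA256 is the stronger of the two
# Secure hash algorithm choices offered on the Advanced tab.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadata `
    -IssuanceAuthorizationRules $authzRule `
    -IssuanceTransformRules ($rule1, $rule2, $rule3 -join "`n") `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Export the primary token-signing certificate as Base-64 encoded X.509 (.CER),
# the format TMWS expects on the Edit AD Integration Settings screen.
$cert = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Certificate
[IO.File]::WriteAllBytes('C:\Temp\adfs-token-signing.der', $cert.RawData)
certutil -encode 'C:\Temp\adfs-token-signing.der' 'C:\Temp\adfs-token-signing.cer' | Out-Null
```

Verify the result with Get-AdfsRelyingPartyTrust -Name TMWS, which shows the imported identifiers, the signature algorithm and the three transform rules before you test a login.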
What to do next
Note: Send copies of event logs to your support provider if AD FS authentication errors repeatedly occur.
For information about event logs and Event Viewer, see https://technet.microsoft.com/en-us/library/cc766042.aspx.