Configuring Active Directory Federation Services 2.0

Active Directory Federation Services (AD FS) 2.0 provides support for claims-aware identity solutions that involve Windows Server and Active Directory technology. AD FS 2.0 supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.

This section describes how to configure AD FS 2.0 as the SAML 2.0 identity provider (IdP) for Hosted Email Security, which is registered in AD FS as a relying party trust (the SAML service provider). Make sure you have installed AD FS 2.0 successfully before you begin.

  1. Go to Start > All Programs > Administrative Tools > AD FS 2.0 Management.
  2. On the AD FS management console, go to AD FS 2.0 > Trust Relationships, right-click Relying Party Trusts and then choose Add Relying Party Trust.
  3. Complete settings for each screen in the Add Relying Party Trust wizard.
    1. On the Welcome screen, click Start.
    2. On the Select Data Source screen, select Enter data about the relying party manually and click Next.
    3. On the Specify Display Name screen, specify a display name, such as test, and click Next.
    4. On the Choose Profile screen, select AD FS 2.0 profile and click Next.
    5. On the Configure Certificate screen, click Next.

      No encryption certificate is required: AD FS signs the SAML assertion with its token-signing certificate but does not encrypt it, and the SAML messages travel over HTTPS between the browser, Hosted Email Security, and the federation servers.

    6. On the Configure URL screen, select Enable support for the SAML 2.0 WebSSO protocol, type the relying party SAML 2.0 SSO service URL, and then click Next.

      Specify the SAML 2.0 SSO service URL for your region as follows:

      • Europe, the Middle East, Africa:

      • Other regions:

    7. On the Configure Identifiers screen, type the identifier for the relying party trust, click Add, and then click Next.

      Specify the identifier for the relying party trust for your region as follows:

      • Europe, the Middle East, Africa:

      • Other regions:

    8. Continue clicking Next in the wizard, accepting the default issuance authorization rule (Permit all users to access this relying party), leave Open the Edit Claim Rules dialog for this relying party trust when the wizard closes selected, and finally click Close.
  4. In the Edit Claim Rules for test dialog box (the title carries the display name you chose), click Add Rule on the Issuance Transform Rules tab.
  5. Complete settings for each screen in the Add Transform Claim Rule wizard.
    1. On the Select Rule Template screen, select Send LDAP Attributes as Claims for Claim rule template and click Next.
    2. On the Configure Claim Rule screen, specify a claim rule name and select Active Directory for Attribute store.
    3. Select the LDAP attributes to release and specify an outgoing claim type for each attribute, for example, select E-Mail-Addresses and specify email as the outgoing claim type.

      When configuring federation server settings on Hosted Email Security, make sure you use exactly the claim types specified in the Outgoing Claim Type column (the comparison is case-sensitive); a mismatch means the assertion carries the attribute under a name the service does not look for, and sign-in fails even though AD FS reports success.

    4. Click Finish to save the rule.
    5. Click OK to close the Edit Claim Rules dialog box.
  6. From AD FS 2.0 > Trust Relationships > Relying Party Trusts, double-click the relying party trust you created earlier.
    1. In the test Properties dialog box, click the Advanced tab.
    2. Select SHA-1 from the Secure hash algorithm drop-down list and click OK.

      AD FS 2.0 defaults to SHA-256 for signing SAML messages; SHA-1 is selected here only because the relying party expects it. SHA-1 is cryptographically deprecated for signatures, so if Hosted Email Security later accepts SHA-256, switch this setting back.

  7. Verify your configurations.
    1. Start a web browser (preferably Internet Explorer, which can use integrated Windows authentication against AD FS), type https://AD_FS_host_name/adfs/ls/IdpInitiatedSignon.aspx in the address bar, and then press Enter.

      When typing the URL, replace AD_FS_host_name with the federation service name of the server where you configured AD FS. Use the host name rather than an IP address, because the HTTPS certificate is issued to the federation service name and the browser will otherwise reject it.

    2. On the Sign-In Page screen, select Sign in to this site and click Continue to Sign In. Authenticate with a domain account when prompted.

      If the AD FS server displays the message "You are signed in.", AD FS itself is working and your configurations are correct. This test exercises only authentication at AD FS; it does not send an assertion to Hosted Email Security, so claim-type mismatches will not show up here.

      If you fail to sign in, check your previous configurations and the AD FS 2.0 entries in the Windows Event Viewer.


  8. Collect the single sign-on URL and the certificate Hosted Email Security will use to validate the assertion signature from AD FS.
    1. On the AD FS management console, go to AD FS 2.0 > Service > Endpoints.
    2. Under Token Issuance, look for the endpoint of type SAML 2.0/WS-Federation (URL path /adfs/ls/) and collect its full URL, https://AD_FS_host_name/adfs/ls/.
    3. Go to AD FS 2.0 > Service > Certificates.
    4. Look for the Token-signing certificate (the primary one, if two are listed), right-click it, and then select View Certificate.
    5. Click the Details tab and click Copy to File.
    6. In the Certificate Export Wizard, select Base-64 encoded X.509 (.CER).
    7. Assign a name to the file to complete the export of the certificate into a file.

      AD FS 2.0 rolls the token-signing certificate over automatically by default (the AutoCertificateRollover property, with a new certificate generated shortly before the current one expires). When that happens, Hosted Email Security will reject assertions signed with the new key until you export and upload the new certificate, so note the certificate's expiry date and plan the update.
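The same configuration can be scripted with the AD FS 2.0 PowerShell snap-in, which is useful for reproducing the trust on a second federation server or checking an existing one. The following is an added example written for this page, not code from the original documentation or from the Hosted Email Security vendor. The assertion consumer URL, the relying party identifier and the output path are placeholders to be replaced with the region-specific values from steps 6 and 7; the claim type `email` and the SHA-1 setting are the ones the procedure above specifies.

```powershell
# Added example: build the Hosted Email Security relying party trust in AD FS 2.0
# with PowerShell instead of the wizard. Run in an elevated PowerShell on the
# federation server. Requires the AD FS 2.0 snap-in (installed with AD FS 2.0).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Placeholders (assumptions): substitute the region-specific values from
# steps 6 and 7 of the procedure. The .invalid TLD guarantees this will not
# resolve if left unedited.
$rpName     = 'test'
$acsUrl     = 'https://EXAMPLE.invalid/saml/acs'      # SAML 2.0 SSO service URL
$identifier = 'https://EXAMPLE.invalid/saml/metadata' # relying party identifier
$certOut    = 'C:\Temp\adfs-token-signing.cer'

# Step 5: release the AD mail attribute as the claim type "email" (step 5.3).
# The outgoing claim type must match what is configured on Hosted Email Security.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email address as email claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);
'@

# Wizard default from step 3.8: permit all authenticated users to this RP.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 6: SAML 2.0 WebSSO endpoint. HTTP-POST binding to the assertion consumer.
$endpoint = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

# Step 6 (Advanced tab): the RP expects SHA-1 signatures. This is weaker than the
# AD FS default (rsa-sha256); use it only because the relying party requires it.
$sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Steps 3 and 4: create the trust (no encryption certificate, as in step 3.5).
if (Get-ADFSRelyingPartyTrust -Name $rpName) {
    Remove-ADFSRelyingPartyTrust -TargetName $rpName
}
Add-ADFSRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm $sha1 `
    -ProtocolProfile SAML

# Step 8.1-8.2: the single sign-on URL is the /adfs/ls/ token issuance endpoint.
$ssoEndpoint = Get-ADFSEndpoint | Where-Object { $_.AddressPath -eq '/adfs/ls/' }
Write-Host "SSO URL for Hosted Email Security: $($ssoEndpoint.FullUrl)"

# Step 8.3-8.7: export the primary token-signing certificate as Base-64 X.509.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $certOut -Value $pem -Encoding Ascii
Write-Host "Token-signing certificate exported to $certOut"
Write-Host "  Thumbprint : $($signing.Certificate.Thumbprint)"
Write-Host "  Expires    : $($signing.Certificate.NotAfter)"

# Caveat from step 8: with automatic rollover on, a new signing key appears before
# NotAfter and the file above must be re-exported and re-uploaded at that point.
$props = Get-ADFSProperties
Write-Host "  AutoCertificateRollover: $($props.AutoCertificateRollover)"
```

The script is idempotent for the trust itself (it removes and recreates a trust with the same display name), so it can be re-run after editing the placeholders. Record the thumbprint it prints and compare it with the certificate you upload to Hosted Email Security; if the two differ after a rollover, that is the cause of signature validation failures.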