This section describes how to configure Active Directory Federation Services (AD FS) 2.0 and 3.0 as a SAML identity provider (IdP) for use with TMWS.
The Edit Claim Rules for TMWS window appears.
Specify a claim rule name and select Active Directory as the attribute store.
For LDAP Attribute, select SAM-Account-Name. For Outgoing Claim Type, select sAMAccountName, or type it if it does not exist in the dropdown list.
The value in the Outgoing Claim Type column must match the Logon name attribute field in the AD FS Identity Provider Settings section of the AD FS Authentication settings.
Click Finish to add the new rule.
Claim rule template: Send Claims Using a Custom Rule
Claim rule name: Any desired name, such as "user-defined"
Custom rule: Content of the custom rule
Type the following exactly:
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"] => add(store = "_OpaqueIdStore", types = ("http://tmws/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
Claim rule template: Transform an Incoming Claim
Claim rule name: Any desired name, such as "roamer"
Incoming claim type: The type specified in the previously added rule
Type the following exactly:
http://tmws/internal/sessionid
Outgoing claim type: Name ID
Outgoing name ID format: Transient Identifier
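The three rules above can also be applied from PowerShell instead of the claim rule wizard. The following script is an added example, not part of the TMWS documentation or Trend Micro's tooling; it assumes the relying party trust for TMWS is named "TMWS" (adjust to your display name) and that "sAMAccountName" is the Logon name attribute configured on the TMWS side. The custom rule text is the one given above; the other two rules are the claim rule language the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates generate.

```powershell
# Added example: apply the TMWS claim rules with the AD FS cmdlets.
# AD FS 3.0 loads the ADFS module on demand; on AD FS 2.0 load the snap-in first:
# Add-PSSnapin Microsoft.Adfs.PowerShell

$rpName = "TMWS"   # assumed display name of the relying party trust

# Rule 1: Send LDAP Attributes as Claims (SAM-Account-Name -> sAMAccountName).
# This claim, not the Name ID, is what identifies the user to TMWS.
$rule1 = @'
@RuleTemplate = "LdapClaims"
@RuleName = "sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("sAMAccountName"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Rule 2: Send Claims Using a Custom Rule (text from the documentation, verbatim).
# "add" only places the session id in the pipeline; it is not issued to TMWS directly.
$rule2 = @'
@RuleName = "user-defined"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("http://tmws/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
'@

# Rule 3: Transform an Incoming Claim (session id -> Name ID, Transient Identifier).
# A transient Name ID changes every session, so nothing persistent leaks through it.
$rule3 = @'
@RuleTemplate = "MapClaims"
@RuleName = "roamer"
c:[Type == "http://tmws/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Order matters: rule 3 consumes the claim that rule 2 adds, so it must run after it.
$rules = ($rule1, $rule2, $rule3) -join "`r`n"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Check: read the rule set back and confirm each rule survived the update.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
foreach ($needle in "sAMAccountName", "_OpaqueIdStore", "nameid-format:transient") {
    if ($applied -notmatch [regex]::Escape($needle)) {
        Write-Warning "Rule containing '$needle' is missing from $rpName"
    }
}
```

Set-AdfsRelyingPartyTrust -IssuanceTransformRules replaces the whole rule set, so any rules the trust already had must be included in the joined string or they are dropped. Issuance authorization rules (who may obtain a token at all) are a separate setting and are not touched here.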
To learn about choosing a token-signing certificate, go to https://technet.microsoft.com/en-us/library/dd145391.aspx.
From the Export File Format window, select Base-64 encoded X.509 (.CER) and then click Next.
From the File to Export window, specify the file name and location for the exported certificate and then click Next.
When the "The export was successful" message appears, click OK. The token-signing certificate is saved to the file.
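The same Base-64 encoded X.509 (.CER) file can be produced without the Certificate Export Wizard. The script below is an added example, not part of the TMWS documentation; it assumes it runs on the AD FS server and the output path is hypothetical. It exports only the primary token-signing certificate, verifies the written file by thumbprint, and records the expiry and rollover setting a practitioner needs, because TMWS must be given the new certificate whenever AD FS rolls it over.

```powershell
# Added example: export the primary AD FS token-signing certificate as Base-64 X.509.
# AD FS 3.0 loads the ADFS module on demand; on AD FS 2.0 load the snap-in first:
# Add-PSSnapin Microsoft.Adfs.PowerShell

$outFile = "C:\Temp\adfs-token-signing.cer"   # assumed output path

# Only the primary certificate signs assertions now; a secondary one may already
# exist while a rollover is pending, and uploading that one would break logons.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert = $primary.Certificate

# "Base-64 encoded X.509" is the DER bytes wrapped in PEM armor.
$b64 = [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Check: re-parse the file and compare thumbprints, so TMWS receives exactly the key in use.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)
if ($reloaded.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported file does not match the primary token-signing certificate"
}

# Caveat: with AutoCertificateRollover enabled, AD FS generates a new token-signing
# certificate before the current one expires. After the rollover, assertions are signed
# with the new key and TMWS rejects them until the new .CER is uploaded.
[pscustomobject]@{
    Thumbprint   = $cert.Thumbprint
    NotAfter     = $cert.NotAfter
    AutoRollover = (Get-AdfsProperties).AutoCertificateRollover
    File         = $outFile
}
```

Schedule the re-export and TMWS upload ahead of the NotAfter date shown, or disable automatic rollover and manage the certificate deliberately; either way the file uploaded to TMWS must always be the primary token-signing certificate.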
Go to Administration > USERS & AUTHENTICATION > Directory Services, click the link to change the authentication method to AD FS, and then click the Edit icon under AD Integration for the corresponding domain.
In the AD FS Service Provider Settings section, select the exported certificate file and then click Upload.
If AD FS authentication errors occur repeatedly, send copies of the AD FS event logs to your support provider.
For information about event logs and Event Viewer, see https://technet.microsoft.com/en-us/library/cc766042.aspx.