AD FS Server Configuration

This section describes how to configure Active Directory Federation Service (AD FS) 2.0 and 3.0 as a SAML identity provider (IdP) in order to work with TMWS.

  1. Download the Service Provider metadata.
    1. On the Edit AD Integration Settings screen, click View Service Provider Metadata in the AD FS Service Provider Settings section. For how to enter this screen, see Active Directory Federation Services Authentication.
    2. Save the XML file as iwsspmetadata.xml.
  2. After installing AD FS successfully, go to Start > All Programs > Administrative Tools > AD FS {version} Management.
  3. On the AD FS Management Console, go to AD FS {version} > Trust Relationships, right-click Relying Party Trusts and then choose Add Relying Party Trust.
  4. Provide information for each screen in the Add Relying Party Trust wizard.
    1. From the Select Data Source step, select Import data about the relying party from a file and then browse and select iwsspmetadata.xml.
    2. From the Specify Display Name step, specify your desired name, such as TMWS.
    3. From the Choose Issuance Authorization Rules step, select Permit all users to access this relying party and then click Next.
    4. Continue clicking Next in the wizard and finally click Close.

      The Edit Claim Rules for TMWS window appears.

  5. From the Edit Claim Rules for TMWS window, click Add Rule on the Issuance Transform Rules tab.
  6. Provide information for each screen in the Add Transform Claim Rule wizard.
    1. From the Choose Rule Type step, specify Claim rule template for Send LDAP Attributes as Claims and then click Next.
    2. From the Configure Claim Rule step:
      1. Specify the claim rule name and specify Active Directory for the attribute store.

      2. Select SAM-Account-Name for LDAP Attribute and, for Outgoing Claim Type, type sAMAccountName if it does not exist in the dropdown list.

        Note:

        The value for the Outgoing Claim Type column should be the same as the Logon name attribute field in the AD FS Identity Provider Settings section of AD FS Authentication settings.

      3. Click Finish to add the new rule.

  7. From the Edit Claim Rules for TMWS dialog box, click Add Rule to add another rule with the following settings:
    • Claim rule template: Send Claims Using a Custom Rule

    • Claim rule name: Any desired name, such as "user-defined"

    • Custom rule: Content of the custom rule

      Type the following exactly:

      c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"] => add(store = "_OpaqueIdStore", types = ("http://tmws/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
  8. Click Add Rule to add a third rule with the following settings:
    • Claim rule template: Transform an Incoming Claim

    • Claim rule name: Any desired name, such as "roamer"

    • Incoming claim type: The type specified in the previously added rule

      Type the following exactly:

      http://tmws/internal/sessionid
    • Outgoing claim type: Name ID

    • Outgoing name ID format: Transient Identifier

  9. Click Apply and then click OK.
  10. From AD FS {version} > Trust Relationships > Relying Party Trust, double-click the relying party trust file you created earlier.
  11. From the TMWS Properties dialog box, click the Advanced tab.
  12. For Secure hash algorithm, specify SHA1 or SHA256 and then click OK.
  13. Go to AD FS {version} > Service > Certificates.
  14. Open the certificate under "Token-signing".

    To learn about choosing a token-signing certificate, go to https://technet.microsoft.com/en-us/library/dd145391.aspx.

  15. From the Certificate dialog box, click Copy to File from the Details tab.
  16. Provide information for each screen in the Certificate Export wizard.
    1. From the Export File Format window, select Base-64 encoded X.509 (.CER) and then click Next.

    2. From the File to Export window, locate the desired certificate file and then click Next.

    3. At the "The export was successful" message, click OK to have the token signing certificate saved to the file.

    4. Go to Administration > USERS & AUTHENTICATION > Directory Services, click here to change the authentication method to AD FS, and then click the Edit icon under AD Integration of the corresponding domain.

    5. In the AD FS Service Provider Settings section, select the certificate and then click Upload.

  17. Test your settings.

    See AD FS Authentication Testing.
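The same relying party trust, claim rules, hash algorithm and certificate export that the wizard steps above produce, scripted with the AD FS PowerShell module on the federation server. This is an added example and not part of the TMWS documentation; the trust name, file paths and rule names are assumptions.

```powershell
# Added example (not from the TMWS documentation): creates the relying party trust
# the wizard steps above build, using the AD FS PowerShell module.
# Assumed values: the trust name "TMWS" and the two file paths below.
Import-Module ADFS

$metadata = 'C:\tmws\iwsspmetadata.xml'       # assumed path of the downloaded SP metadata
$certOut  = 'C:\tmws\adfs-token-signing.cer'   # assumed output path for the Base-64 .cer

# Rule 1: Send LDAP Attributes as Claims (SAM-Account-Name). The outgoing claim type
# must equal the Logon name attribute configured in the TMWS AD FS settings.
$ruleLdap = @'
@RuleTemplate = "LdapClaims"
@RuleName = "sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("sAMAccountName"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Rule 2: the custom rule from step 7 (opaque per-session identifier).
$ruleSession = @'
@RuleName = "user-defined"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"] => add(store = "_OpaqueIdStore", types = ("http://tmws/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
'@

# Rule 3: Transform an Incoming Claim into Name ID with the Transient Identifier format (step 8).
$ruleNameId = @'
@RuleTemplate = "MapClaims"
@RuleName = "roamer"
c:[Type == "http://tmws/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Issuance authorization: "Permit all users to access this relying party" (step 4.3).
$ruleAuthz = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name 'TMWS' -MetadataFile $metadata `
    -IssuanceAuthorizationRules $ruleAuthz `
    -IssuanceTransformRules (($ruleLdap, $ruleSession, $ruleNameId) -join "`r`n") `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'   # SHA256 (step 12)

# Export the primary token-signing certificate as Base-64 encoded X.509 for upload to TMWS (steps 13-16).
$ts  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $ts.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $certOut -Value $pem -Encoding Ascii
```

Run it in an elevated PowerShell session on the AD FS server; the exported .cer is the file to upload in the AD FS Service Provider Settings section of TMWS.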

Note:

Send copies of event logs to your support provider if AD FS authentication errors repeatedly occur.

For information about event logs and Event Viewer, see https://technet.microsoft.com/en-us/library/cc766042.aspx.