Automatic AD FS Configuration

This section describes how to use the PowerShell script to automatically configure Active Directory Federation Services (AD FS) 3.0 as a SAML IdP server in order to work with TMWS.


This script is supported only on Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.

  1. Log on to your AD FS server as an administrator, and copy or download the automatic AD FS configuration package to the server.

    The package contains a PowerShell script adfs.ps1 and a Service Provider Metadata file iwsspmetadata.xml.

  2. Extract the content of the package.

    Always keep both files in the same directory.

  3. Launch Windows PowerShell as an administrator and wait a moment for the PS command prompt to appear.
  4. Navigate to the directory where the script lives.
  5. Run the following command to execute the script: .\adfs.ps1

    After the script is successfully executed,

    • A token-signing certificate is automatically exported to the same directory as the script.

    • A relying party trust file named TrendMicro IWSaaS_<timestamp> is created under AD FS {version} > Trust Relationships > Relying Party Trusts. You can modify the file name as necessary from Properties > Identifiers.

  6. Go back to the Edit AD Integration Settings screen on the TMWS management console, and select the certificate to upload it in the AD FS Identity Provider Settings section.