Configuring AD FS 2.0

Using the Metadata to Add a Relying Party

The metadata import capability of AD FS 2.0 is used to create a relying party. The metadata includes the public key that is used to validate security tokens signed by Access Manager.

  1. In AD FS 2.0, right-click the Relying Party Trusts folder and click Add Relying Party Trust.

  2. Click Start.

  3. On the Select Data Source page, select Import data about the claims provider from a file.

  4. In the Federation metadata file location section, click Browse.

  5. Navigate to the location where you saved nam_metadata.xml earlier, select the file, then click Open > Next.

  6. On the Specify Display Name page, specify NAM Example.

  7. Click Next > Next > Close.

Editing Claim Rules for a Relying Party Trust

The data from AD FS is used in the security token that is sent to Access Manager.

  1. The Edit Claim Rules dialog box must already be open. If not, in the AD FS 2.0 center pane, under Relying Party Trusts, right-click NAM Example, then click Edit Claim Rules.

  2. On the Issuance Transform Rules tab, click Add Rule.

  3. On the Select Rule Template page, leave the Send LDAP Attributes as Claims option selected, then click Next.

  4. On the Configure Claim Rule page, specify Get attributes in the Claim rule name field.

  5. Select Active Directory from the Attribute Store list.

  6. In the Mapping of LDAP attributes section, create the following mappings:

    LDAP Attribute          Outgoing Claim Type
    User-Principal-Name     UPN
    E-Mail-Address          E-Mail Address

  7. Click OK.

  8. Click Apply > OK.

  9. On the Issuance Transform Rules tab, click Add Rule.

  10. On the Select Rule Template page, select Transform an Incoming Claim, then click Next.

  11. On the Configure Claim Rule page, use the following values:

    Name                        Value
    Claim rule name             Mapping To Transient Name Identifier
    Incoming Claim Type         UPN
    Outgoing Claim Type         Name ID
    Outgoing name ID format     Transient Identifier

  12. Select Pass Through All Claims, then click OK.

  13. Click Apply > OK.

Disabling the Certificate Revocation List

For information about signing and encryption certificates, see Using Certificates and Certificate Revocation Lists.

Disabling the CRL Checking Option in Identity Server

  1. Modify the tomcat.conf file.

    For information about how to modify a file, see Modifying Configurations.

  2. Add the following line:

    JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"

Disabling the CRL Checking Option in AD FS 2.0

  1. Click Start > Administrative Tools > Windows PowerShell Modules.

  2. Run the following command in the PowerShell command prompt:

    set-ADFSRelyingPartyTrust -TargetName "NAM Example" -SigningCertificateRevocationCheck None

AD FS 2.0 Encryption Strength

In AD FS 2.0, encryption of the outbound assertions is enabled by default. Assertion encryption occurs for any relying party or service provider for which AD FS 2.0 possesses an encryption certificate. AD FS 2.0 uses 256-bit Advanced Encryption Standard (AES) keys, that is, AES-256, for encryption. In contrast, failing to reconcile these conflicting defaults can result in failed SSO attempts. To resolve this issue, disable the encryption in AD FS 2.0.

  1. In AD FS 2.0, click Start > Administrative Tools > Windows PowerShell Modules.

  2. Run the following command in the PowerShell command prompt:

    set-ADFSRelyingPartyTrust -TargetName "NAM Example" -EncryptClaims $False