Configuring the ADFS Server as an Identity Provider

The following tasks describe the minimum configuration required for the ADFS server to act as an identity provider for Access Manager Identity Server:

  • Enabling a Claim Type for a Resource Partner

  • Creating a Resource Partner

For additional configuration options, see Additional WS Federation Configuration Options.

Enabling a Claim Type for a Resource Partner

An ADFS Federation Service can use three types of identity claims: Common Name, E-mail, and User Principal Name. The ADFS step-by-step guide does everything with a User Principal Name, which is an Active Directory convention. A UPN can look like an e-mail address (user@domain), but it is not one. This scenario uses the E-mail claim because it is the more common configuration.

  1. In the Administrative Tools, open the Active Directory Federation Services tool.

  2. Navigate to the Organization Claims by clicking Federation Service > Trust Policy > My Organization > Organization Claims.

  3. Ensure that E-mail is in this list.

  4. Navigate to the Active Directory account store by clicking Federation Service > Trust Policy > My Organization > Account Stores > Active Directory.

  5. Enable the E-mail organization claim for this account store:

    1. Right-click the E-mail claim, then select Properties.

    2. Select Enabled.

    3. On the Settings tab, set LDAP attribute to mail.

      This is the LDAP attribute in Active Directory where the user’s e-mail address is stored; its value is what ADFS places in the E-mail claim.

    4. Click OK.

  6. Verify that the user you are going to use for authentication has an e-mail address in the mail attribute.

      Because this attribute becomes the user’s federated identity at Identity Server, it must be populated and unique across the account store, and only administrators should be able to change it. A user who can edit his or her own mail attribute can be asserted to Identity Server as someone else.

  7. Continue with Creating a Resource Partner.

Creating a Resource Partner

WS Federation requires a two-way trust. The identity provider must be configured to trust the service provider, and the service provider must be configured to trust the identity provider. You have already set up the service provider to trust the identity provider (see Creating a WS Federation Identity Provider). This section sets up the other direction of the trust, so that the identity provider (the ADFS server) trusts the service provider (Identity Server) as a resource partner.

  1. In the Active Directory Federation Services console, access the Resource Partners page by clicking Federation Service > Trust Policy > Partner Organizations > Resource Partners.

  2. Right-click Resource Partners, then click New > Resource Partner.

  3. Supply the following information in the wizard:

    • Do not import a resource partner policy file; you do not have one for Identity Server.

    • For the display name, specify the DNS name of Identity Server.

    • For the Federation Service URI, enter the following:

      https://<DNS_Name>:8443/nidp/wsfed/

      Replace <DNS_Name> with the name of your Identity Server.

      This is the base URL of your Identity Server with the addition of /wsfed/ at the end. Identity Server sends this value as its realm when it requests a token, and ADFS matches it exactly against the resource partner URI, so enter it character for character, including the trailing slash.

    • For the Federation Service endpoint URL, specify the following:

      https://<DNS_Name>:8443/nidp/wsfed/spassertion_consumer

      Replace <DNS_Name> with the name of your Identity Server.

      This is the base URL of your Identity Server with the addition of /wsfed/spassertion_consumer at the end. ADFS returns the signed security token to this URL through the user’s browser.

    • Select Federated Web SSO.

      Identity Server is outside of any Active Directory forest, so do not select Federated Web SSO with Forest Trust.

    • For the identity claim, select E-mail.

    • Select the Pass all E-mail suffixes through unchanged option.

      With this option, ADFS sends whatever suffix appears in the user’s mail attribute to Identity Server. If you want only specific suffixes to be asserted to Identity Server, add those suffixes explicitly instead of passing all of them through.

  4. Enable this resource partner.

  5. Finish the wizard.

  6. To test the configuration, continue with Logging In.
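Before the mail attribute becomes the federated identity (step 6 of Enabling a Claim Type for a Resource Partner, and the Pass all E-mail suffixes through unchanged option above), it is worth auditing it across the whole account store rather than only for the single test user. The following script is an added example, not part of the Access Manager or ADFS documentation: it parses an ldifde-style export of user objects (the embedded sample is constructed, not real directory data) and reports accounts whose mail value is missing, malformed, duplicated, or carries a suffix you did not intend to federate. The list of allowed suffixes is an assumption you supply.

```python
"""Pre-flight audit of the Active Directory mail attribute before it is used
as the WS Federation E-mail identity claim.  Added example; not code from the
Access Manager or ADFS documentation."""

import base64
from collections import Counter

# Constructed sample in the shape ldifde produces; not real directory data.
# Deliberately contains one duplicate pair, one missing value, one base64
# (attr::) value with a foreign suffix, and one malformed value.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Staff,DC=example,DC=com
changetype: add
sAMAccountName: aadams
mail: alice.adams@example.com

dn: CN=Bob Brown,OU=Staff,DC=example,DC=com
changetype: add
sAMAccountName: bbrown
mail: Alice.Adams@example.com

dn: CN=Carol Chen,OU=Staff,DC=example,DC=com
changetype: add
sAMAccountName: cchen

dn: CN=Dan Diaz,OU=Contractors,DC=example,DC=com
changetype: add
sAMAccountName: ddiaz
mail:: ZGFuLmRpYXpAcGFydG5lci5leGFtcGxlLm5ldA==

dn: CN=Eve Evans,OU=Staff,DC=example,DC=com
changetype: add
sAMAccountName: eevans
mail: eve.evans
"""


def parse_ldif(text):
    """Minimal LDIF parser: unfolds continuation lines (leading space),
    decodes base64 values written as 'attr:: value', and splits entries on
    blank lines.  Attribute names are lower-cased; values are kept as lists
    because LDIF attributes may repeat."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # attr:: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_mail_claim(entries, allowed_suffixes):
    """Return (sAMAccountName, problem, mail) tuples for accounts whose mail
    attribute is unfit to serve as the federated identity claim:
      missing           - no value, so ADFS issues no E-mail claim at all
      malformed         - no local part or no '@suffix', nothing to match on
      duplicate         - another account carries the same value
                          (compared case-insensitively, as e-mail is)
      unexpected-suffix - suffix you did not intend to federate; with
                          'pass all suffixes through unchanged' ADFS asserts it
    allowed_suffixes is supplied by the operator (assumption, not a default)."""
    allowed = {s.lower() for s in allowed_suffixes}
    seen = Counter(m.lower() for e in entries for m in e.get("mail", []))
    findings = []
    for e in entries:
        who = e.get("samaccountname", ["<unknown>"])[0]
        mails = e.get("mail", [])
        if not mails:
            findings.append((who, "missing", None))
            continue
        for m in mails:
            local, at, suffix = m.rpartition("@")
            if not at or not local or not suffix:
                findings.append((who, "malformed", m))
                continue
            if seen[m.lower()] > 1:
                findings.append((who, "duplicate", m))
            if suffix.lower() not in allowed:
                findings.append((who, "unexpected-suffix", m))
    return findings


if __name__ == "__main__":
    for who, problem, mail in audit_mail_claim(parse_ldif(SAMPLE_LDIF), ["example.com"]):
        print(f"{who:10} {problem:18} {mail or ''}")
```

To run it against a real account store, export the users first (for example with ldifde -f users.ldf -r "(objectCategory=person)" -l sAMAccountName,mail) and feed that file to parse_ldif instead of the embedded sample. Any duplicate or unexpected-suffix finding should be resolved in Active Directory before the resource partner goes live, because after that point ADFS will assert the value as-is.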