Prerequisites for Configuring AD FS with SAML 2.0

  • Two servers, one to host AD FS 2.0 and the other to host Access Manager.

  • AD FS 2.0 is deployed.

  • AD FS 2.0 with WIF is deployed.

    The test deployment that was created in the AD FS 2.0 Federation with a Windows Identity Foundation (WIF) application is used as the starting point for this deployment. A single Windows Server 2012 instance (fsweb.contoso.com) is used to host both the AD FS 2.0 federation server and a WIF sample application. It assumes the availability of a Contoso.com domain, in which fsweb.contoso.com is a member server. The same computer can act as the domain controller and federation server in the test deployments.

  • AD FS 2.0 with SharePoint 2010 is deployed.

    The test deployment that was created in Configuring SharePoint 2010 AAM applications with AD FS 2.0 is used as the starting point for this deployment. A single Windows Server 2012 instance (fsweb.contoso.com) is used to host the AD FS 2.0 federation server, and a second Windows Server 2012 instance (SP2010) is used to host the SharePoint 2010 application. It assumes the availability of a Contoso.com domain, in which fsweb.contoso.com is a member server. The same computer can act as the domain controller and federation server in the test deployments.

  • Access Manager is deployed.

    The Access Manager environment in this deployment is hosted by a fictitious company called nam.example.com. Only the Identity Server component of Access Manager is required for this federation. For information about how to install Access Manager, see NetIQ Access Manager Appliance 5.0 Installation and Upgrade Guide.

Environment

  • Access Manager 4.x.x.

  • SUSE Linux Enterprise Server (SLES) 11 SP4 64-bit or a higher version.

IP Connectivity

Ensure that Access Manager (nam.example.com) and AD FS 2.0 (fsweb.contoso.com) systems have IP connectivity between them. The Contoso.com domain controller, if it is running on a separate computer, does not require IP connectivity to the Access Manager system. If the Access Manager firewall is set up, open the ports required for Identity Server to communicate with Administration Console.

For more information about these ports, see Setting Up Firewalls in the NetIQ Access Manager Appliance 5.0 Installation and Upgrade Guide.

For HTTPS communication, Access Manager Identity Server listens on TCP 8443 by default. With the HTTP POST binding the user's browser is redirected to the Identity Server and submits the SAML message to it directly, so every client browser must be able to reach this port, not only the AD FS server. Alternatively, you can make the Identity Server reachable on the standard port 443 by redirecting 443 to 8443 with iptables.
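The iptables redirection mentioned above, as an added example that is not part of the Access Manager documentation. It assumes a Linux host with the iptables nat table, run as root, on which the Identity Server itself listens on 8443; the two port numbers are the page's defaults, everything else (the helper names, the smoke test) is illustrative.

```bash
#!/bin/bash
# Added example: expose the Identity Server on 443 by rewriting the destination
# port to 8443 with iptables NAT, so browsers never need to reach 8443 directly.
# Assumptions: iptables with the nat table, run as root, Identity Server on the
# same host listening on 8443. Port values are the documented defaults.
set -e

PUBLIC_PORT=443
IDP_PORT=8443

# Accept only integer ports in 1..65535 (returns 0 if valid, 1 otherwise).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Render the rule body (everything after the chain name) for FROM -> TO.
# Extra arguments such as "-o lo" are appended so the OUTPUT-chain variant can
# reuse the same helper.
redirect_rule() {
    from=$1; to=$2; shift 2
    rule="-p tcp --dport $from -j REDIRECT --to-ports $to"
    for extra in "$@"; do rule="$rule $extra"; done
    printf '%s\n' "$rule"
}

# Add a rule only if it is not already present (-C checks, -A appends), so the
# script is idempotent and can be re-run after every change.
ensure_redirect() {
    chain=$1; shift
    # shellcheck disable=SC2046  # word-splitting the rendered rule is intended
    if ! iptables -t nat -C "$chain" $(redirect_rule "$@") 2>/dev/null; then
        iptables -t nat -A "$chain" $(redirect_rule "$@")
    fi
}

apply() {
    valid_port "$PUBLIC_PORT" && valid_port "$IDP_PORT" || { echo "bad port" >&2; exit 2; }
    # Packets arriving from the network are rewritten in PREROUTING ...
    ensure_redirect PREROUTING "$PUBLIC_PORT" "$IDP_PORT"
    # ... but locally generated traffic (a test curl on the box itself) never
    # traverses PREROUTING, so repeat the rewrite for loopback in OUTPUT.
    ensure_redirect OUTPUT "$PUBLIC_PORT" "$IDP_PORT" -o lo
    # The filter table sees the packet after NAT, so the INPUT chain must accept
    # dport 8443, not 443. Show what is now in place.
    iptables -t nat -S PREROUTING
    iptables -t nat -S OUTPUT
    # Smoke test: a TLS handshake on 443 should be answered with the Identity
    # Server's certificate.
    echo | openssl s_client -connect "127.0.0.1:$PUBLIC_PORT" 2>/dev/null | openssl x509 -noout -subject
}

# Only touch the firewall when explicitly asked; running or sourcing the file
# without arguments is harmless.
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it as `./idp-redirect.sh apply`. Rules added this way are not persistent across reboots; persist them with the distribution's own firewall mechanism. Two things are easy to overlook: the filter-table INPUT chain has to accept 8443 rather than 443, because filtering happens after the NAT rewrite, and the Identity Server's configured base URL should then name port 443, otherwise the SAML metadata and endpoints it publishes still point AD FS and browsers at 8443.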

For back-channel communication with cluster members, you need to open port 7801. This port is configurable. See Configuring a Cluster with Multiple Identity Servers.

All federation servers (AD FS and Access Manager) need access to a reliable Network Time Protocol (NTP) time source.

Name Resolution

The hosts file on the AD FS 2.0 computer (fsweb.contoso.com) is used to configure name resolution of the partner federation servers and sample applications.

Clock Synchronization

Federation events have a short time to live (TTL): SAML requests and assertions carry issue instants and validity windows, so a clock that is off by more than the permitted skew makes otherwise valid logins fail. To avoid such time-out errors, ensure that both computers synchronize their clocks to the same reliable time source.

NOTE: On SLES 11 SP1 64-bit or a later version, use the command sntp -P no -p pool.ntp.org to synchronize time with an Internet time server. This is a one-shot adjustment; for continuous synchronization, run an NTP daemon against the same source.
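A pre-flight check that exercises the IP Connectivity, Name Resolution and Clock Synchronization prerequisites together, as an added example that is not part of the Access Manager documentation. It is meant to run on the Access Manager host and assumes bash, GNU date, curl and awk (all present on SLES). The partner host name and ports are the page's own; the hosts-file sample is constructed for the example, the skew tolerance MAX_SKEW is an illustrative value rather than a product default, and the helper names are hypothetical.

```bash
#!/bin/bash
# Added example: pre-flight checks for an AD FS <-> Access Manager federation,
# run on the Access Manager (SLES) host. Assumptions: bash, GNU date, curl, awk.
# MAX_SKEW is an illustrative tolerance, not a product setting.
set -e

PARTNER=fsweb.contoso.com   # AD FS federation server (from the page)
PARTNER_PORT=443
MAX_SKEW=60                 # seconds of clock drift tolerated (assumption)

# Constructed sample hosts file, used to sanity-check the parser below.
SAMPLE_HOSTS='127.0.0.1   localhost
# partner federation server (comment lines are ignored)
10.0.0.20   fsweb.contoso.com   fsweb    # trailing comments too
10.0.0.30   sp2010.contoso.com'

# hosts_has_entry NAME < hosts-file
# Succeeds if NAME appears as a host name (field 2 onward, comments stripped)
# on any line of the hosts file read from stdin.
hosts_has_entry() {
    awk -v n="$1" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# skew_seconds A B : absolute difference of two epoch timestamps.
skew_seconds() {
    d=$(( $1 - $2 ))
    echo "${d#-}"
}

# skew_ok A B MAX : succeeds when |A-B| <= MAX.
skew_ok() {
    [ "$(skew_seconds "$1" "$2")" -le "$3" ]
}

# tcp_open HOST PORT : dependency-free connect test via bash's /dev/tcp.
tcp_open() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# remote_epoch HOST PORT : read the partner's clock from the HTTP Date header
# of a HEAD request (-k because lab deployments often use self-signed certs).
remote_epoch() {
    hdr=$(curl -ksI --max-time 5 "https://$1:$2/" | sed -n 's/^[Dd]ate: *//p' | tr -d '\r')
    [ -n "$hdr" ] && date -u -d "$hdr" +%s
}

preflight() {
    # Prove the parser on the constructed sample before trusting it on /etc/hosts.
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_has_entry "$PARTNER"
    hosts_has_entry "$PARTNER" < /etc/hosts \
        || echo "WARN: $PARTNER not in /etc/hosts (fine if DNS resolves it)"
    getent hosts "$PARTNER" >/dev/null \
        || { echo "FAIL: $PARTNER does not resolve"; return 1; }
    tcp_open "$PARTNER" "$PARTNER_PORT" \
        || { echo "FAIL: no TCP path to $PARTNER:$PARTNER_PORT"; return 1; }
    remote=$(remote_epoch "$PARTNER" "$PARTNER_PORT") \
        || { echo "FAIL: could not read the partner's clock"; return 1; }
    local_now=$(date -u +%s)
    skew=$(skew_seconds "$local_now" "$remote")
    if skew_ok "$local_now" "$remote" "$MAX_SKEW"; then
        echo "OK: clock skew ${skew}s is within ${MAX_SKEW}s"
    else
        echo "FAIL: clock skew ${skew}s exceeds ${MAX_SKEW}s; fix NTP on both sides"
        return 1
    fi
}

# Run the live checks only when asked, so the helpers can be sourced or tested offline.
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Run it as `./federation-preflight.sh run`. The Date header is a coarse (one-second) view of the partner's clock and includes the request's round trip, which is good enough to catch the minutes-scale drift that invalidates SAML assertion windows; the same check pointed at nam.example.com from the AD FS side confirms the other direction.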