

SharePoint 2010: Install and Configure ADFS for SharePoint 2010 on Windows Server 8

Active Directory Federation Services (AD FS) 2.0 simplifies access to applications and other systems through an open, interoperable claims-based model. The AD FS 2.0 platform provides a fully redesigned Windows-based Federation Service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols. In this article we are going to install it on Windows Server 8! You can also find my recent article on how to configure AD FS 2.0 on Windows Server 2008 R2

 

You do not actually have to download it, but if you need it, you can get it here: http://www.microsoft.com/en-us/download/details.aspx?id=10909

1 Install and Configure ADFS 2.0 on Server 8

Open the Add Roles and Features Wizard

http://www.gknzcfc.net/style/ADFS8_1.png

 

Select Role based or feature based installation and click Next

http://www.gknzcfc.net/style/ADFS8_2.png

 

Select your server (Domain Controller) and click Next

http://www.gknzcfc.net/style/ADFS8_3.png

 

Select your Role "Active Directory Federation Services"

http://www.gknzcfc.net/style/ADFS8_4.png

 

It will add features to your role, select "Add Features"

http://www.gknzcfc.net/style/ADFS8_5.png

 

Select your Features and click Next

http://www.gknzcfc.net/style/ADFS8_6.png

 

Just click Next

http://www.gknzcfc.net/style/ADFS8_7.png

 

Select Federation Services and the Agent and click Next

http://www.gknzcfc.net/style/ADFS8_9.png

 

Again Next

http://www.gknzcfc.net/style/ADFS8_10.png

 

And click Install

http://www.gknzcfc.net/style/ADFS8_11a.png

 

The wizard will open the AD FS Welcome screen, click AD FS Federation Services Configuration Wizard

http://www.gknzcfc.net/style/ADFS8_12.png

 

Select "Create a new Federation Service"

http://www.gknzcfc.net/style/ADFS8_13.png

 

Create a new server farm

http://www.gknzcfc.net/style/ADFS8_14.png

 

Make sure that your server has a certificate. Select it and click Next

http://www.gknzcfc.net/style/ADFS8_22.png

 

Provide a service account and its password.

http://www.gknzcfc.net/style/ADFS8_23.png

http://www.gknzcfc.net/style/ADFS8_27.png

 

The summary screen. Just click Next

http://www.gknzcfc.net/style/ADFS8_24.png

 

When the installation finishes, close the screen.

http://www.gknzcfc.net/style/ADFS8_26.png

 

Again, when the installation is "ok", you will be returned to the AD FS Welcome screen. Click on "Required: Add a trusted relying party"

http://www.gknzcfc.net/style/ADFS8_28.png

 

Select Start

http://www.gknzcfc.net/style/ADFS8_29.png

 

Choose "Federation data about the relying party manually"

http://www.gknzcfc.net/style/ADFS8_30.png

 

Give it a friendly name; I used "GokMania-Labo Internal Trust" for my exercise.

http://www.gknzcfc.net/style/ADFS8_31.png

 

Choose AD FS profile and click Next

http://www.gknzcfc.net/style/ADFS8_32.png

 

Just click Next.

http://www.gknzcfc.net/style/ADFS8_33.png

 

Choose "Enable support for the WS-Federation Passive protocol" and enter your web application URL with /_trust/ appended.

http://www.gknzcfc.net/style/ADFS8_34.png

 

Provide your URN:

http://www.gknzcfc.net/style/ADFS8_35.png

 

Choose "Permit all users to access this relying party" and click Next

http://www.gknzcfc.net/style/ADFS8_36.png

 

Choose "Close"

http://www.gknzcfc.net/style/ADFS8_37.png

 

Now we are going to edit Claim Rules for our Trust. Click on Add Rule...

http://www.gknzcfc.net/style/ADFS8_38.png

 

Select the LDAP template

http://www.gknzcfc.net/style/ADFS8_39.png

 

And fill the same as shown below.

http://www.gknzcfc.net/style/ADFS8_40.png
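The relying party trust and the LDAP claim rule that the wizard screens above build by hand can also be scripted on the AD FS server. This is an added example, not part of the original article; it reuses the friendly name and URN from this article, and the web application URL https://portail.gokmania.local/_trust/ is an assumption.

```powershell
# Added example (not the article's own script): create the relying party trust from section 1 with AD FS cmdlets.
# The web application URL below is an assumption; the friendly name and URN are the ones used in this article.
Import-Module ADFS -ErrorAction SilentlyContinue   # AD FS cmdlets ship as a module on Windows Server 8 / 2012

$rpName   = "GokMania-Labo Internal Trust"
$rpId     = "urn:portail.gokmania.local:sharepoint"    # the URN entered in the wizard (the realm SharePoint will send)
$trustUrl = "https://portail.gokmania.local/_trust/"   # assumed web application URL + /_trust/ (WS-Federation passive endpoint)

# Claim rule language equivalent of the "Send LDAP Attributes as Claims" template:
# mail -> emailaddress and tokenGroups -> role, the two claims SharePoint maps in section 2.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP attributes to claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $rpId -WSFedEndpoint $trustUrl `
    -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $authzRules

# Check: the trust exists, is enabled, and carries the identifier and passive endpoint SharePoint expects
Get-ADFSRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, WSFedEndpoint, Enabled
```

The Identifier set here must be exactly the realm string used in the SharePoint script in section 2, otherwise AD FS will not recognise the sign-in request.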

 

2 Configure AD FS on SharePoint 2010

Export the token signing certificate from the AD FS server and copy it to the SharePoint server. Let's rename it to GokManiaAdfs.cer:

  • C:\GokManiaAdfs.cer, which is the token signing certificate I copied from my ADFS server

 

Now that I have my certificate, I need to add it to my list of trusted root authorities. I'm going to do that in PowerShell with this script:

 

# Load the token signing certificate exported from AD FS (note: no trailing space inside the path)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\GokManiaAdfs.cer")

# Register it as a trusted root authority so SharePoint accepts tokens signed with it
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

Next I'm going to create the claim mappings that SharePoint is going to use:

 

$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

Next I'm going to create a variable for the realm that I want SharePoint to use. For this scenario I am going to use the realm urn:portail.gokmania.local:sharepoint, the same URN I gave the relying party trust above. Here's the PowerShell to create my realm variable:

 

$realm = "urn:portail.gokmania.local:sharepoint"

Now I'm ready to create my SPTrustedIdentityTokenIssuer. This is where I tie together all of the configuration information so SharePoint knows how to connect to AD FS and work. I'll show the PowerShell here and then explain the important parts:

 

$ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "SharePoint secured by SAML" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://adfs.gokmania.local/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

So now we’ll open up the browser and navigate to Central Administration. Click on the Manage Web Applications link, then click on the web application in the list that’s going to use ADFS to authenticate, then click the Authentication Providers button in the ribbon. Click the link in the dialog that corresponds to the zone in which you are going to use ADFS to authenticate. Scroll down to the Authentication Types section. You can now de-select NTLM, and you should see a new provider called “SAML Provider” in the list of trusted providers.
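Before switching the zone away from NTLM, it is worth checking from the SharePoint side that the trust really matches what was configured in AD FS. This verification script is an added example, not part of the original article; it assumes the names and file path used above.

```powershell
# Added example (not the article's own script): verify the trusted identity token issuer created in section 2.
# Assumes the provider name "SAML Provider" and the certificate path C:\GokManiaAdfs.cer from this article.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "SAML Provider"
$onDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\GokManiaAdfs.cer")

# 1. The certificate SharePoint validates tokens with must be the token signing certificate exported from AD FS.
if ($issuer.SigningCertificate.Thumbprint -ne $onDisk.Thumbprint) {
    throw "Signing certificate mismatch: tokens issued by AD FS will be rejected by SharePoint"
}

# 2. AD FS 2.0 rolls its token signing certificate automatically; SharePoint does not pick up the new one.
#    Warn ahead of expiry so the new certificate can be re-imported before sign-in breaks.
$daysLeft = ($onDisk.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "Token signing certificate expires in $daysLeft days; re-import it after AD FS rollover"
}

# 3. Realm, sign-in URL and identifier claim must match the relying party trust on the AD FS side.
"Realm:      {0}" -f $issuer.DefaultProviderRealm   # expected: urn:portail.gokmania.local:sharepoint
"SignInUrl:  {0}" -f $issuer.ProviderUri            # expected: https://adfs.gokmania.local/adfs/ls
"Identifier: {0}" -f $issuer.IdentifierClaim        # expected: the emailaddress claim type

# 4. The claim mappings: each incoming claim type and what SharePoint maps it to.
$issuer.ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, MappedClaimType |
    Format-Table -AutoSize
```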