AD FS Content Map
This Active Directory Federation Services wiki page is intended to act as a content map for all members of the AD FS community. Members of the AD FS product team will occasionally monitor this article and post new links as necessary. We would like to enlist your help in adding useful links to this article in order to make hot AD FS topics and solutions more discoverable to the overall community.
Bookmark this page as: http://aka.ms/adfscontentmap.
Note
Several of the links provided on this page are to community-created content that is external to TechNet Wiki.
The following TOC list can be used to help you quickly jump to the relevant content category that is most applicable to your AD FS documentation needs.
Learn about AD FS 2.0
If you are new to AD FS, we recommend that you review the following announcements, introductory reference links and claims-related details provided in this section to learn more about this technology.
- Active Directory Federation Services v2 Ships! [Video]
- Availability and description of Active Directory Federation Services 2.0
Introduction to AD FS
Overview of AD FS 2.0
- AD FS 2.0 Overview
- AD FS 2.0 SDK Overview
- AD FS 2.0 Technical Overview [Webcast]
- AD FS 2.0 Product Help
- Active Directory Federation Services (ADFS) Wiki Articles
About Claims and Claim Rules
- The Role of Claims
- The Role of Claim Rules
- The Role of the Claim Rule Language
- The Role of the Claims Engine
- The Role of the Claims Pipeline
- Understanding Claim Rule Language in AD FS 2.0
- Using ADFS 2.0 SQL Attribute Store for “advanced” claims
About Claims-Based Identity & Applications
- Claims-Based Identity Overview
- Introduction to Claims-Based Identity and Windows Identity Foundation (WIF) [Video]
- A Guide to Claims-Based Identity and Access Control
- Claims-Based Identity and Access Control Guide
- Centralizing Application Authorization with AD FS 2.0 [Video]
- Understanding Claims-Based Applications: An Overview of AD FS 2.0 and WIF [Video]
Research AD FS 2.0 Solutions
The following links can help you understand how AD FS 2.0 can work together with other technologies and products (both Microsoft and non-Microsoft) to provide single sign-on capabilities that span multiple boundaries and identity platforms. Note that several links in this section will jump you to community-created content that resides on websites external to the TechNet Wiki.
Integration with Microsoft Cloud Products
- ADFS 2.0 Opens Doors to the Cloud
- SSO Across Organizations and the Cloud - AD FS 2.0 Architecture Drilldown [Video]
Office 365
Windows Azure Applications Platform
- WIF and Windows Azure Applications [Video]
- Single Sign-On from Active Directory to a Windows Azure Application Whitepaper
- Security Talk: Windows Azure Applications and Federated Identity Security Using ADFS 2.0 [Video]
Windows Azure AppFabric Access Control Services (ACS)
- ACS and ADFS [Video]
- Access Control Service and AD FS 2.0 Integration [Video]
- How to use AD FS 2.0 to secure WCF and Workflow Services hosted in Windows Server AppFabric
- Windows Azure AppFabric ACS Content Map
Integration with Microsoft On-Premises Products
- Secure Collaboration with Partners using AD FS [Video]
- Using Active Directory Federation Services 2.0 in Identity Solutions
Active Directory Domain Services (AD DS)
- What's New in AD DS: Authentication Mechanism Assurance
- Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide
Active Directory Rights Management Services (AD RMS)
- Using AD FS with AD RMS
- AD RMS and AD FS Considerations
- AD RMS with AD FS Identity Federation Step-by-Step Guide
Exchange Server 2010
Forefront Identity Manager (FIM)
- Microsoft ADFS 2.0 and Forefront Identity Manager 2010
- ADFS 2.0 Attribute Store for Forefront Identity Manager
Forefront UAG
- Forefront UAG and AD FS 2.0 supported scenarios and prerequisites
- Deploying Forefront UAG with AD FS 2.0
- Secure Application Access by using AD FS and UAG [Videos]
Microsoft Dynamics NAV 2013
Microsoft Dynamics CRM 2011
- Introducing Microsoft Dynamics CRM 2011 Claims-based Authentication [Video]
- Microsoft Dynamics CRM 2011 and Claims-based Authentication [ Download | Read Online ]
- Microsoft Dynamics CRM Survival Guide
SharePoint Server 2007 & Windows SharePoint Services 3.0
- Quick Start: Enabling Federation in a SharePoint Application with AD FS 2.0 as the STS
- Overview of Microsoft Federation Extensions for SharePoint 3.0
- AD FS 2.0 Step-by-Step Guide: How to Set Up the AD FS 2.0 VM Lab Environment for Federated Collaboration [ Download | Read Online ]
- AD FS 2.0 Step-by-Step Guide: Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 [ Download | Read Online ]
SharePoint Foundation 2010
- Configure claims authentication (SharePoint Foundation 2010)
- Configure the security token service (SharePoint Foundation 2010)
- Custom claims providers for People Picker (SharePoint Foundation 2010)
SharePoint Server 2010
- Claims Architecture and Scenarios for SharePoint 2010 Developers
- Collaboration Using Office, SharePoint Server 2010, and AD FS 2.0 [Video]
- SharePoint 2010 and Claims-Based Identity Overview
- Planning Considerations for Claims-Based Authentication in SharePoint 2010
- Configuring SharePoint 2010 and ADFS v2 End to End
- Configuring SharePoint 2010 AAM applications with AD FS 2.0
- Upgrading Federated Applications to SharePoint 2010
- AD FS 2.0 Step-by-Step Guide: Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies [ Download ]
Windows Identity Foundation (WIF)
- WIF Content Map
- AD FS 2.0 Step-by-Step Guide: Federation with a WIF Application [ Download | Read Online ]
- AD FS 2.0 Step-by-Step Guide: Identity Delegation with AD FS 2.0 [ Download | Read Online ]
Interoperability with Non-Microsoft Products
- Federated Single Sign-on to Applications Using Interoperable Standards [Video]
- Identity “Mash-up” Federation Demo using Multiple Protocols [Video]
- Federation Identity Interoperability demo with Geneva Server & Sun Open SSO [Video]
- Geneva Interop Whitepapers
Interop Setup Guidance
- Setting up ADFS 2.0 as an IDP for Visma Proceedo
- How to setup a federation with Automatic Data Processing, Inc (ADP) using ADFS 2.0
- A Quick Walkthrough: Setting up AD FS SAML Federation with a Shibboleth SP
- Using AD FS 2.0 for interoperable SAML 2.0-based federated Web Single Sign-On
- SalesForce SSO with ADFS 2.0 – Everything you need to Know
- Implement Jive federation with AD FS 2.0
- Using a Third-Party Proxy as a Replacement to an AD FS 2.0 Federation Server Proxy
- Using F5 Big-IP as a Replacement to an AD FS 2.0 Federation Server Proxy
Interop Test Lab Step-by-Step Guides
- AD FS 2.0 Step-by-Step Guide: Integration with RSA SecurID in the Extranet [ Read Online ]
- AD FS 2.0 Step-by-Step Guide: Federation with IBM Tivoli Federated Identity Manager [ Download | Read Online ]
- AD FS 2.0 Step-by-Step Guide: Federation with Ping Identity PingFederate [ Download | Read Online ]
- AD FS 2.0 Step-by-Step Guide: Federation with Oracle Identity Federation [ Download | Read Online ]
- AD FS 2.0 Step-by-Step Guide: Federation with CA Federation Manager [ Download | Read Online ]
- AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation [ Download | Read Online ]
- AD FS 2.0 Step-by-Step Guide: Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies [ Download ]
Case Studies
- Quest Software: Systems Manager Offers Security-Enhanced, Hosted Solutions with Programming Framework
- Gestone: Startup Successfully Launches with Highly Scalable, Security-Enhanced Cloud Services
- HCL Technologies: IT Firm Delivers Carbon-Data Management in the Cloud, Lowers Barriers for Customers
- Courts of Denmark: Courts Automate Processes for Citizens, Workers with Federated Identity Solution
- Thomson Reuters: Company to Save Months of Development Time with New Programming Framework
- Province of British Columbia: Government Builds Foundation for Agility with Identity Federation Solution
- Safewhere: Company Cuts Costs $150,000, Speeds Development with Programming Framework
Microsoft IT
- How Microsoft IT Designed and Deployed Active Directory Federation Services [Video]
- How ADFS v2 Helps Microsoft IT to Manage Application Access [Video]
- Microsoft MSIT: Enhancing Federation Services for Internal and External Partners
Versioning
You might also find this versioning and installation information useful:
AD FS 2.0:
- It can only be installed as a separate download on Windows Server 2008 and Windows Server 2008 R2.
- It CANNOT be added or configured on Windows Server 2008 or Windows Server 2008 R2 via Server Manager as a server role.
- If you add the AD FS server role via Server Manager on Windows Server 2008, it is NOT AD FS 2.0 that you have just added but an earlier version of AD FS.
AD FS in Windows Server 2012: It can be added and configured as a server role via Server Manager in Windows Server 2012.
AD FS in Windows Server 2012 R2: It can be added and configured as a server role via Server Manager in Windows Server 2012 R2.
Design and Deploy AD FS 2.0
The following links can help you get started with planning and deploying a specific AD FS 2.0 design in your production environment.
Plan and Design
- AD FS 2.0 Design Guide
- AD FS 2.0 Capacity Planning
- AD FS 2.0 Capacity Planning Spreadsheet
- ADFS 2.0 High Availability and High Resiliency Walkthrough
- Planning Federation Server Placement
- Planning Federation Server Proxy Placement
- Planning a Migration to AD FS 2.0
- Planning for Interoperability with AD FS 1.x
- AD FS 2.0 and AD FS 1.x Interoperability
- Best Practices for Secure Planning and Deployment of AD FS 2.0
- AD FS 2.0 Requirements
- AD FS 2.0: Guidance for Selecting and Utilizing a Federation Service Name
- Using a Third-Party Proxy as a Replacement to an AD FS 2.0 Federation Server Proxy
Deploy
- AD FS 2.0 Deployment Guide
- AD FS 2.0 - How to Capture A Log During Installation (AdfsSetup.exe)
- AD FS 2.0 - How to manually run the AD FS 2.0 Initial Configuration
- AD FS 2.0 - How to configure the SPN (servicePrincipalName) for the service account
- AD FS 2.0 - How to perform an unattended installation of an AD FS 2.0 STS or Proxy
- Configuring Active Directory Federation Services 2.0
- Course 50412A: Implementing Active Directory Federation Services 2.0
- ADFS 2.0 - Customizing Forms Based Login Page - Notes from the field
Manage AD FS 2.0
The following links can help you understand how to manage and administer an existing AD FS 2.0 deployment.
- Configuring Advanced Options for AD FS 2.0
- Limiting Access to Office 365 Services Based on the Location of the Client
- Supporting Identity Provider Initiated RelayState
- How to restore IIS and clean up Active Directory when you uninstall Active Directory Federation Services 2.0
- AD FS 2.0 - How to Migrate Your AD FS Configuration Database to SQL Server
- Attribute Store Overview (How to create a custom attribute store)
Certificates
- AD FS 2.0: How To Modify The Duration of AutoCertificateRollover Certificates
- AD FS 2.0 - How to enable and immediately use AutoCertificateRollover
- AD FS 2.0 - How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates
- AD FS 2.0 - How to change the ADFS 2.0 service communications certificate after it expires
Federation Server
- AD FS 2.0 - How to set the Primary Federation Server in a WID Farm
- Verify That a Federation Server Is Operational
Federation Server Proxy
- Using a Third-Party Proxy as a Replacement to an AD FS 2.0 Federation Server Proxy
- AD FS 2.0 Proxy Management
- Verify That a Federation Server Proxy Is Operational
Federation Service
- AD FS 2.0 - How to change the Federation Service Name
- AD FS 2.0 - How to Back Up the Federation Service
- Update the AD FS 2.0 Service Identity Password in a Federation Server Farm
- AD FS 2.0 - How to change the net.TCP Ports for Services and Administration
Monitoring
- Configure performance monitoring for AD FS 2.0
- Announcing Active Directory Federation Services 2.0 Management Pack for Microsoft System Center Operations Manager 2007
- Introduction to the AD FS 2.0 Management Pack
Office 365
PowerShell
- AD FS 2.0 Administration with Windows PowerShell
- AD FS 2.0 Cmdlets in Windows PowerShell
- AD FS 2.0 API PowerShell Overview
- AD FS 2.0: How to Automatically Add the AD FS 2.0 Powershell Snap-in When Launching Powershell
Security
Sign-in / Sign-out
- AD FS 2.0: How to use Fiddler Web Debugger to analyze a WS-Federation passive sign-in
- Sign-In Pages Customization Overview
- How to invoke a WS-Federation sign-out
- AD FS 2.0: How to Consume RelayState to Automate Access to Relying Parties During IDP-Initiated Sign-On
- AD FS 2.0: How to request a specific Name ID format from a Claims Provider (CP) during SAML 2.0 Single-Sign-On (SSO)
Trusts
- AD FS 2.0: How to Migrate Claim Rules Between Trusts
- AD FS 2.0: How to Bulk Add Trust Relationships and Claim Rules for Testing
- AD FS 2.0: How to Utilize a Single Relying Party Trust for Multiple Web Applications that Share the Same Identifier
- AD FS 2.0: How to Restore the Default Acceptance Transform Rules for the Active Directory Claims Provider Trust
Troubleshoot AD FS 2.0
The following links can help you locate the cause of, and resolution to, common problems that may occur in your existing AD FS 2.0 infrastructure.
- AD FS 2.0 Troubleshooting Guide
- Things to check before troubleshooting AD FS 2.0
- Diagnostics in AD FS 2.0
- Fiddler Inspector for Federation Messages
- AD FS 2.0: Claims Are Missing From The Output Claim Set After A User's Name Has Changed
Authentication / Authorization
- Troubleshooting token acceptance problems with AD FS 2.0
- AD FS 2.0: ID4149: The Saml2SecurityToken is rejected because the SAML2:Assertion specifies a OneTimeUse condition
- AD FS 2.0: Error Event 323, "MSIS5009: The impersonation authorization failed" and Event 364, "MSIS3126: Access denied"
- AD FS 2.0: Sign-In Fails and Event 364 is Logged Showing Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7012
Browser Client Errors
- Troubleshooting User-Reported Symptoms for AD FS 2.0
- AD FS 2.0 - "An unexpected error has occurred" error or blank page displayed attempting to log on to SharePoint, Event ID 23 logged
- AD FS 2.0 - Prompted for credentials when you are expecting to be allowed anonymous access
- AD FS 2.0 - Continuously prompted for credentials when using FireFox 3.6.3
- AD FS 2.0 - Continuously prompted for credentials while using Fiddler Web Debugger
- AD FS 2.0 - "Script is disabled. Click Submit to continue."
- AD FS 2.0 - "An unexpected error has occurred" Error or Blank Page Displayed Attempting to Log on to SharePoint, Event ID 23 Logged
Certificates
- Troubleshooting certificate problems with AD FS 2.0
- Troubleshooting certificate management problems with AD FS 2.0
- AD FS 2.0 - "ID4037: The key needed to verify the signature could not be resolved from the following security key identifier"
Federation Server Proxy
- Troubleshooting federation server proxy problems with AD FS 2.0
- AD FS 2.0: Federation Server Proxy Servers Fail to Authenticate Users, Events 248 and 996 Logged
Federation Service
- Troubleshooting federation server farm problems with AD FS 2.0
- AD FS 2.0 - The service fails to start. "The service did not respond to the start or control request in a timely fashion. "
- AD FS 2.0 - Query notification delivery failed because of the following error in service broker: 'The conversation handle "{GUID} is not found.'
- AD FS 2.0 - Browsing to Federation Metadata fails "Unable to download federationmetadata.xml"
- AD FS 2.0 - The Admin event log shows Error 111 with System.ArgumentException: ID4216
- AD FS 2.0 - The AD FS 2.0 Windows Service fails to start - Event 102 and 220 logged
- AD FS 2.0: The Service Fails to Start and Error Events 352, 102, and 220 Describing an OperationalFault Are Logged
ForeFront UAG
- Troubleshooting Forefront UAG Federation Metadata Retrieval Errors
- Troubleshoot Forefront UAG with AD FS 2.0 Activation Errors
- Troubleshooting Forefront UAG with AD FS 2.0 Event Viewer Messages
- Forefront UAG Troubleshooting: Event ID 161: The User Name Claim Type Is Missing from the Security Token
Installation / Setup
- AD FS 2.0 setup fails to install PowerShell feature on Windows Server 2008
- AD FS 2.0: Initial configuration fails during "Creating default claim set" and Event ID 37 is logged in AD FS 2.0 Tracing/Debug
Logging / Tracing
- How to Set up AD FS 2.0 event logging
- How to Enable Debug Logging for Active Directory Federation Services 2.0 (AD FS 2.0)
- How to Configure Debug Tracing for AD FS 2.0
- AD FS 2.0: Event ID 47 is Logged in AD FS 2.0 Tracing/Debug with MSIS1022 and ID6008
- CRM 2011: How to Enable Verbose Windows Identity Foundation (WIF) Tracing for Claims-Based Authentication
Office 365
Trusts
- Troubleshooting trust management problems with AD FS 2.0
- AD FS 2.0: The Admin Event Log Contains Error Event 320. "MSIS1010: Signed SAML message must have Destination URI specified."
- AD FS 2.0: "The request specified an Assertion Consumer Service URL that is not configured on the relying party"
QFEs Related to AD FS 2.0
You can use the following links to find the latest AD FS 2.0 hotfixes or QFEs.
- Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0 [Rollup 3 package also contains fixes from Rollup 2 package]
- Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 [Rollup 2 package also contains fixes from Rollup 1 package]
- Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0
- WIF QFE - AD FS 2.0 does not parse non-string XML attribute values in SAML 2.0 assertions in Windows Server 2008 or in Windows Server 2008 R2
Additional AD FS 2.0 References
Here you will find additional reference links to related developer content, software downloads, and related technologies.
Developer References
- AD FS 2.0 SDK
- AD FS 2.0 SDK Class Library (AD FS 2.0 Object Model)
- WIF SDK [ Download | Read Online ]
- WIF SDK Class Library (WIF Object Model)
Software Downloads
- AD FS 2.0 Software
- AD FS 2.0 Management Pack for Microsoft System Center Operations Manager 2007
- Forefront UAG 2010 SP1 (adds support for AD FS 2.0)
- Microsoft Federation Extensions for SharePoint 3.0 (adds support for AD FS 2.0)
- WIF Software
- WIF Extension for the SAML 2 Protocol (CTP Release)
- Microsoft Office 365 Federation Metadata Update Automation Installation Tool
Related Microsoft Products
- Active Directory Domain Services
- Active Directory Lightweight Directory Services
- Active Directory Rights Management Services
- Active Directory Certificate Services
- Windows PKI
- Windows Identity Foundation (WIF)
- Windows Azure AppFabric ACS
Related Open Standards
- OASIS Standards-SAML and more
- Kantara Initiative (formerly known as the Liberty Alliance)
- Shibboleth - open source for web-based SSO
- Web Service Interoperability and Specifications (WS-*)
- Web Service Interoperability (WS-I) Organization
AD FS 3.0 Resources
With Windows Server 2012 R2, a new version of AD FS arrived. Not all details are fully documented, but there is a lot of new functionality, and there is no direct upgrade path.
- AD FS Overview in Windows Server 2012R2
- Introduction to AlternateLoginID Feature
- AD FS Sign-in Page Customization
- Configuring Device Registration
- Web Application Proxy as a replacement for Federation Server Proxy
Community Resources
The following resources can be useful for obtaining AD FS community support and for keeping up with the latest AD FS content updates and news.
Forums
- Claims-Based Access Forum [archive]
- Active Directory Federation Services Forum
- Directory Services Forum
Blogs
- Claims-Based Identity Blog
- AD FS Documentation Blog
- Identity and Access Management
- Security and Identity in the Cloud
- Kim Cameron Identity Blog
- Mike Jones - self-issued
- Vittorio Bertocci
Feeds
Curah
- AD FS on Curah - AD FS TechNet Content Map - the complete TechNet content map of AD FS starting with AD FS 2.0 and up to AD FS in Windows Server 2012 R2.