DC 5.1.0 Configure ADFS on Windows Server 2012 R2
- Magnus Frank
- Morten Boisen
1 Prerequisites:
- Administrative Privileges
- Service Account for ADFS integration
- Certificate for the federation service eg. fs.mydomain.com
- Windows Server 2012 R2
- Server where ADFS is installed must be joined to a domain
- IIS Feature should be present on the server
2 Adding ADFS Feature to Windows
In the Server Manager, select: Manage / Add Roles and Features.
Press Next.
Select Role-based or feature-based installation and press Next.
Press Next.
Select Active Directory Federation Services and press Next.
Press Next.
Press Next.
Press Install.
Press Close.
3 Configuring ADFS Feature
In the Server Manager, select Post-deployment Configuration.
Select Create the first federation server in a federation server farm and press Next.
If current user does not have sufficient rights, press Change and select a administrative User, otherwise just press Next.
Press Import to import Certificate.
Select the certificate pfx file and press Open.
Fill password for pfx file (if any).
Fill Federation Service Display Name, and press Next.
Select Service Account for ADFS service and specify password or create one and press Next.
Select Create a database on this server using Windows Internal Database, and press Next.
Review options and press Next.
Press Configure.
Press Close.
4 Configure Trust Relations
In the Server Manager, select Tools / ADFS Management
Expand Trust Relationships in the tree, right click on Relying Party Trusts and press Add Relying Party Trust…
Press Start.
Select Enter data about the relying party manually and press Next.
Enter Display Name eg; "dam.digizuiteADFS.com" and press Next.
Select ADFS profile and press Next.
Press Next.
Select Enable support for the WS-Federation Passive protocol. Fill Relying party WS-Federation Passive Protocol URL.(It must be https and the URL must end with "/"). Now press Next.
Press Next.
Press Next.
Select Permit all users to access this relying party, and press Next.
Press "Next"
Press Close.
5 Add Claim Rules
Right click on the Relying Trust, and select Edit Claim Rules.
Press Add Rule.
Select Pass Through or Filter an Incomming Claim and press Next.
- Name Claim rule
- Select incoming claim type Name
- Select Pass through all claim values
Important!
Name claim is required, ADFS integration will fail if this is not configured correctly.
Press Finish.
- Repeat Previous steps for the Claim Types;
- E-Mail Address
- Given Name
- Surname
Press Add Rule.
Select Send LDAP Attributes as Claims and press Next.
- Name Claim Rule
- Select Active Directory as Attribute store
- Select Token-Groups as SIDs as LDAP Attribute
- Select Group SID as Outgoing Claim Type
Press Finish.
Press Add Rule.
Select Send LDAP Attributes as Claims and press Next.
- Name Claim Rule
- Select Active Directory as Attribute store
- Select Token-Groups - Qualified by Domain Name as LDAP Attribute
- Select Group as Outgoing Claim Type
Press Finish.
6 Ensure that the SSL Certificates are trusted by Clients.
The certificates used in ADFS needs to be trusted by the client machines.
See: https://technet.microsoft.com/en-us/library/dd807040(v=ws.11).aspx and
7 Obtaining Token signing and token decryption certificates
In order to allow the DAM center to communicate two certificates are needed.
Table of Contents