SharePoint 2010: Install and Configure ADFS for SharePoint 2010 on Windows Server 8
Active Directory Federation Services (AD FS) 2.0 helps simplify access to applications and other systems with an open and interoperable claims-based model. The AD FS 2.0 platform provides a fully redesigned Windows-based Federation Service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols. In this article we are going to install it on Windows Server 8! You can find my recent article, how you configure AD FS 2.0 on Windows Server 2008 R2
Download Link
Actually you don't have to download it, but if you need you can download it here: http://www.microsoft.com/en-us/download/details.aspx?id=10909
1 Install and Configure ADFS 2.0 on Server 8
Open the Add Roles and Features Wizard
http://www.gknzcfc.net/style/ADFS8_1.png
Select Role based or feature based installation and click Next
http://www.gknzcfc.net/style/ADFS8_2.png
Select your Server ( Domain Controller ) and click Next
http://www.gknzcfc.net/style/ADFS8_3.png
Select your Role "Active Directory Federation Services"
http://www.gknzcfc.net/style/ADFS8_4.png
It will add features to your role, select "Add Features"
http://www.gknzcfc.net/style/ADFS8_5.png
Select your Features and click Next
http://www.gknzcfc.net/style/ADFS8_6.png
Just click Next
http://www.gknzcfc.net/style/ADFS8_7.png
Select Federation Services and the Agent and click Next
http://www.gknzcfc.net/style/ADFS8_9.png
Again Next
http://www.gknzcfc.net/style/ADFS8_10.png
And click Install
http://www.gknzcfc.net/style/ADFS8_11a.png
The wizard will open the AD FS Welcome screen, click AD FS Federation Services Configuration Wizard
http://www.gknzcfc.net/style/ADFS8_12.png
Select "Create a new Federation Service"
http://www.gknzcfc.net/style/ADFS8_13.png
Create a new server farm
http://www.gknzcfc.net/style/ADFS8_14.png
Be sure, that your server has a certificate. Select it, and click Next
http://www.gknzcfc.net/style/ADFS8_22.png
Provide a Service Account and give the Password.
http://www.gknzcfc.net/style/ADFS8_23.pnghttp://www.gknzcfc.net/style/ADFS8_27.png
The summary screen. Just click Next
http://www.gknzcfc.net/style/ADFS8_24.png
Whe installation finish, close your screen.
http://www.gknzcfc.net/style/ADFS8_26.png
Again when the installation is "ok", you will be returned on the AD FS Welcome screen. Click on "Required: Add a trusted relaying party"
http://www.gknzcfc.net/style/ADFS8_28.png
Select Start
http://www.gknzcfc.net/style/ADFS8_29.png
Choose "Federation data about the relying party manually"
http://www.gknzcfc.net/style/ADFS8_30.png
Give a friendly name " GokMania-Labo Internal Trust " as my exercice.
http://www.gknzcfc.net/style/ADFS8_31.png
Choose AD FS profile and click Next
http://www.gknzcfc.net/style/ADFS8_32.png
Just click Next.
http://www.gknzcfc.net/style/ADFS8_33.png
Choose "Enable support WS-Federation Passive protocol" and give your Web Application with /_trust/ behind.
http://www.gknzcfc.net/style/ADFS8_34.png
Provide your URN:
http://www.gknzcfc.net/style/ADFS8_35.png
Choose "Permit all users to access this relying party" and click Next
http://www.gknzcfc.net/style/ADFS8_36.png
Choose "Close"
http://www.gknzcfc.net/style/ADFS8_37.png
Now we are going to edit Claim Rules for our Trust. Click on Add Rule...
http://www.gknzcfc.net/style/ADFS8_38.png
Select your template LDAP
http://www.gknzcfc.net/style/ADFS8_39.png
And fill the same as shown below.
http://www.gknzcfc.net/style/ADFS8_40.png
2 Configure AD FS on SharePoint 2010.
Create a new certificate from AD FS Server and copy it on the SharePoint Server. Lets rename it on GokManiaAdfs.cer:
- C:\GokManiaAdfs.cer, which is the token signing certificate I copied from my ADFS server
Now that I have my certificate, I need to add them to my list of trusted root authorities. I’m going to do that in PowerShell with this script:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\GokManiaAdfs.cer ") New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert |
Next I’m going to create the claim mappings that SharePoint is going to use
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming |
Next I’m going to create a variable for the realm that I want SharePoint to use. For this scenario I said I was going to use the realm urn:seo:sharepoint. Here’s the PowerShell to create my realm variable:
| $realm = "urn:portail.gokmania.local:sharepoint" |
Now I’m ready to create my SPTrustedIdentityTokenIssuer. This is where I tie together all of the configuration information so SharePoint knows how to connect and work. I’ll show the PowerShell here and then explain the important parts:
| $ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "SharePoint secured by SAML" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://adfs.gokmania.local/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" |
So now we’ll open up the browser and navigate to Central Administration. Click on the Manage Web Applications link, then click on the web application in the list that’s going to use ADFS to authenticate, then click the Authentication Providers button in the ribbon. Click the link in the dialog that corresponds to the zone in which you are going to use ADFS to authenticate. Scroll down to the Authentication Types section. You can now de-select NTLM, and you should see a new provider called “SAML Provider” in the list of trusted providers.