Step-By-Step video: Set up AD FS with SharePoint Server 2010 for SAML authentication
Useful notes for the steps
Step 1: Configure Active Directory Federation Services
- The Federation Service name is the Internet-facing domain name of your AD FS server. Microsoft Office 365 users are redirected to this domain for authentication, so make sure that you have added a public A record for the name.
- You cannot type the Federation Service name manually. It is determined by the certificate bound to the "Default Web Site" in Internet Information Services (IIS), so bind the new certificate to the default website before you configure AD FS.
- You can use any account as the service account. If the service account's password expires, AD FS stops working, so set the account's password to never expire.
Step 2: Add relying party trust to the SharePoint 2010 web application
- The relying party WS-Federation Passive protocol URL must be in the following format: https://<FQDN>/_trust/ Do not forget to type the slash character (/) after "_trust".
- The relying party trust identifier must start with urn:.
Step 3: Import the AD FS signing certificate to the SharePoint server
AD FS contains three certificates. Make sure that the certificate that you imported is the "Token-signing" certificate.
Step 4: Configure SharePoint to use AD FS as a SAML identity provider
Scripts for configuring SharePoint 2010 with AD FS

# Import the token-signing certificate exported from AD FS in Step 3 and register it as a trusted root authority.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfs.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
# Map the incoming e-mail and role claims to SharePoint claim types of the same name.
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
# The realm must match the relying party trust identifier created in Step 2 (it starts with urn:).
$realm = "urn:lg-sp2010"
# "myadfs.contoso.com" is the AD FS federation service name.
$signingURL = "https://myadfs.contoso.com/adfs/ls"
# Create the trusted identity token issuer; the e-mail claim identifies the user.
$SPT = New-SPTrustedIdentityTokenIssuer -Name "My ADFSv2 SAML Provider" -Description "ADFS for SharePoint" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signingURL -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
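The following check is an added example and is not part of the KB article or its script. It reads the federation metadata that AD FS publishes and confirms that the certificate file from Step 3 is really an AD FS token-signing certificate (not the service communications or token-decrypting one, which is the mistake Step 3 warns about) and that the -SignInUrl used in Step 4 matches the passive endpoint AD FS advertises. The federation service name, certificate path and sign-in URL are assumed from the examples above, and the SharePoint server must trust the AD FS SSL certificate for the download to succeed.

```powershell
# Added verification script (not from the KB article). Assumed values from the steps above:
$federationServiceName = "myadfs.contoso.com"            # federation service name from Step 1
$certFile   = "C:\adfs.cer"                              # certificate exported in Step 3
$signingURL = "https://$federationServiceName/adfs/ls"   # value passed to -SignInUrl in Step 4

$metadataUrl = "https://$federationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (New-Object System.Net.WebClient).DownloadString($metadataUrl)

$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md",  "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds",  "http://www.w3.org/2000/09/xmldsig#")
$ns.AddNamespace("fed", "http://docs.oasis-open.org/wsfed/federation/200706")
$ns.AddNamespace("wsa", "http://www.w3.org/2005/08/addressing")

# 1. Every <KeyDescriptor use="signing"> carries a base64 DER certificate. AD FS publishes its
#    primary token-signing certificate here (plus a secondary one during certificate rollover).
$published = $metadata.SelectNodes("//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
    ForEach-Object {
        $der = [Convert]::FromBase64String($_.InnerText.Trim())
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)).Thumbprint
    } | Select-Object -Unique

$imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certFile
if ($published -contains $imported.Thumbprint) {
    "OK: $certFile ($($imported.Thumbprint)) is a token-signing certificate published by $federationServiceName"
} else {
    "MISMATCH: $certFile ($($imported.Thumbprint)) is not a published signing certificate. Published: $($published -join ', ')"
    "Re-export the certificate listed under Token-signing in the AD FS Management console."
}

# 2. The passive requestor endpoint is where SharePoint sends users to sign in. Compare it with
#    $signingURL ignoring the trailing slash, which AD FS publishes and the KB script omits.
$endpoint = $metadata.SelectSingleNode("//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", $ns)
if ($endpoint -eq $null) {
    "WARNING: no PassiveRequestorEndpoint in the metadata; $metadataUrl may not be an AD FS instance"
} elseif ($endpoint.InnerText.Trim().TrimEnd('/') -eq $signingURL.TrimEnd('/')) {
    "OK: -SignInUrl $signingURL matches the published passive endpoint"
} else {
    "MISMATCH: -SignInUrl is $signingURL but AD FS publishes $($endpoint.InnerText.Trim())"
}
```

Run it on the SharePoint server before executing the Step 4 script; a thumbprint mismatch means the token-signing certificate was not the one exported, and every SAML sign-in would fail signature validation after the trust is created.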
Step 5: Configure user permissions for SAML authentication in SharePoint
- Make sure that the user account has its email address configured in the E-Mail field in Active Directory. Otherwise, SharePoint returns an "Access denied" error.
On the client computer, add the Federation server name to the Local intranet zone in Internet Explorer. After that, NTLM authentication is used when users authenticate to the AD FS server, and they are not prompted to enter their credentials. Administrators can use Group Policy settings to configure the Local intranet zone on client computers that are joined to the domain.
Article ID: 3064450 - Last Review: 07/28/2015 16:59:00 - Revision: 1.0