Step-By-Step video: Set up AD FS with SharePoint Server 2010 for SAML authentication

The following video shows how to set up Active Directory Federation Services (AD FS) with SharePoint Server 2010 for SAML authentication.


Useful notes for the steps

Step 1: Configure Active Directory Federation Services

  • The Federation Service name is an Internet-facing domain name of your AD FS server. The Microsoft Office 365 user will be redirected to this domain for authentication. Make sure that you have added a public A record for the domain name.
  • You cannot manually type a name for the Federation Service name. This name is determined by the certificate bound to "Default Web Site" in Internet Information Services (IIS). Therefore, you have to bind the new certificate to the default website before you configure AD FS.
  • You can use any account as the service account. If the service account's password expires, AD FS will stop working. So make sure that the password of the account is set so that it never expires.
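The two step 1 notes above (the service name comes from the certificate bound to the default website, and the service account password must not expire) can be checked before the wizard is run. The following is an added example, not part of the KB article: it runs on the AD FS server, reads the HTTPS binding of "Default Web Site" to find the name AD FS will use, and inspects the service account's password settings. The site name is the one the article refers to; the account name svc-adfs is an assumption and should be replaced with your own.

```powershell
# Added example, not from the KB article: pre-flight checks for step 1, run on the
# AD FS server before the configuration wizard. Constructed values: 'Default Web Site'
# is the IIS site the article names; 'svc-adfs' is an assumed service account name.
Import-Module WebAdministration    # IIS 7.x module on Windows Server 2008 R2
Import-Module ActiveDirectory      # RSAT Active Directory module

function Get-FederationServiceNameFromIis {
    # AD FS takes the Federation Service name from the certificate bound to HTTPS on
    # the default website, so read that binding and resolve its certificate.
    param([string]$SiteName = 'Default Web Site')
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding) { throw "No HTTPS binding on '$SiteName'. Bind the certificate first." }
    $thumbprint = $binding.certificateHash
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $cert) { throw "Certificate $thumbprint from the binding is not in LocalMachine\My." }
    # The subject CN is the name AD FS will use; it must resolve publicly (A record)
    $cn = ($cert.Subject -split ',' | Where-Object { $_.Trim() -like 'CN=*' } | Select-Object -First 1).Trim().Substring(3)
    $ipv4 = [System.Net.Dns]::GetHostAddresses($cn) | Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    New-Object PSObject -Property @{
        FederationServiceName = $cn
        Thumbprint            = $thumbprint
        ExpiresOn             = $cert.NotAfter
        ResolvesToA           = [bool]$ipv4   # uses this host's resolver, not proof of a public record
    }
}

function Test-AdfsServiceAccount {
    # The federation service stops when its account password expires, so confirm the
    # account is not already expired and has "password never expires" set.
    param([string]$SamAccountName = 'svc-adfs')
    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, PasswordExpired, PasswordLastSet
    New-Object PSObject -Property @{
        Account              = $u.SamAccountName
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordExpired      = $u.PasswordExpired
        PasswordLastSet      = $u.PasswordLastSet
        Ok                   = ($u.PasswordNeverExpires -and -not $u.PasswordExpired)
    }
}

Get-FederationServiceNameFromIis | Format-List
Test-AdfsServiceAccount | Format-List
```

The ResolvesToA value only proves that the AD FS server itself can resolve the name; confirm the public A record from outside the network as well, because that is where federated users are redirected. Because "password never expires" removes the normal expiry reminder, record the date in PasswordLastSet and rotate the service account password deliberately, updating the AD FS service logon at the same time.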


Step 2: Add relying party trust to the SharePoint 2010 web application

  • The relying party WS-Federation Passive protocol URL must be in the following format:
    https://<FQDN>/_trust/
    Do not forget to type the slash character (/) after "_trust".

  • The relying party trust identifier must start with urn:
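The two formatting rules above are easy to get wrong in the wizard, so the following added example (not part of the KB article) creates the relying party trust from the AD FS 2.0 PowerShell snap-in after validating both rules. The identifier urn:lg-sp2010 is the realm used by the article's step 4 script; the SharePoint host name sp2010.contoso.com is a constructed placeholder, and the claim rules issue the same two claims (emailaddress and role) that the step 4 script maps.

```powershell
# Added example, not from the KB article: create the SharePoint relying party trust
# in AD FS 2.0 after checking the step 2 rules. 'sp2010.contoso.com' is a constructed
# host name; 'urn:lg-sp2010' is the realm the article's step 4 script uses.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Test-RelyingPartySettings {
    param([string]$WSFedEndpoint, [string]$Identifier)
    $problems = @()
    # Rule 1: https://<FQDN>/_trust/ with the trailing slash
    if ($WSFedEndpoint -notmatch '^https://[^/]+/_trust/$') {
        $problems += "WS-Federation passive URL must be https://<FQDN>/_trust/ (trailing slash required): $WSFedEndpoint"
    }
    # Rule 2: identifier must start with urn:
    if ($Identifier -notlike 'urn:*') {
        $problems += "Relying party trust identifier must start with 'urn:': $Identifier"
    }
    return $problems
}

function New-SharePointRelyingPartyTrust {
    param([string]$Name, [string]$WSFedEndpoint, [string]$Identifier)
    $problems = Test-RelyingPartySettings -WSFedEndpoint $WSFedEndpoint -Identifier $Identifier
    if ($problems.Count -gt 0) { throw ($problems -join "`n") }

    # Issuance transform rule: send the AD mail attribute as emailaddress (the
    # SharePoint identifier claim) and the user's group names as role claims.
    $transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail and groups from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@
    # Issuance authorization rule: permit every authenticated user. SharePoint still
    # enforces its own permissions (step 5); narrow this rule to a group if only part
    # of the directory should reach the web application at all.
    $authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
    Add-ADFSRelyingPartyTrust -Name $Name -Identifier $Identifier -WSFedEndpoint $WSFedEndpoint `
        -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authRules
    Get-ADFSRelyingPartyTrust -Name $Name
}

New-SharePointRelyingPartyTrust -Name 'SharePoint 2010' `
    -WSFedEndpoint 'https://sp2010.contoso.com/_trust/' -Identifier 'urn:lg-sp2010'
```

Run it on the AD FS server. A URL such as https://sp2010.contoso.com/_trust (no trailing slash) or an identifier such as lg-sp2010 is rejected before anything is created, which is cheaper to diagnose than a failed sign-in later.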

Step 3: Import the AD FS signing certificate to the SharePoint server

AD FS contains three certificates. Make sure that the certificate that you imported is the "Token-signing" certificate.
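Because AD FS holds three certificates (service communications, token decrypting and token signing), exporting the wrong one leaves SharePoint unable to validate the tokens AD FS issues. The following added example (not part of the KB article) runs on the AD FS 2.0 server and exports only the primary token-signing certificate, public part only, to C:\adfs.cer, the path the article's step 4 script reads. The output path is the only assumption.

```powershell
# Added example, not from the KB article: export the primary AD FS token-signing
# certificate (public key only) to the file the step 4 script loads.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Export-AdfsTokenSigningCertificate {
    param([string]$Path = 'C:\adfs.cer')   # assumed destination path
    # Filter on the certificate type so the service-communications and
    # token-decrypting certificates are never picked up by mistake.
    $signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    if (-not $signing) { throw 'No primary token-signing certificate found.' }
    # DER export of the certificate only; the private key stays on the AD FS server
    $bytes = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    New-Object PSObject -Property @{
        Path       = $Path
        Subject    = $signing.Certificate.Subject
        Thumbprint = $signing.Certificate.Thumbprint
        NotAfter   = $signing.Certificate.NotAfter
    }
}

Export-AdfsTokenSigningCertificate | Format-List

# After copying the file to the SharePoint server, confirm it is the same certificate:
#   (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\adfs.cer')).Thumbprint
```

Keep the thumbprint from the output: comparing it on the SharePoint server after the copy is the check that you imported the token-signing certificate and not one of the other two. Note also that when AD FS rolls over its token-signing certificate, the new public certificate has to be imported into SharePoint again, or sign-ins stop working at that point.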

Step 4: Configure SharePoint to use AD FS as a SAML identity provider

Scripts for configuring SharePoint 2010 with AD FS (run in the SharePoint 2010 Management Shell on the SharePoint server):

# Load the SharePoint snap-in if the script is run from a plain PowerShell console
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Load the AD FS token-signing certificate exported in step 3 and trust it
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfs.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

# Map the incoming AD FS claims to SharePoint claims, keeping the incoming claim types
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# The realm must match the relying party trust identifier configured in AD FS (step 2)
$realm = "urn:lg-sp2010"
# "myadfs.contoso.com" is the ADFS federation service name
$signingURL = "https://myadfs.contoso.com/adfs/ls"

# Register AD FS as a trusted identity provider; e-mail address is the identifier claim
$SPT = New-SPTrustedIdentityTokenIssuer -Name "My ADFSv2 SAML Provider" -Description "ADFS for SharePoint" `
    -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signingURL `
    -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


Step 5: Configure user permissions for SAML authentication in SharePoint

  • You have to make sure that the user account has its email address configured in the E-Mail field in Active Directory. Otherwise, the "Access denied" error will be returned from the SharePoint server.
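Because the step 4 script uses the e-mail address as the identifier claim, a user without an E-Mail value in Active Directory arrives at SharePoint with no identity claim at all, which is the "Access denied" described above. The following added example (not part of the KB article) runs in the SharePoint 2010 Management Shell: it verifies the mail attribute in AD, builds the claims principal exactly as SharePoint will see it after sign-in through the provider created in step 4, and grants that principal a permission level. The web application URL https://sp2010.contoso.com and the OU path are constructed placeholders; the provider name is the one from the step 4 script.

```powershell
# Added example, not from the KB article: step 5 helpers for the SharePoint server.
# Constructed values: 'https://sp2010.contoso.com' (web URL) and the OU in the
# example call; 'My ADFSv2 SAML Provider' is the provider name from step 4.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Grant-SamlUserAccess {
    param([string]$SamAccountName, [string]$WebUrl, [string]$PermissionLevel = 'Read',
          [string]$ProviderName = 'My ADFSv2 SAML Provider')
    $adUser = Get-ADUser -Identity $SamAccountName -Properties mail
    if ([string]::IsNullOrEmpty($adUser.mail)) {
        # No mail value -> AD FS issues no emailaddress claim -> SharePoint cannot
        # match the user to any permission -> "Access denied"
        throw "$SamAccountName has no E-Mail value in Active Directory; set it before granting access."
    }
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $ProviderName
    # Principal keyed on the identifier claim type the step 4 script configured
    $principal = New-SPClaimsPrincipal -ClaimValue $adUser.mail `
        -ClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
        -TrustedIdentityTokenIssuer $issuer
    # Encoded form SharePoint stores, typically i:05.t|<provider name>|<e-mail address>
    $encoded = $principal.ToEncodedString()
    New-SPUser -UserAlias $encoded -Web $WebUrl -PermissionLevel $PermissionLevel | Out-Null
    return $encoded
}

function Find-UsersWithoutMail {
    # Enabled accounts in the OU that would get "Access denied" because mail is empty
    param([string]$SearchBase)
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase -Properties mail |
        Where-Object { [string]::IsNullOrEmpty($_.mail) } |
        Select-Object SamAccountName, DistinguishedName
}

# Example calls (constructed OU and URL)
Find-UsersWithoutMail -SearchBase 'OU=Staff,DC=contoso,DC=com' | Format-Table -AutoSize
Grant-SamlUserAccess -SamAccountName 'jdoe' -WebUrl 'https://sp2010.contoso.com' -PermissionLevel 'Read'
```

The returned encoded string is the value you would otherwise type into the People Picker; comparing it with what the People Picker resolves for the same user is a quick way to confirm that the provider name and identifier claim in SharePoint match what AD FS issues. Running Find-UsersWithoutMail before a rollout surfaces the accounts that will fail in advance instead of one "Access denied" at a time.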

After you add the Federation server name to the local intranet zone in Internet Explorer, NTLM authentication is used when users try to authenticate on the AD FS server. Therefore, they are not prompted to enter their credentials.

Administrators can implement Group Policy settings to configure a Single Sign-On solution on client computers that are joined to the domain.

FAQ
Q: How can I enable Single Sign-On for client computers so that the user will not be prompted for credentials when the user logs in to the SharePoint website?

A: On the client computer, add the Federation server name to the local intranet zone in Internet Explorer. After that, NTLM authentication is used when users try to authenticate on the AD FS server, and they are not prompted to enter their credentials. Administrators can implement Group Policy settings to configure the local intranet zone on client computers that are joined to the domain.

Properties

Article ID: 3064450 - Last Review: 07/28/2015 16:59:00 - Revision: 1.0

Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Foundation, Windows Server 2008 Standard, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Foundation, Windows Server 2008 R2 Standard

  • kbsurveynew kbhowto kbexpertiseinter KB3064450