This article describes how an organization can set up SSO on ADFS using the SAML2 protocol by adding a new relying party trust to the Federation Service.
Prerequisites
Manual Setup
If you wish to create the Relying Party Trust manually with the ADFS Management console, perform the procedure here on a federation server, using the Templafy metadata from the table below.
Using PowerShell
The Add-AdfsRelyingPartyTrust cmdlet adds a new relying party trust to the Federation Service. You can specify a relying party trust manually, or you can provide a federation metadata document to bootstrap initial configuration. Templafy metadata can be found below.
Add-ADFSRelyingPartyTrust -Name "Templafy" -MetadataURL "Paste Metadata URL from the below table"
Templafy Metadata
- Once the relying party has been set up, provide the metadata.xml file to your Templafy Implementation Partner.
ADFS Claim Setup
The following will send all ADFS-supported claims to Templafy, including all Membership Groups.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = (
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone",
        "http://schemas.templafy.com/2016/06/identity/claims/department",
        "http://schemas.templafy.com/2016/06/identity/claims/city",
        "http://schemas.templafy.com/2016/06/identity/claims/jobtitle",
        "http://schemas.templafy.com/2016/06/identity/claims/facsimilenumber",
        "http://schemas.templafy.com/2016/06/identity/claims/phonenumber",
        "http://schemas.templafy.com/2016/06/identity/claims/displayname",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
    query = ";mail,userPrincipalName,mail,givenName,sn,postalCode,st,co,mobile,department,l,title,facsimileTelephoneNumber,telephoneNumber,displayname,tokenGroups;{0}",
    param = c.Value);
- Additional custom claims may also be configured within the SAML2 protocol.
Note: Review the snippet to ensure the claim types are listed in the same order as the LDAP attributes in the query (the first type maps to the first attribute, and so on) and that the attributes match those populated in your ADFS.
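The PowerShell setup and the claim rule above, combined into one script with a post-creation check, as an added example that is not Templafy's or Microsoft's own code. It assumes the Templafy metadata URL from the table (placeholder below), that the claim rule above has been saved to C:\Templafy\claims.txt (assumed path), and that SHA-256 token signing is the desired hash algorithm.

```powershell
# Added example (not from the original article). Placeholders must be replaced.
$RpName      = "Templafy"
$MetadataUrl = "https://PASTE-METADATA-URL-FROM-THE-TEMPLAFY-TABLE"   # placeholder
$RulesFile   = "C:\Templafy\claims.txt"                               # assumed path holding the claim rule above

# Issuance authorization: permit every authenticated user. To restrict who can
# reach Templafy, replace this with a rule that tests a group SID claim instead.
$AuthzRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Create the trust from metadata and pin the settings the screenshots cover:
# SHA-256 token signing (assumed), metadata monitoring with auto-update.
Add-AdfsRelyingPartyTrust -Name $RpName -MetadataUrl $MetadataUrl `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRulesFile $RulesFile `
    -IssuanceAuthorizationRules $AuthzRules

# Read back what ADFS actually stored (identifiers, endpoints, encryption,
# signature algorithm, rules) instead of trusting that the import succeeded.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$checks = [ordered]@{
    "Trust enabled"           = $rp.Enabled
    "Identifier present"      = $rp.Identifier.Count -gt 0
    "SAML endpoint present"   = $rp.SamlEndpoints.Count -gt 0
    "SHA-256 signature"       = $rp.SignatureAlgorithm -eq "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    "Encryption cert present" = $null -ne $rp.EncryptionCertificate
    "Metadata monitoring on"  = $rp.MonitoringEnabled
    "Transform rules loaded"  = $rp.IssuanceTransformRules -match "tokenGroups"
}
foreach ($c in $checks.GetEnumerator()) {
    "{0,-24} {1}" -f $c.Key, $(if ($c.Value) { "OK" } else { "REVIEW" })
}

# Export this federation server's own metadata (the metadata.xml the article
# says to hand to the Templafy Implementation Partner).
$fsHost = (Get-AdfsProperties).HostName
Invoke-WebRequest -Uri "https://$fsHost/FederationMetadata/2007-06/FederationMetadata.xml" -OutFile ".\metadata.xml"
```

Any line reporting REVIEW points at the same tab in the ADFS Management console that the corresponding screenshot below shows; the tokenGroups check only confirms the rule loaded, not that every attribute is populated for your users.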
ADFS Example Settings - Windows Server 2012 R2
Below are example settings from a Windows Server 2012 R2 deployment with Templafy configured as a Relying Party Trust.
- Federation Service properties
- Trust Relationships - Monitoring
Note: If your ADFS server does not support TLS 1.2, you won't be able to test the URL.
- Trust Relationships - Identifiers
- Trust Relationships - Encryption
- Trust Relationships - Signature
- Trust Relationships - Endpoints
- Trust Relationships - Advanced / Hash algorithm
- Trust Relationships - Claim Rules
- Trust Relationships - Basic Claim Rules (LDAP attribute)
- Trust Relationships - Custom Claim Rules (Custom Rule Language)
- Trust Relationships - Issuance Authorization Rules
Error: "401: Server Error" or Login Screen Popup
If you see one of the below images, the ADFS connection between your organization and Templafy is configured incorrectly.
Solution
Add "https://sts.yourdomain.com" as a Trusted Local Intranet site in Internet Options on the local machines that are experiencing the issue.
To add via GPO:
- Open Group Policy Editor.
- Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.
- Open Site to Zone Assignment List.
- Change the setting to Enabled.
- Click Show.
- Add "https://sts.yourdomain.com" or "https://*.yourdomain.com" and set Value to 1.
- Click Ok.