ADFS 3.0 Configuration for SSO

This document assumes that the ADFS 3.0 software component is properly configured in the Active Directory domain.

Exchange XML Metadata Files

1. Locate your ADFS XML metadata. This information can be found at this address: https://[SERVER_FQDN]/FederationMetadata/2007-06/FederationMetadata.xml
2. Download the XML file, or copy and paste the text into a text document, and send this to MIE.
3. MIE will send back an XML metadata file. Save this file on the ADFS server and be sure the file extension is XML.

Add Relying Party Trust

1. On the ADFS server, open the Server Manager.

2. Click Tools, and select AD FS Management

   

3. In the AD FS Management MMC, expand AD FS and Trust Relationships.

4. Click on Add Relying Party Trust in the right pane (or from the context [right-click] menu on the folder tree).

   

5. Click Start.

   

6. Select Import data about the relying party from a file.

7. Browse to and select the XML document that was provided by MIE.

8. Click Next.

   

9. Give the Relying Party a proper name and description, and then click Next.

10. Leave this set to I do not want to configure multi-factor authentication settings…

11. Click Next.

    

12. Leave this set to Permit all users to access this relying party, and then click Next.

    

13. Click Next - Do not change any settings on this page.

    

Edit Claim Rules

1. In the AD FS MMC, expand the Trust Relationships and click on Relying Parties Trusts.

2. Right-click the new Relying Party that was just created, and select Edit Claim Rules…

   

3. Click Add Rule…

4. Select Send LDAP Attributes as Claims from the dropdown list.

5. Click Next.

   

6. In the Claim rule name field enter Get LDAP Attributes.

7. For the Attribute store field, select Active Directory from the drop down list.

8. In the mapping table, select E-Mail-Addresses from the dropdown list under LDAP Attribute (Select type…).

9. Select E-Mail Address from the dropdown list under the Outgoing Claim Type…

10. Click Finish.

    

11. Click Add Rule…, again.

12. Select Transform an Incoming Claim from the Claim rule template dropdown list.

13. Click Next.

    

14. Name the Claim rule Email to Name ID.

15. Select E-Mail Address from the Incoming claim type dropdown list.

16. Select Name ID from the Outgoing claim type dropdown list.

17. Select Email from the Outgoing name ID format dropdown list.

18. Click Finish.

    

19. Click OK.

    

Set Relying Partying SAML Logout Endpoint & Secure Hash Algorithm

1. In the AD FS MMC, expand the Trust Relationships and click on Relying Parties Trusts.

2. Double-click the new Relying Party Trust (or right-click and select Properties).

3. Click the Endpoints tab.

4. Click Add SAML…

5. Select SAML Logout from the Endpoint type dropdown menu.

6. Make sure that POST is selected from the Binding drop down menu.

7. Enter the ADFS server sign-out URL in the Trusted URL field. The default URL is: https://[SERVER_FQDN]/adfs/ls/?wa=wsignout1.0

8. Click OK to close the Add an Endpoint window.

   

Configure AD Access Groups (Optional)

1. In the AD FS MMC, expand the Trust Relationships and click on Relying Parties Trusts.

2. Right-click the new Relying Party just created, and select Edit Claim Rules…

3. Click the Issuance Authorization Rule tab.

4. Click Add Rule…

   

5. Select Permit or Deny Users Based on Incoming Claim from the dropdown list.

   

6. Enter a claim rule name.

7. Select the appropriate criteria from the Incoming claim type drop down list. In this example, we are basing it on AD group.

   

Restart the ADFS Service

1. On your ADFS server, open the Server Manager.

2. Click Tools, and select Services.

   

3. Right-click the Active Directory Federation Services service.

4. Click Restart.

   

Customize ADFS User Sign-in Page (Optional)

Options for changing the way your user sign-in page looks and behaves can be found here:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-user-sign-in-customization