Active Directory Federation Service (ADFS) Configuration
Skip this section if the Windows Server has already been configured for Active Directory Federation Services.
ADFS should be configured on the customer's side.
To configure Active Directory Federation Services, follow these instructions:
Open the “Add Roles and Features” wizard in Windows Server and add the “Active Directory Federation Services” role.
Click “Configure the federation service on this server”.
On the “Welcome” page of the “Active Directory Federation Services Configuration” wizard, select the “And” option for “Federation Server”, and then click the Next button.
Proceed through the wizard. On the “Specify Service Properties” page, select your SSL certificate, enter a Federation Service Name, and then enter a Federation Service Display name. These names may be arbitrary.
Complete the “Active Directory Federation Services Configuration Wizard”. Close the “Add Roles and Features Wizard”.
If you have not created a DNS host record yet, register the Federation Service name you specified in Step 4 in the Domain Name System.
To verify the AD FS installation, do the following:
Open Internet Explorer on the ADFS server.
Browse to the URL of the Federation metadata.
Turn on Compatibility View in Internet Explorer (if necessary).
Verify that no certificate-related warnings appear. If they do, check the certificate and DNS settings.
Trusted Relying Parties Creation
This step is required to set up the trust relationship between ADFS and the FORM application.
Please complete the following steps:
Open the ADFS 2.0 management console on the Federation Server.
a. Select the Trust Relationships option. Click “Relying Party Trusts” and select the Add Relying Party Trust option.
b. Use the following settings:
i. Select the “Enter data about the relying party manually” data source option.
ii. Specify a Display name. Note that an arbitrary name can be used.
iii. Select the ADFS 2.0 profile.
iv. Skip the “Configure certificate” step and do not select a certificate.
v. Enable SAML 2.0 WebSSO protocol support. For the Relying party SAML 2.0 SSO Service URL use the following: https://yourdomainname.com/Member/UserAccount/SAML2.action
vi. Relying party trust identifiers: add the Service Provider identifier. An arbitrary name may also be used. Note that this name must be sent to WorldAPP in order to configure the FORM installation. The Service Provider name is the SAML2_SP_NAME configuration parameter (see below).
vii. In “Choose Issuance Authorization Rules”, select “Permit all users to access this relying party”.
viii. Review the settings.
ix. On the “Finish” step, tick the “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” checkbox.
The “Edit Claim Rules” dialog will open. Go to the “Issuance Transform Rules” tab and click “Add Rule”.
Use the settings below in the “Add Transform Claim Rule” wizard:
a. For “Select Rule Template”, select “Send LDAP Attributes as Claims”.
b. On the “Configure Rule” step:
i. Enter a Claim Rule Name.
ii. For “Attribute Store”, select “Active Directory”.
iii. Add the following mapping: LDAP Attribute: User Principal Name > Outgoing Claim Type: Name ID.
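The same relying party trust and claim rules, scripted with the AD FS PowerShell cmdlets instead of the management console, as an added example that is not part of this guide or of WorldAPP's own tooling. The federation service name, the SP identifier and the display name are assumed placeholders; PowerShell 3.0 or later is assumed for Invoke-WebRequest.

```powershell
# Assumed placeholders, replace with your own values.
$fsName = "adfs.example.com"                   # Federation Service name registered in DNS
$spName = "urn:worldapp:form:example"          # Service Provider identifier sent to WorldAPP (SAML2_SP_NAME)
$acsUrl = "https://yourdomainname.com/Member/UserAccount/SAML2.action"

Import-Module ADFS   # on AD FS 2.0 use: Add-PSSnapin Microsoft.Adfs.PowerShell

# Step v: the relying party's SAML 2.0 WebSSO endpoint (HTTP-POST binding).
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

# Step vii: issuance authorization rule equivalent to "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Transform rule from the "Send LDAP Attributes as Claims" template:
# LDAP attribute userPrincipalName -> outgoing claim type Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Steps ii, iv and vi: display name, SP identifier, and no encryption certificate.
Add-AdfsRelyingPartyTrust -Name "WorldAPP FORM" `
    -Identifier $spName `
    -SamlEndpoint $samlEndpoint `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Verification, the equivalent of the Internet Explorer check: fetch the federation
# metadata over HTTPS at the standard AD FS path. A certificate or DNS problem
# surfaces here as a failed request rather than a browser warning.
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $resp.Content
"Federation metadata entityID: " + $metadata.EntityDescriptor.entityID
```

Run it as a member of the AD FS administrators group on the Federation Server; the entityID printed at the end should match the Federation Service name you registered in DNS.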