Now that we have our domains in order, our FS installed and our certificates out of the way, let's configure the Federation Services.
STEP 4: FS - Configuring the Federation Servers (Account domain)
To set up the Federation Services in a domain, you need to perform three steps: the trust policy configuration, the group claim, and the account store configuration.
A) Trust policy configuration
1. Open the Active Directory Federation Services and open the Properties of the Trust Policy
2. In the Federation Service URI, type urn:federation: followed by the identifier for this Federation Service. The URI is only a name, not an address; the partner organization has to enter exactly the same string on its side when the federation trust is created, so watch for typos and stray spaces.
3. In the Federation Service endpoint URL, type https:// followed by the FQDN of the federation server and the /adfs/ls/ path. The host name must be the one on the SSL certificate you bound in IIS in Part 2, otherwise the token exchange fails later with a certificate name mismatch.
4. Then enter a display name on the Display Name tab.
B) Creating the group claim for the claims-aware application
1. Open the Active Directory Federation Services and browse to Trust Policy --> My Organization --> Organization Claims and create a new Organization Claim.
2. Enter a name and make sure Group Claim is selected as the claim type.
C) Creating the AD DS account store
1. Open the Active Directory Federation Services and browse to Trust Policy --> My Organization --> Account Stores and create a new Account Store.
2. In the wizard, choose Active Directory Domain Services and make sure the account store is enabled.
3. The Active Directory account store now appears under Account Stores. Right-click it and choose New --> Group Claim Extraction.
4. Add the Active Directory security group whose members should receive the claim, and map it to the organization group claim you created in step B.
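The three steps above are all typed into the ADFS snap-in, and a typo in the URI, a host name that does not match the SSL certificate, or a group that does not exist in the account domain only shows up when the trust is tested in Part 6. The script below is an added pre-flight check that is not part of the original post or of the ADFS product; run it on the account-domain federation server before clicking through the wizard. The URI, endpoint URL and group name at the top are placeholders (assumptions) and must be replaced with your own values.

```powershell
# Added example (not from the original post): pre-flight checks for the values entered
# in steps A and C above, run from the account-domain federation server.
# The three default values are placeholders (assumptions); replace them with your own.
param(
    [string]$FederationServiceUri = 'urn:federation:account.example.com',      # assumed
    [string]$FederationServiceUrl = 'https://fs.account.example.com/adfs/ls/', # assumed
    [string]$GroupName            = 'FS Claims Users'                          # assumed
)

$ok = $true

# A.2 - The Federation Service URI is an identifier, not an address. It only has to be a
# well-formed URN, but the partner must enter exactly the same string, so check for the
# urn:federation: prefix and for embedded whitespace (case-sensitive match).
if ($FederationServiceUri -cnotmatch '^urn:federation:\S+$') {
    Write-Warning "URI '$FederationServiceUri' is not a well-formed urn:federation: identifier"
    $ok = $false
}

# A.3 - The endpoint URL must be HTTPS on the /adfs/ls/ path, and the host name must be
# the one on the SSL certificate bound in IIS (Part 2).
$uri = [Uri]$FederationServiceUrl
if ($uri.Scheme -ne 'https' -or $uri.AbsolutePath -ne '/adfs/ls/') {
    Write-Warning "Endpoint URL should look like https://<fs-server>/adfs/ls/"
    $ok = $false
}

$request = [Net.HttpWebRequest]::Create($uri)
$request.Method = 'HEAD'
try {
    $request.GetResponse().Close()
} catch [Net.WebException] {
    # ProtocolError means the server answered over TLS (any HTTP status is fine here);
    # anything else, including TrustFailure for an untrusted certificate, is a problem.
    if ($_.Exception.Status -ne [Net.WebExceptionStatus]::ProtocolError) {
        Write-Warning "HTTPS request to $($uri) failed: $($_.Exception.Message)"
        $ok = $false
    }
}
$cert = $request.ServicePoint.Certificate
if ($cert) {
    # Compare the subject CN with the host name (SAN entries are not inspected here).
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
    if ($cn -ne $uri.Host) {
        Write-Warning "Certificate CN '$cn' does not match endpoint host '$($uri.Host)'"
        $ok = $false
    }
    $cert2 = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $cert
    if ($cert2.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate on $($uri.Host) expires on $($cert2.NotAfter)"
    }
}

# C.4 - The group named in the Group Claim Extraction must exist in the account domain.
# Escape LDAP filter metacharacters so an odd group name cannot change the query.
$escaped = $GroupName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
$searcher = [ADSISearcher]"(&(objectCategory=group)(cn=$escaped))"
$group = $searcher.FindOne()
if (-not $group) {
    Write-Warning "Security group '$GroupName' was not found in this domain"
    $ok = $false
} else {
    Write-Host "Group found: $($group.Properties['distinguishedname'])"
}

if ($ok) { Write-Host 'Pre-flight checks passed' }
else     { Write-Warning 'Fix the warnings above before creating the federation trust' }
```

Run it once before step A and once more after step C; the URI check is deliberately a plain string check, because the Federation Service URI is never resolved, it is only compared between the two trust policies.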
That's it. Next we do the same for the resource domain; see my next post on this topic.
Federation Services setup posts:
1. Setting up Federation Services (FS) in a Windows 2008 (WS08) environment: Part 1: Overview and installation
2. Setting up Federation Services (FS) in a Windows 2008 (WS08) environment: Part 2: Configure IIS to use SSL on the FS servers
3. Setting up Federation Services (FS) in a Windows 2008 (WS08) environment: Part 3: Configure the FS certificates
5. Setting up Federation Services (FS) in a Windows 2008 (WS08) environment: Part 5: Configuring the FS server in the Resource domain
6. Setting up Federation Services (FS) in a Windows 2008 (WS08) environment: Part 6: Creating the federation trust on both sides
1 comment:
This is a nice series of posts. I am definitely bookmarking this. I work for a Windows hosting company, and our customers are always looking for a way to use their AD credentials in our environment.
-EDP