Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Step-By-Step video: Set up AD FS with SharePoint Server 2010 for SAML authentication



The following video shows how to set up Active Directory Federation Services (AD FS) with SharePoint Server 2010 for SAML authentication.




Useful notes for the steps

Step 1: Configure Active Directory Federation Services

  • The Federation Services name is an Internet-facing domain name of your AD FS server. The Microsoft Office 365 user will be redirected to this domain for authentication. Make sure that you added a public A record for the domain name.
  • You cannot manually type a name for the Federation service name. This name is determined by the certificate binding to "Default Web Site" in Internet Information Services (IIS). So, you have to bind the new certificate to the default website before you configure AD FS.
  • You can use any account as the service account. If the service account's password expires, AD FS will stop working. So make sure that the password of the account is set so that it never expires.


Step 2: Add relying party trust to the SharePoint 2010 web application



  • The relying party WS-Federation Passive protocol URL must be in the following format:
    https://<FQDN>/_trust/
    Do not forget to type the slash character (/) after "_trust".

  • The relying party trust identifier must start with urn:

Step 3: Import the AD FS signing certificate to the SharePoint server



AD FS contains three certificates. Make sure that the certificate that you imported is the "Token-signing" certificate.

Step 4: Configure SharePoint to use AD FS as a SAML identity provider

Scripts for configuring SharePoint 2010 with AD FS
# Load the exported AD FS token-signing certificate (public key only).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfs.cer")

# Make SharePoint trust the certificate that signs the SAML tokens.
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

# Map the incoming e-mail address and role claims.
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$realm = "urn:lg-sp2010"

# "myadfs.contoso.com" is the AD FS federation service name.
$signingURL = "https://myadfs.contoso.com/adfs/ls"

# Register AD FS as a trusted identity token issuer; the e-mail address is the identifier claim.
$SPT = New-SPTrustedIdentityTokenIssuer -Name "My ADFSv2 SAML Provider" -Description "ADFS for SharePoint" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signingURL -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
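
The format rules from Steps 2 to 4, written as a pre-flight check that can be run before the values are typed into AD FS and SharePoint. This is an added example, not part of the original KB article: the function name Test-AdfsSharePointSettings and the host name sp.contoso.com are hypothetical, and the checks that the realm equals the relying party identifier and that the certificate file carries no private key are assumptions that go beyond what the notes state.

```powershell
# Added example (not from the KB article). Function name and sample values are hypothetical.
function Test-AdfsSharePointSettings {
    param(
        [Parameter(Mandatory=$true)][string]$PassiveUrl,  # Step 2: WS-Federation Passive protocol URL
        [Parameter(Mandatory=$true)][string]$Identifier,  # Step 2: relying party trust identifier
        [Parameter(Mandatory=$true)][string]$Realm,       # Step 4: value of $realm
        [Parameter(Mandatory=$true)][string]$SignInUrl,   # Step 4: value of $signingURL
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate  # Step 3, optional
    )
    $findings = @()

    # Step 2: the URL must be https://<FQDN>/_trust/ including the trailing slash.
    $uri = $null
    if (-not ([System.Uri]::TryCreate($PassiveUrl, [System.UriKind]::Absolute, [ref]$uri))) {
        $findings += "Passive URL is not an absolute URL: $PassiveUrl"
    } elseif ($uri.Scheme -ne 'https' -or $uri.AbsolutePath -ne '/_trust/') {
        $findings += "Passive URL must look like https://<FQDN>/_trust/ (got $PassiveUrl)"
    }
    # Step 2: the identifier must start with urn:
    if ($Identifier -notlike 'urn:*') {
        $findings += "Relying party identifier must start with urn: (got $Identifier)"
    }
    # Assumption: the realm SharePoint sends must equal the identifier registered in AD FS.
    if ($Realm -cne $Identifier) {
        $findings += "Realm '$Realm' does not match relying party identifier '$Identifier'"
    }
    # Step 4: the sign-in URL points at the AD FS endpoint over HTTPS.
    $signIn = $null
    if (-not ([System.Uri]::TryCreate($SignInUrl, [System.UriKind]::Absolute, [ref]$signIn)) -or
        $signIn.Scheme -ne 'https' -or $signIn.AbsolutePath -notlike '/adfs/ls*') {
        $findings += "Sign-in URL should be https://<federation service name>/adfs/ls (got $SignInUrl)"
    }
    # Step 3: SharePoint needs only the public certificate, inside its validity period.
    if ($Certificate) {
        $now = Get-Date
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $findings += "Certificate $($Certificate.Thumbprint) is outside its validity period"
        }
        if ($Certificate.HasPrivateKey) {
            $findings += "Certificate file carries a private key; export the public certificate only"
        }
    }
    return $findings
}

# Constructed sample values: the passive URL is missing the trailing slash, so one finding is returned.
Test-AdfsSharePointSettings -PassiveUrl 'https://sp.contoso.com/_trust' `
    -Identifier 'urn:lg-sp2010' -Realm 'urn:lg-sp2010' `
    -SignInUrl 'https://myadfs.contoso.com/adfs/ls'
```

Pass $cert from the Step 4 script as -Certificate to include the certificate checks; an empty result means no problems were found.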


Step 5: Configure user permissions for SAML authentication in SharePoint

  • You have to make sure that the user account has its email address configured in the E-Mail field in Active Directory. Otherwise, the "Access denied" error will be returned from the SharePoint server.

After you add the Federation server name to the local intranet zone in Internet Explorer, NTLM authentication is used when users try to authenticate on the AD FS server. Therefore, they are not prompted to enter their credentials.

Administrators can implement Group Policy settings to configure a Single Sign-On solution on client computers that are joined to the domain.



FAQ

Q: How can I enable single sign-on for client computers so that the user will not be prompted for credentials when the user logs in to the SharePoint website?

A: On the client computer, add the Federation server name to the local intranet zone in Internet Explorer. After that, NTLM authentication is used when users try to authenticate on the AD FS server, and they are not prompted to enter their credentials. Administrators can implement Group Policy settings to configure the local intranet zone on client computers that are joined to the domain.




Article Info
Article ID : 3064450
Revision : 1
Created on : 1/7/2017
Published on : 7/28/2015
Exists online : False
Views : 266