Step-By-Step video: Set up AD FS with SharePoint Server 2010 for SAML authentication

Step 1: Configure Active Directory Federation Services

• The Federation Services name is an Internet-facing domain name of your AD FS server. The Microsoft Office 365 user will be redirected to this domain for authentication. Make sure that you added a public A record for the domain name.
• You cannot manually type a name for the Federation service name. This name is determined by the certificate binding to "Default Web Site" in Internet Information Services (IIS). So, you have to bind the new certificate to the default website before you configure AD FS.
• You can use any account as the service account. If the service account’s password expired, AD FS will stop working. So make sure that the password of the account is set so that it never expires.
  
  
  

Step 2: Add relying party trust to the SharePoint 2010 web application

• The relying party WS-Federation Passive protocol URL must be in the following format:
  https://<FQDNFQDN>/_trust/
   Do not forget to type the slash character (/) after "_trust."
  
  
• The reply party trust identifier must start with urn:. 

Step 3: Import the AD FS signing certificate to the SharePoint server

Step 4: Configure SharePoint to use AD FS as an SAML identify provider

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:\adfs.cer”) 

New-SPTrustedRootAuthority -Name “Token Signing Cert“ -Certificate $cert 

$map1= New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName “Role” -SameAsIncoming

$realm = “urn:lg-sp2010”

$signingURL=https://myadfs.contoso.com/adfs/ls ##comment: "myadfs.contoso.com" is the ADFS federation service name.

$SPT = New-SPTrustedIdentityTokenIssuer -Name “My ADFSv2 SAML Provider” -Description “ADFS for SharePoint” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signingURL -IdentifierClaim “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

Step 5: Configure user permissions for SAML authentication in SharePoint

• You have to make sure that the user account has its email address configured in the E-Mail field in Active Directory. Otherwise, the "Access denied" error will be returned from the SharePoint server.