This article will go through the ADFS 3.0 configuration guide.
AD, ADFS 3.0 installed (Use Federation Server while installing ADFS)
1. Open AD FS Management and select ‘Add Relying Party Trust…’
2. You are greeted with a Welcome page. Press ‘Start’. The ‘Select Data Source’ menu appears. Select the first option ‘Import data about the relying party published online’. Provide the following Federation metadata address and press next. (This is NOT an example URL you must enter this exactly!)
2b. (Skip this part if online import was successful) There might be an error message here saying that an error occurred during the attempt to read the federation metadata. When this happens you will need to manually obtain the Federation Metadata XML. The best way to do this, is to open a browser, navigate to the same URL and save the file as an XML. When the file is saved on your server you can manually import it using the second option in this same menu.
3. Add your desired display name and notes and press next. If you don’t want to configure multi-factor authentication press next again. In Authorization Rules screen, make sure ‘Permit all users to access this relying party’ is chosen.
4. After this your party is ready to be added. Press ‘Next’ again and then click on ‘Finish’
5. Right click the newly added Relaying Party Trust and select ‘Properties’.
6. Under the Monitoring menu, you need to untick the monitor relying party option. After that, select the ‘Encryption’ menu and remove the certificate.
7. Under the Advanced menu, change the secure hash algorithm to ‘SHA-1’. This is an important step and cannot be skipped.
8. Now we need to add the proper configuration so that email addresses gets passed to the extauth service properly. These steps have changed significantly from the previous ADFS 2.0 configuration setup.
- Go to ADFS - Relying Party Trusts. Select the newly added trust and click "Edit Claim Rules..." in the right sidebar.
9. Click "Add Rule..." in the window and set the claim rule to "Send LDAP Attributes as Claims"
10. Name it "email-to-email" and select the 'Active Directory' as Attribute Store. Select the LDAP Attribute "Email-Addresses" and select the outgoing claim type 'E-mail address'. (Yes, both column should have email address). Press Finish.
11. Click "Add Rule..." in the window again and set this claim rule to "Transform an incoming claim"
12. Next, name it and then set incoming claim type to 'Email address', outgoing claim type to 'Name ID' and outgoing name ID format to 'email'.
13. Press ‘Finish’ and after that you should have these two rules and you are done! Login to your portal should now work with your ADFS 3.0 setup!
Configuring your IBM Watson Media account with ADFS 3.0
Setup your account security settings from this page: https://video.ibm.com/dashboard/integrations/security
- Entity ID: https://[Your-ADFS-Server-URL]/adfs/services/trust (your ADFS entity id)
- Certificate: Certificate data from your ADFS metadata XML
- It can be found here on your server: (https://[Your-ADFS-Server-URL]/FederationMetadata/2007-06/FederationMetadata.xml)
- Login URL: https://[Your-ADFS-Server-URL]/adfs/ls/
- Logout URL: https://[Your-ADFS-Server-URL]/adfs/ls/