We will now expand on what we covered in Part 1 by connecting two farms together via ADFS 2.0. Both of the farms that will be referenced in this article were built using the same steps of Part 1. While it is not critical that you have both farms configured this way, it is strongly encouraged.

For the sake of this demonstration, one of these environments will be the internal farm (LABS); the other will be a partnering company (Contoso). The configuration of the external farm will be very similar to what we have done already. The internal farm (LABS) is where we will begin to focus our efforts.


Verify Inter-Server Communications

You can configure SharePoint to trust an external farm in the same way that we trusted our internal farm. The configuration in this post instead builds the trust between the two AD FS 2.0 servers, which eliminates any configuration changes on our SharePoint 2010 server. Before you spend any time on these steps, verify that all of your servers can communicate. I recommend trying the following:

    From Contoso-ADFS, ping Labs-ADFS.labs.com

    From Labs-ADFS, ping Contoso-ADFS.contoso.com

You may need to configure conditional forwarding in DNS to ensure your servers can communicate correctly. If they cannot, your attempts will not be successful.
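Ping only proves that ICMP gets through. The script below is an added example (not from the original post): it checks name resolution, ping and the HTTPS listener of the partner AD FS 2.0 server, then prints the identifier and token-signing certificate(s) the partner publishes in its federation metadata. The host names are the ones used in this series; the `$PartnerHost` parameter is my own. Run it on Labs-ADFS to test Contoso-ADFS, and with `-PartnerHost labs-adfs.labs.com` on Contoso-ADFS for the other direction:

```powershell
# Added example (not from the original post): verify DNS, ICMP and HTTPS
# reachability of the partner AD FS 2.0 server and list its signing certs.
# $PartnerHost is an assumed parameter; host names are from this series.
param(
    [string]$PartnerHost = "contoso-adfs.contoso.com"
)

# 1. Name resolution. A failure here means the DNS conditional forwarder is
#    missing; a failed ping alone does not tell you which side is broken.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($PartnerHost)
} catch {
    throw "DNS lookup for $PartnerHost failed: $($_.Exception.Message)"
}
"Resolved $PartnerHost to " + (($addresses | ForEach-Object { $_.IPAddressToString }) -join ", ")

# 2. ICMP reachability, the post's 'ping' test. ICMP is often filtered, so a
#    failure is only a warning; the HTTPS test below is the one that matters.
if (-not (Test-Connection -ComputerName $PartnerHost -Count 2 -Quiet)) {
    Write-Warning "$PartnerHost does not answer ping; continuing with the HTTPS test."
}

# 3. Download the partner's federation metadata. This uses the same TLS
#    listener that /adfs/ls/ uses and throws if the partner's SSL certificate
#    is not trusted on this machine (which would also break passive sign-in).
$metadataUrl = "https://$PartnerHost/FederationMetadata/2007-06/FederationMetadata.xml"
$client = New-Object System.Net.WebClient
[xml]$metadata = $client.DownloadString($metadataUrl)

# The entityID is the identifier the trust wizards ask for; note it is http://,
# not https://, even though the endpoint itself is served over HTTPS.
"Federation identifier: " + $metadata.EntityDescriptor.entityID

# 4. Print each distinct signing certificate advertised in the metadata. The
#    thumbprint is what you compare against the 'ADFS Signing' certificate you
#    add on the 'Configure Certificates' page of the claims provider trust wizard.
$seen = @{}
$xpath = "//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']"
foreach ($node in $metadata.SelectNodes($xpath)) {
    $bytes = [Convert]::FromBase64String($node.InnerText)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }
    $seen[$cert.Thumbprint] = $true
    "Signing cert: {0}  thumbprint {1}  valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}
```

If step 3 fails with a trust error while the browser opens `https://<partner>/adfs/ls/` fine, the partner's SSL certificate chain is trusted by your user profile but not by the machine account the AD FS service runs under; fix that before building the trusts, because the AD FS service itself makes these calls.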

Configure the External AD FS 2.0 Server

The role of the external AD FS 2.0 server will be played by the Contoso farm. This farm will provide a cast of characters (Mighty Mouse and Mickey Mouse) that will need access to the Labs SharePoint environment. We can do this in a number of ways. The first is to configure SharePoint to trust this external AD FS configuration, much like we did in the first post. Another way is to set up a trust between the AD FS 2.0 server inside LABS.com with the AD FS 2.0 server inside Contoso.com.

The configuration portion of the external AD FS 2.0 server will start under the ‘Trust Relationships’ node inside the AD FS 2.0 Management console. The users that we need to provide to Labs.com reside inside Active Directory, so there shouldn’t be anything to do for the ‘Claims Provider Trusts’.

A Relying Party Trust (RP) is the destination of the augmented claims. Because we are setting up an AD FS 2.0 to AD FS 2.0 configuration, our new RP will point to the AD FS 2.0 server inside Labs.com rather than to the SharePoint site. If you built your Contoso farm like the one in the first post, you will end up with two RPs once everything is configured. Start the wizard to add an RP.

Select Data Source
    Enter data about the relying party manually

Specify Display Name
    LABS AD FS 2.0

Choose Profile
    AD FS 2.0 profile

Configure URL
    Check ‘Enable support for the WS-Federation Passive protocol’
    URL: https://labs-adfs.labs.com/adfs/ls/

Configure Identifiers
    Remove ‘https://labs-adfs.labs.com/adfs/ls/’
    Add ‘http://labs-adfs.labs.com/adfs/services/trust’

Choose Issuance Authorization Rules
    Permit all users to access this relying party

Finish
    Check ‘Open the Edit Claim Rules…’

Choose Rule Type
    Send LDAP Attributes as Claims

Configure Claim Rule
    Claim rule name: LDAP-Email
    Attribute store: Active Directory
    Mapping: E-Mail-Addresses -> E-Mail Address

Configure the Internal AD FS 2.0 Server

Claims Provider Trusts

On Labs-ADFS, open the ‘Claims Provider Trusts’ node and start the wizard to add a claims provider trust for the Contoso AD FS 2.0 server.

Select Data Source
    Enter claims provider trust data manually

Specify Display Name
    Contoso ADFS Server

Choose Profile
    AD FS 2.0 profile

Configure URL
    Check ‘Enable support for the WS-Federation Passive protocol’
    URL: https://contoso-adfs.contoso.com/adfs/ls/

Configure Identifier
    http://contoso-adfs.contoso.com/adfs/services/trust

Configure Certificates
    Add the ‘ADFS Signing – Contoso-ADFS.contoso.com’ certificate from the Contoso AD FS certificate store (adfssts.contoso.com)

Finish
    Check ‘Open the Edit Claim Rules…’

Add Rule
    Click the ‘Add Rule’ button

Choose Rule Type
    Pass Through or Filter an Incoming Claim

Configure Claim Rule
    Claim rule name: Pass-Through LDAP-Email
    Incoming claim type: E-Mail Address

Add Rule
    Click the ‘Add Rule’ button

Choose Rule Type
    Send LDAP Attributes as Claims

Configure Claim Rule
    Claim rule name: LDAP-Email
    Attribute store: Active Directory
    Mapping: E-Mail-Addresses -> E-Mail Address

Relying Party Trusts

Select the RP for SharePoint, click ‘Edit Claim Rules…’, then click ‘Add Rule’.

Choose Rule Type
    Pass Through or Filter an Incoming Claim

Configure Claim Rule
    Claim rule name: Pass-Through LDAP-Email
    Incoming claim type: E-Mail Address
    Pass through all claim values
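The wizard pages above are a front end for the AD FS claim rule language. The script below is an added example, not code from the original post or from Microsoft: it writes out the rule sets those pages generate and applies them with the AD FS 2.0 PowerShell snap-in instead of the GUI. Display names, identifiers and URLs are the ones used above; the SharePoint RP name, the certificate file path and the filtered pass-through variant are my own assumptions. Each section runs on the server named in its comment:

```powershell
# Added example (not from the original post): the claim rules behind the wizard
# pages, expressed in claim rule language and applied with the AD FS 2.0 snap-in.
# $spRpName and the certificate path are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# 'Send LDAP Attributes as Claims', E-Mail-Addresses -> E-Mail Address.
# The template only matches claims the local AD issued (Issuer == "AD AUTHORITY").
$ldapEmail = @"
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP-Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";mail;{0}", param = c.Value);
"@

# 'Pass Through or Filter an Incoming Claim' with 'Pass through all claim values'.
$passThroughEmail = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass-Through LDAP-Email"
c:[Type == "$emailClaim"]
 => issue(claim = c);
"@

# Same rule type with the value filter option (my addition): forward only
# addresses in the partner's domain, so a partner token cannot carry an e-mail
# claim for a labs.com address into SharePoint.
$passThroughContosoOnly = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass-Through Contoso E-Mail"
c:[Type == "$emailClaim", Value =~ "^[^@]+@contoso[.]com`$"]
 => issue(claim = c);
"@

# 'Permit all users to access this relying party'.
$permitAll = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# --- Contoso-ADFS: relying party trust that points at the LABS AD FS server ---
Add-ADFSRelyingPartyTrust -Name "LABS AD FS 2.0" `
    -Identifier "http://labs-adfs.labs.com/adfs/services/trust" `
    -WSFedEndpoint "https://labs-adfs.labs.com/adfs/ls/" `
    -IssuanceAuthorizationRules $permitAll `
    -IssuanceTransformRules $ldapEmail

# --- Labs-ADFS: claims provider trust for Contoso, using its signing certificate ---
# Placeholder path: the 'ADFS Signing - Contoso-ADFS.contoso.com' certificate
# exported (public key only) from adfssts.contoso.com.
$contosoSigning = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\certs\contoso-adfs-signing.cer"
Add-ADFSClaimsProviderTrust -Name "Contoso ADFS Server" `
    -Identifier "http://contoso-adfs.contoso.com/adfs/services/trust" `
    -WSFedEndpoint "https://contoso-adfs.contoso.com/adfs/ls/" `
    -TokenSigningCertificate $contosoSigning `
    -AcceptanceTransformRules "$passThroughEmail`n$ldapEmail"

# --- Labs-ADFS: add the pass-through rule to the SharePoint RP from Part 1 ---
# Set-* replaces the whole rule set, so read the existing rules and append.
$spRpName = "SharePoint 2010"   # placeholder: the display name you gave that RP
$existing = (Get-ADFSRelyingPartyTrust -Name $spRpName).IssuanceTransformRules
Set-ADFSRelyingPartyTrust -TargetName $spRpName -IssuanceTransformRules "$existing`n$passThroughEmail"
```

Two things worth checking once the trusts exist. First, `Get-ADFSClaimsProviderTrust -Name "Contoso ADFS Server"` should show the same token-signing thumbprint the Contoso metadata advertises; if Contoso later rolls its signing certificate, tokens will fail signature validation until you update it here (or switch the trust to metadata-based updates). Second, the template-generated LDAP rule matches only claims whose Issuer is AD AUTHORITY, so on the Contoso claims provider trust it is the pass-through rule that actually carries the e-mail claim through to the SharePoint RP; swapping `$passThroughEmail` for `$passThroughContosoOnly` on that trust is the place to bound which addresses a partner may assert.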

Contoso ADFS Certificates


Browse LABS site with Contoso User



One thought on “Claims Based Authentication: Made Simple – Part 2”

  1. Shannon,
    Your guides work perfectly! I found my error, which was only a typo. For the identifiers I initially used: https://labs-adfs.labs.com/adfs/ls/
    and when I entered: http(s)://lab-adfs.labs.com/adfs/services/trust
    I forgot to strip off the ‘s’ from https. It really pays to go through these guides a few times!
