Microsoft's official enterprise support blog for AD DS and more
Hey all, Rob Greene here again. We have been getting calls recently on how to use ADFS 2.0 to federate with ADP, so today I explain how.
Disclaimer: If you have problems connecting to ADP, your first call should be to them. If, after talking with ADP, you still need assistance, open a case with Microsoft Support. The AskDS blog cannot troubleshoot connectivity between ADP and ADFS; doing so requires data and access to your network. This post is a friendly attempt to save you from contacting the support lines as your first option.
Note: The information given is from working with customers setting up a federated trust with ADP and as of this writing it is accurate. This post is not going to discuss how to install ADFS 2.0 or discuss any design decisions around ADFS. If you need this type of information, please visit here.
You need two certificates from a Public Certification Authority (not your internal CA).
You could use one certificate for both purposes; however, the best practice is to use two different certificates, in case one of them is compromised. Once you get the certificates issued, you can review the following WIKI content on the steps that are required so that AD FS 2.0 uses these new certificates.
The next step is to contact ADP. They need the public certificate for your Token-Signing certificate. Follow the steps below to export the public certificate on the ADFS server:
Configuring Relying Party Trust information:
ADP uses RelayState information to direct users to their different applications, but ADFS 2.0 does not support that protocol binding. Let ADP know that you are using ADFS, and they will modify some settings on their end to get things working.
Now let’s get to the actual configuration steps.
You should now see a dialog box to add Claim rules to the “ADP Trust” relying party that we just configured. There are two claims that need configuration before sending to ADP: PersonImmutableID, and NameID. The next steps show you how to configure them. Please keep in mind that with any federation configuration, case sensitivity is critical. Please make sure to use the matching case when configuring the claim names.
Configuring PersonImmutableID claim:
Configuring NameID claim:
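For readers who prefer to script the two claim rules rather than click through the wizard, here is an added example (not from the original post, and not ADP's or Microsoft's published configuration) that sets them with the ADFS 2.0 PowerShell snap-in. It assumes the relying party is named "ADP Trust", that PersonImmutableID comes from the AD employeeID attribute and that NameID is the user's mail attribute; the post does not state which attributes ADP expects, so use the values ADP gives you.

```powershell
# Added example: issuance transform rules for the "ADP Trust" relying party.
# ASSUMPTIONS (not stated in the post): PersonImmutableID <- employeeID, NameID <- mail.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "PersonImmutableID from employeeID (assumed attribute)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("PersonImmutableID"), query = ";employeeID;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "E-mail address from mail attribute (assumed attribute)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID from e-mail address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Replace the rule set on the relying party (this overwrites any existing transform rules).
Set-ADFSRelyingPartyTrust -TargetName "ADP Trust" -IssuanceTransformRules $rules

# Read the rules back and check the claim type names character for character:
# claim matching is case-sensitive, so "personimmutableid" would not be the same claim.
(Get-ADFSRelyingPartyTrust -Name "ADP Trust").IssuanceTransformRules
```

The rule text is the same claim rule language the wizard generates, so you can compare it against the "View Rule Language" output of rules created by hand.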
Since we have configured this as a SAML assertion, we can use the LoginToRP feature with the IDPInitiatedSignon page to get users signed into ADFS and then redirect them to ADP. Here is an example, assuming that the ADFS server name is adfs.fabrikam.com. The URL would be:
https://adfs.fabrikam.com/adfs/ls/IDPInitiatedSignon.aspx?LoginToRP=https://fed.adp.com
Now you are ready to begin testing connectivity with ADP. I hope this blog helps make federating with ADP a lot easier.
Rob “Fuzzy” Greene