By Erich Hackspacher
Erich Hackspacher is a long-standing member of Microsoft Support (CSS). He has gathered his experience in various teams working with a range of technologies. He is currently a member of the EMEA-wide UAG team. In this blog we quote, in two chapters, from the whitepaper “How to configure UAG and ADFS to use ADFS 2.0 for Authentication and Authorization within UAG Portal and Published Applications”; Part 1 can also be found on this blog.
To allow users from a Partner organization access, the following additional steps are required:
AD FS 2.0 installation:
1. Configure a Trust on the Resource AD FS with the Partner's AD FS 2.0
2. Configure the Resource's AD FS as Relying Party on the Partner's AD FS
3. Configure Claim rules
We assume that AD FS 2.0 has already been installed and the Federation Server configured in the Partner's organization, and we skip this step (it has already been described once before).
The next step is to configure a Trust on the Resource AD FS with the Partner's AD FS 2.0:
– On Paris, launch the AD FS 2.0 Management console, then access AD FS 2.0 | Trust Relationships | Claim Provider Trust
– In the right pane, click Add Claim Provider Trust to open the Add Claim Provider Trust Wizard, then click Start
– On the Select Data Source page, select the first option.
Here you need to enter the address of the Partner's federation metadata (it needs to point to TreyEngineering's AD FS Metadata).
In the step Ready to Add Trust you can see the claim types the claim provider publishes as offered claim types in the federation metadata:
The next step is to configure the Relying Party Trust on the Partner's AD FS. This procedure is the same as the one we already followed when configuring UAG as a Relying Party. The only difference now is the address of the Relying Party's Metadata (it needs to point to WoodgroveBank's AD FS Metadata):
Following the instructions within the wizard, under the Ready to Add Trust we see the claim types the Relying Party publishes as accepted claim types in federation metadata:
The last steps are to set up the corresponding Claim Rules:
1. On the Paris computer, on the Start menu, click Administrative Tools, and then click AD FS 2.0 Management
2. In the left pane, expand Trust Relationships, and then select Relying Party Trust
3. In the middle pane, select Woodgrove Bank Domain.
4. In the right pane, click Edit Claim Rules.
5. Configure a claim rule that maps the user's mail address to a claim named E-Mail Address and also maps the user's group membership to a Role claim.
In this task you will create a transform incoming claim rule on the WoodgroveBank AD FS server, in order to map the incoming claims from the TreyEngineering organization. This allows the WoodgroveBank AD FS server, and then the UAG server, to authenticate employees of the partner TreyEngineering organization:
1. On the Resource AD FS computer, on the Start menu, click Administrative Tools, and then click AD FS 2.0 Management
2. In the left pane, expand Trust Relationships, and then select Claims Provider Trust
3. In the middle pane, right-click Trey Engineering Domain, and then click Edit Claim Rules. We will configure two rules:
- One that maps the incoming E-mail Address claim, sent by the TreyEngineering claims provider, to the same type of claim (E-mail Address), but only if the incoming address ends with @treyengineering.net.
- One that transforms the incoming E-mail Address claim into a UPN claim.
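The two rules just described, written in the AD FS claim rule language and applied with the AD FS 2.0 PowerShell snap-in; this is an added example, not part of the whitepaper, and the trust display name "Trey Engineering Domain" and the suffix treyengineering.net are taken from the text above. The same rule text can be pasted into a custom rule in the Edit Claim Rules dialog instead.

```powershell
# Added example: acceptance transform rules for the "Trey Engineering Domain"
# claims provider trust on the WoodgroveBank (Resource) AD FS 2.0 server.
# AD FS 2.0 ships its cmdlets as a PSSnapin, not as a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$Email = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$Upn   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

# Rule 1: pass the partner's E-Mail Address claim through unchanged, but only when the
# address ends with @treyengineering.net. Anchoring the regex with ^ and $ stops the
# partner's federation server from asserting addresses in any other domain.
# Rule 2: issue a UPN claim with the same value. It repeats the suffix check on purpose:
# claims issued by earlier rules are added to the rule set's input, but the raw incoming
# claim is still there too, so a transform without its own filter would convert addresses
# from every domain, not just treyengineering.net.
$Rules = @"
@RuleName = "Pass through E-Mail Address from treyengineering.net only"
c:[Type == "$Email", Value =~ "^[^@]+@treyengineering\.net`$"]
 => issue(claim = c);

@RuleName = "Transform E-Mail Address to UPN"
c:[Type == "$Email", Value =~ "^[^@]+@treyengineering\.net`$"]
 => issue(Type = "$Upn", Value = c.Value, Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Replace the acceptance transform rule set on the claims provider trust
# (display name as created in the Add Claim Provider Trust wizard above).
Set-ADFSClaimsProviderTrust -TargetName 'Trey Engineering Domain' -AcceptanceTransformRules $Rules

# Show the rules now stored on the trust for review.
(Get-ADFSClaimsProviderTrust -Name 'Trey Engineering Domain').AcceptanceTransformRules
```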