Add ADFS as an Identity Provider
If you have Active Directory Federation Services (ADFS) configured, the following steps are necessary to use it as an Identity Provider:
Step 1: Configure a Relying Party Trust in ADFS (not described in this document)
Step 2: Configure Claims for the Relying Party in ADFS (below)
Step 3: Configure an ADFS Provider in Identity Broker
Step 2: Configure Claims for the Relying Party in ADFS
The following Claim Rules must be configured on the Relying Party Trust you created in ADFS for the Identity Broker.
In ADFS, go to the Relying Party Trust for the Identity Broker and select Edit Claim Rules.
The Add Transform Claim Rule Wizard opens.
The configuration steps in this wizard are described below for each of the Claim rules.
Name ID
- In the Choose Rule Type step of the Transform Claim Rule Wizard, select Send LDAP Attributes as Claims.
- In the Configure Claim Rule step:
  - Specify a Claim rule name, for example NameID.
  - For Attribute store, select Active Directory.
  - Create the following mapping of LDAP attributes to outgoing claim types:

    LDAP Attribute         Outgoing Claim Type
    User-Principal-Name    Name ID
    User-Principal-Name    UPN
 
Profile information
- In the Choose Rule Type step of the Transform Claim Rule Wizard, select Send LDAP Attributes as Claims.
- In the Configure Claim Rule step:
  - Specify a Claim rule name, for example Profile.
  - For Attribute store, select Active Directory.
  - Create the following mapping of LDAP attributes to outgoing claim types:

    LDAP Attribute         Outgoing Claim Type
    Display-Name           Name
    Given-Name             Given Name
    Surname                Surname
    E-Mail-Addresses       E-Mail Address
 
Groups
Groups that are sent to Identity Consumers can be filtered in two ways:
- Issue all groups to the Identity Broker and apply filtering only in Identity Broker.
- Issue a (pre-)filtered set of groups to the Identity Broker by configuring a filter on the Identity Provider (in ADFS), and refine that set further in Identity Broker.
Option 1: Issue all groups to the Identity Broker
To issue all groups to the Identity Broker, create the following Claim Rule:
- In the Choose Rule Type step of the Transform Claim Rule Wizard, select Send Claims Using a Custom Rule.
- In the Configure Claim Rule step:
  - Specify a Claim rule name, for example AllGroups.
  - For Custom rule, enter:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups(domainQualifiedName);{0}", param = c.Value);
 
This configuration relies fully on the Identity Broker to filter the groups that are sent to Identity Consumers.
Option 2: Issue a (pre-)filtered set of groups to the Identity Broker
To configure a filter on the groups that are issued from ADFS to the Identity Broker, multiple Claim Rules must be configured:

Step 1: Create a Claim Rule to retrieve all groups
- In the Choose Rule Type step of the Transform Claim Rule Wizard, select Send Claims Using a Custom Rule.
- In the Configure Claim Rule step:
  - Specify a Claim rule name, for example RetrieveAllGroups.
  - For Custom rule, enter:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups(domainQualifiedName);{0}", param = c.Value);
 
This Custom rule is almost identical to the AllGroups rule described above, except that it uses the add command instead of issue: the group claims are added to the claim pipeline so that the filter rules in the next step can evaluate them, but they are not issued to the Identity Broker by this rule itself.
Step 2: Create one or more Claim Rule(s) to filter groups
- In the Choose Rule Type step of the Transform Claim Rule Wizard, select Send Claims Using a Custom Rule.
- In the Configure Claim Rule step:
  - Specify a Claim rule name, for example FilterGroups.
  - For Custom rule, enter:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "(?i)^*\\RES.*"]
     => issue(claim = c);
 
- The value (?i)^*\\RES.* in the Custom rule above is only an example; consult the ADFS Claim Rule language and regular expression (RegEx) documentation for the syntax.
- You can create multiple 'Filter groups' rules to output the desired set of groups.
PreWin2000
- In the Choose Rule Type step of the Transform Claim Rule Wizard, select Transform an Incoming Claim.
- In the Configure Claim Rule step:
  - Specify a Claim rule name, for example PreWin2000.
  - For Incoming claim type, select Windows account name.
  - For Outgoing claim type, enter the following URI:
    http://residb.com/identity/claims/preWin2000
  - Select the option Pass through all claim values.
 
Step 3: Configure an ADFS Provider in Identity Broker
Option 1: Configure an ADFS Provider automatically
If the Identity Broker can connect to the ADFS endpoint, part of the ADFS Provider's configuration can be done automatically.
- On the Identity Provider page of the Management Portal, click Add.
- On the New Provider page that opens, at Type, select Active Directory Federation Services.
- Specify the following fields:
  - Name: Specify a friendly name for the Provider. This name is only displayed in the Identity Broker Management Portal.
  - Caption: Specify a caption for the button that is displayed to users when they select how they want to be authenticated. This selection is only shown if more than one Identity Provider is configured in Identity Broker. See Resulting behavior if configured correctly for more information. If applicable, the selection screen is displayed between steps 3 and 4 of the Authentication sequence.
  - Realm: Specify the Relying party trust identifier you configured for the Identity Broker in the Configure Identifiers step of the Add Relying Party Trust Wizard in ADFS.
  - Callback Path: In ADFS, the Relying party WS-Federation Passive protocol URL you configured for the Identity Broker in the Configure URL step of the Add Relying Party Trust Wizard should be https://<Identity Broker host>/identitybroker/ids/<unique identifier>.
    Example: https://server.mycompany.com/identitybroker/ids/adfs
    In this example, the value /identitybroker/ids/adfs should be entered for Callback Path.
    Note that the Callback Path starts with a slash (/) and is case-sensitive. The ADFS Authentication Provider redirects to this path in steps 7 and 8 of the Authentication sequence.
  - Group/Role filter (optional): Specify an expression that is used to filter the groups that are returned from the Identity Broker to the Consumer. See Using Group/Role filters for Identity Providers.
  - Configure from Metadata Address: Select this option and enter the Metadata Address.
    Example: https://adfsserver.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml
 
The fields Provider URL, Issuer and Signing Certificate (Public Key) will be configured automatically.
Option 2: Configure an ADFS Provider manually
If the Identity Broker cannot connect to the ADFS endpoint, you must enter all configuration manually. It is helpful to retrieve the FederationMetadata.xml file from the ADFS server and copy the required values from it.
The file is usually located at https://adfsserver.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml.
To configure an ADFS Provider manually, follow the steps described in Option 1: Configure an ADFS Provider automatically, but do not select the option Configure from Metadata Address and do not enter the Metadata Address.
Continue with specifying the following fields:
- Provider URL: From the FederationMetadata.xml file, copy the URL in the Address node at:
    <EntityDescriptor ...>
      <RoleDescriptor>
        <fed:PassiveRequestorEndpoint>
          <EndpointReference>
            <Address>URL</Address>
  This URL is used in steps 4 and 5 of the Authentication sequence.
- Issuer: From the FederationMetadata.xml file, copy the value of the entityID attribute of the EntityDescriptor node.
  Example:
    <EntityDescriptor entityID="Value">
- Signing Certificate (Public Key): From the FederationMetadata.xml file, copy the data in the X509Certificate node at:
    <EntityDescriptor ...>
      <ds:Signature>
        <KeyInfo>
          <X509Data>
            <X509Certificate>Data</X509Certificate>
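The three values that Option 2 tells you to copy out of FederationMetadata.xml can also be extracted programmatically. The script below is an added example and is not part of this documentation or of the Identity Broker product. It parses a constructed sample metadata document (the host names follow the examples above; the certificate is placeholder bytes, not a real X.509 certificate) using the same node paths as the steps above, rejects a passive endpoint that is not an https URL, and returns SHA-1 and SHA-256 fingerprints of the signing certificate so they can be compared with the thumbprint shown in the ADFS console before the certificate is pasted into the Provider configuration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used in an ADFS FederationMetadata.xml document.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed sample metadata (not captured from a real server). The host names
# follow the examples in the text; the certificate is placeholder bytes, not a
# real X.509 certificate, so only extraction and fingerprinting are demonstrated.
PLACEHOLDER_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode("ascii")
SAMPLE_METADATA = f"""<EntityDescriptor ID="_1" entityID="http://adfsserver.mycompany.com/adfs/services/trust"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo/>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
        <X509Certificate>
          {PLACEHOLDER_CERT_B64}
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </ds:Signature>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://adfsserver.mycompany.com/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def parse_federation_metadata(xml_text: str) -> dict:
    """Extract Issuer, Provider URL and signing certificate from
    FederationMetadata.xml, following the node paths given in the text."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not EntityDescriptor: %s" % root.tag)

    # Issuer: the entityID attribute of EntityDescriptor.
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("EntityDescriptor has no entityID attribute")

    # Provider URL: RoleDescriptor/fed:PassiveRequestorEndpoint/EndpointReference/Address.
    address = root.find(
        "md:RoleDescriptor/fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS
    )
    provider_url = (address.text or "").strip() if address is not None else ""
    if not provider_url:
        raise ValueError("PassiveRequestorEndpoint Address not found")
    # Users are redirected here with the WS-Federation response, so insist on TLS.
    if not provider_url.lower().startswith("https://"):
        raise ValueError("PassiveRequestorEndpoint is not an https URL: %s" % provider_url)

    # Signing certificate: ds:Signature/KeyInfo/X509Data/X509Certificate.
    cert_node = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    cert_b64 = "".join((cert_node.text or "").split()) if cert_node is not None else ""
    if not cert_b64:
        raise ValueError("X509Certificate not found under ds:Signature")
    cert_der = base64.b64decode(cert_b64, validate=True)

    return {
        "issuer": issuer,
        "provider_url": provider_url,
        "signing_certificate": cert_b64,
        # SHA-1 of the DER bytes is the thumbprint Windows shows for a certificate.
        "signing_certificate_sha1": hashlib.sha1(cert_der).hexdigest(),
        "signing_certificate_sha256": hashlib.sha256(cert_der).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in parse_federation_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

To use it against a real server, download the file over HTTPS from the address given above and pass its text to parse_federation_metadata. The signing certificate is what Identity Broker uses to validate tokens from ADFS, so compare the returned fingerprint with the token-signing certificate thumbprint that the ADFS administrator reports out of band rather than trusting whatever the download returned.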