Create Relying party Trusts and Claims from ADFS

Sep 27, 2016 at 1:57 AM


This is the 5th article in the series "Configuring ADFS Authentication on SharePoint 2016". In this article I will show you how to set up the relying party trust between our claims provider (ADFS) and SharePoint, using the certificate we exported from the ADFS Management console in the previous article. The relying party trust is how we tell ADFS that there is a SharePoint system we want to connect to ADFS.

Below are the topics I am going to cover in this series.

To establish the relying party trust and claims in ADFS, follow the steps below as shown in the screenshots.

Open the ADFS Management console.

Navigate to ADFS -> Trust Relationships -> Relying Party Trusts

Select the ‘Add Relying Party Trust’ option from the Actions panel on the right. This launches the ‘Add Relying Party Trust’ wizard.

Click on Start.

Select the option ‘Enter data about the relying party manually’ and click on Next.

Enter the Display Name for the relying party trust as below. I generally set the display name to the name of the SharePoint site and the description to the URL of that site, so that the relying party for each site can be tracked individually.

Click on Next

We will be asked to select the protocol profile for ADFS. Select the SAML 2.0 protocol.

Click on Next. We will be asked for an encryption certificate to secure the claims, but as our SharePoint site and ADFS are already secured we will skip this step and click on Next.

SharePoint uses only the WS-Federation Passive protocol, so select the ‘Enable support for the WS-Federation Passive protocol’ option and specify the SharePoint URL with _trust appended as the Relying party WS-Federation Passive protocol URL, as shown below.

Click on Next. On this screen we have to specify the realm. Add ‘urn:sharpeoint:dhavalcodessp2016’ as the relying party trust identifier and click on Add.

Click on Next. Select ‘I do not want to configure multi-factor authentication settings for this relying party trust at this time’.

Click on Next. We will allow everyone from Active Directory to use this relying party, so select ‘Permit all users to access this relying party’.

Click on Next

Click on Next.

Click on Close.

This opens the ‘Edit Claim Rules’ window for the new relying party. SharePoint will authorize the user based on the claims selected here.

Configure Claim Rules

Now that we have created the relying party trust between SharePoint and ADFS, we have to configure the claims that ADFS will pass to SharePoint.

Click on ‘Add Rule’, select the ‘Send LDAP Attributes as Claims’ option and click on Next.

Specify the Claim rule name as 'ADFS Rules' and select 'Active Directory' as the Attribute store.

Then select the mapping between the incoming LDAP Attribute and the Outgoing Claim Type as shown in the screenshot below.

Click on Finish.
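The same relying party trust and claim rule that the wizard steps above produce can be created from the AD FS PowerShell module; this is an added example, not part of the original article. The SharePoint site URL and display name are placeholders, and the two LDAP mappings (mail to E-Mail Address, tokenGroups to Role) are an assumed, typical SharePoint choice standing in for the screenshot.

```powershell
# Added example (not from the article): create the relying party trust and the
# 'Send LDAP Attributes as Claims' rule with the AD FS cmdlets.
# Run on the AD FS server in an elevated PowerShell session.
# ASSUMPTIONS: $SiteUrl and $DisplayName are placeholders; the LDAP attribute
# mappings below are a typical SharePoint choice, not taken from the article.

$DisplayName = 'SP2016 Intranet'                    # wizard: Display name
$SiteUrl     = 'https://sp2016.example.com'         # placeholder site URL
$Realm       = 'urn:sharpeoint:dhavalcodessp2016'   # realm identifier from the article
$WsFedUrl    = "$SiteUrl/_trust/"                   # WS-Federation Passive protocol URL

# Wizard step 'Choose Issuance Authorization Rules':
# 'Permit all users to access this relying party'
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Claim rule 'ADFS Rules': LDAP attributes from Active Directory sent as claims.
# query = ";<ldap attributes>;{0}" looks up the authenticated account ({0}).
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ADFS Rules"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# -Identifier is the realm; -WSFedEndpoint is the site URL with _trust appended.
# The article skips the encryption certificate step, so EncryptClaims stays at
# its default here; -EncryptionCertificate/-EncryptClaims are the cmdlet equivalents.
Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -Notes $SiteUrl `
    -Identifier $Realm `
    -WSFedEndpoint $WsFedUrl `
    -IssuanceAuthorizationRules $AuthzRules `
    -IssuanceTransformRules $TransformRules

# Check: the identifier and endpoint must match what SharePoint is configured
# with later, otherwise AD FS will not recognise the realm in the sign-in request.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, WSFedEndpoint, EncryptClaims
```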

You have now configured ADFS to provide claims to the SharePoint site and established the trust between SharePoint and ADFS. In the next article we will configure SharePoint to consume the ADFS claims and provide ADFS authentication.
