This is the 5th article in the series "Configuring ADFS Authentication on SharePoint 2016". In this article I will show you how to set up the relying party trust between our claims provider, ADFS, and SharePoint. The ADFS token-signing certificate we exported in the previous article (Export ADFS Certificate from the ADFS Management) is what SharePoint will later use to validate the tokens issued under this trust; the trust itself is how we tell ADFS that there is a SharePoint site it should issue tokens to.
Below are topics that I am going to cover under this series
- About ADFS Authentication and SharePoint
- Configure SharePoint Site to use SSL and HTTPS
- Install And Configure Active Directory Federation Services(ADFS)
- Export ADFS Certificate from the ADFS Management
- Create Relying party Trusts and Claims from ADFS
- Configure SharePoint to use ADFS Authentication
- Custom Login Page for SharePoint Authentication
To establish the relying party trust and the claims ADFS will issue for it, follow the steps below; the screenshots show each page of the wizard.
Open AD FS Management.
Navigate to ADFS -> Trust Relationships -> Relying Party Trusts.
Select 'Add Relying Party Trust' from the Actions pane on the right. This launches the 'Add Relying Party Trust' wizard.
Click on Start.
Select the option ‘Enter data about the relying party manually’ and click on Next
Enter the Display Name for the relying party trust as shown below. Generally I set the display name to the name of the SharePoint site and put the site's URL in the Notes field, which makes it easy to track the relying party for each site individually.
Click on Next
We will be asked to choose a profile. Select 'AD FS profile', the profile that supports the SAML 2.0 and WS-Federation protocols (the 'AD FS 1.0 and 1.1 profile' is only for legacy relying parties).
Click on Next. We will be asked for an optional token encryption certificate. Leave this empty and click on Next: SharePoint cannot decrypt encrypted tokens, and the token is already protected in transit by the HTTPS we configured on the SharePoint site, while its integrity is guaranteed by the ADFS token-signing certificate.
SharePoint uses only the WS-Federation passive protocol, so select the 'Enable support for the WS-Federation Passive protocol' option and specify the SharePoint site URL with /_trust/ appended (for example https://<your SharePoint site>/_trust/) as the relying party WS-Federation Passive protocol URL, as shown below. The URL must be HTTPS, and it is the endpoint ADFS will POST the token to.
Click on Next. On this screen we specify the relying party trust identifier, which is the realm SharePoint will send with each sign-in request. Add 'urn:sharpeoint:dhavalcodessp2016' as the identifier and click on Add. Note the exact string: it is case-sensitive and SharePoint must be configured with the same realm, otherwise ADFS will not be able to match the request to this trust.
Click on Next. Select 'I do not want to configure multi-factor authentication settings for this relying party trust at this time'.
Click on Next. We will allow everyone from Active Directory to use this relying party, so select 'Permit all users to access this relying party'. Authorization for individual sites is then handled by SharePoint itself.
Click on Next to review the settings, click on Next again to add the trust, and then click on Close, leaving the option to open the Edit Claim Rules dialog selected.
This will open the 'Edit Claim Rules' window for the new relying party. The claims issued by these rules are what SharePoint will use: the identity claim (for example the e-mail address) identifies the user, and additional claims such as roles can be used to authorize access.
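The wizard steps above, done with the AD FS PowerShell module instead of the console, as an added example; this is not code from the original article. The site URL https://sp2016.contoso.local and the display name 'SP2016 Intranet' are assumed values, while the realm is the one used in this article. The script also checks the points that usually go wrong with a SharePoint trust: the _trust endpoint must be HTTPS, no encryption certificate may be set, and the identifier must match the realm SharePoint will send.

```powershell
# Added example (not the article's own code): create the SharePoint relying party trust
# with the AD FS PowerShell module, then verify the settings that matter for SharePoint.
Import-Module ADFS

$siteUrl   = 'https://sp2016.contoso.local'      # assumed SharePoint site URL (must be HTTPS)
$realm     = 'urn:sharpeoint:dhavalcodessp2016'   # realm from the article; SharePoint must send exactly this string
$trustName = 'SP2016 Intranet'                   # assumed display name

# The wizard choice "Permit all users to access this relying party" is this issuance
# authorization rule in the AD FS claim rule language.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust `
    -Name $trustName `
    -Notes $siteUrl `
    -Identifier $realm `
    -WSFedEndpoint "$siteUrl/_trust/" `
    -ProtocolProfile WsFederation `
    -IssuanceAuthorizationRules $permitAll

# Sanity checks before moving on to the SharePoint side.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
if ($rp.WSFedEndpoint.Scheme -ne 'https') {
    throw 'The WS-Federation passive endpoint must be HTTPS.'
}
if ($rp.EncryptionCertificate) {
    throw 'An encryption certificate is set; SharePoint cannot decrypt encrypted tokens.'
}
if ($rp.Identifier -notcontains $realm) {
    throw "Identifier mismatch: the trust must carry the realm $realm."
}
$rp | Format-List Name, Identifier, WSFedEndpoint, ProtocolProfile, Enabled
```

Run this in an elevated PowerShell session on the ADFS server. Nothing here configures multi-factor authentication, which matches the wizard choice above; if MFA is wanted later it is added with -AdditionalAuthenticationRules on Set-AdfsRelyingPartyTrust.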
Configure Claim Rules
Now that the relying party trust between SharePoint and ADFS exists, we have to configure the claims that ADFS will pass to SharePoint.
Click on 'Add Rule' and select the 'Send LDAP Attributes as Claims' template. Click on Next.
Specify the Claim Rule name as 'ADFS Rules' and select 'Active Directory' as the Attribute Store.
Then select the mapping of LDAP attributes to outgoing claim types as shown in the screenshot. For a SharePoint trust the mapping must produce at least one claim that SharePoint can use as the identity claim (typically E-Mail-Addresses mapped to E-Mail Address, or User-Principal-Name to UPN); mapping Token-Groups - Unqualified Names to Role additionally lets SharePoint grant permissions to AD groups.
Click on Finish.
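The claim rule that the 'Send LDAP Attributes as Claims' template generates, written in the AD FS claim rule language and applied with PowerShell, as an added example; this is not the author's configuration. The trust name 'SP2016 Intranet' and the attribute mapping (E-Mail-Addresses to E-Mail Address, Token-Groups - Unqualified Names to Role) are assumptions, so use the rows from your own screenshot. The script assumes the relying party trust already exists, whether it was created with the wizard or with a script.

```powershell
# Added example (not the article's own code): the "Send LDAP Attributes as Claims" rule
# expressed in the AD FS claim rule language, applied and verified with PowerShell.
Import-Module ADFS

$trustName = 'SP2016 Intranet'   # assumed display name of the existing relying party trust

# Assumed mapping: mail -> E-Mail Address, tokenGroups -> Role. The query string is the
# template's format ";ldapAttr1,ldapAttr2;{0}", where {0} is the user's account name.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ADFS Rules"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Note: -IssuanceTransformRules replaces the complete rule set of the trust, it does not append.
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $ldapRule

# Verify that an e-mail claim will be issued; without it SharePoint has no identity claim to use.
$rules = (Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
if ($rules -notmatch 'claims/emailaddress') {
    throw 'No e-mail claim is issued by this trust; SharePoint will not be able to identify the user.'
}
$rules
```

Whatever outgoing claim type you choose as the identity claim here is the one that must be named when SharePoint is configured in the next article, and the mapping must be the same for every SharePoint trust in the farm so the user keeps a single identity.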
ADFS is now configured to issue claims to the SharePoint site, and the trust between SharePoint and ADFS is established. In the next article we will configure SharePoint to consume the ADFS claims and provide ADFS authentication.