
Managing ADFS Server

This section explains how to manage the ADFS server. Adding a Relying Party Trust establishes a trust relationship between the ADFS server and an external application. It allows ADFS to authenticate users and issue claims (user identity information) to the relying party, thereby securing access to the application.

Adding Relying Party Trusts on the ADFS Server

This section provides the steps for adding Relying Party Trusts on an ADFS server to enable secure authentication.

Note

To log in as a new tenant, you must first add Relying Party Trusts in ADFS.

  1. Download tenant SAML metadata.

    Note: Before adding Relying Party Trusts on the ADFS server, download the tenant's metadata from the following link (replace tenantname with the actual tenant name): https://tenantname.uiam.pvt-rancher.mdsp.local/saml/metadata

  2. Open "Server Manager" on your Windows Server and click "Dashboard" in the left navigation.

    1. Click "Tools" in the top right corner and select "AD FS Management".
    2. Open AD FS management on the AD FS server.

    AD FS Management

  3. In the AD FS main screen, navigate to "Relying Party Trusts" and select "Add Relying Party Trust".

    Add Relying party

  4. Click "Start" from the "Welcome" step.

    Start

  5. In the "Select Data Source" step, choose "Import data about the relying party from a file" option, click "Browse" and import the SAML metadata file downloaded in Step 1.

    Import data

  6. Click "Next". If a warning box appears, ignore it and click "OK".

    Federation

  7. Enter the desired "Display name".

    Display Name

  8. Click "Next" and continue the steps until the trust is successfully created.

    Ready add trust

  9. Select and right-click on the newly added trust item and select "Edit Claim Rules".

    Edit Claim Rules

  10. In the "Edit Claim Rules" wizard, click "Add Rule".

    Add Rule

  11. Select "Send LDAP Attributes as Claims" as the template and click "Next".

    Send LDAP Attributes as Claims

  12. In the "Configure Claim Rule" step, update the following:

    1. Set "Attribute store" to "Active Directory" from the dropdown menu.
    2. Set "LDAP Attribute" to E-Mail-Addresses and "Outgoing Claim Type" to E-Mail Address.
    3. Click "Finish". The first rule is added successfully.

    LDAP email

  13. Add another rule as follows:

    Select "Transform an Incoming Claim" as the template and click "Next".

    Transform an Incoming Claim

  14. In the "Configure Claim Rule" step, update the following:

    1. Specify the "Claim rule name" as "Email Transform".
    2. Select "Incoming claim type" as "E-Mail Address", "Outgoing claim type" as "Name ID" and "Outgoing name ID format" as "Email".
    3. Choose "Pass through all claim values".
    4. Click "Finish". The second rule is added successfully.

    Configure rule

    Both rules are now added successfully.

    Transform rules

  15. Right-click the newly added trust item and select "Properties" from the context menu.

    Properties

  16. In the "SAML Logout Endpoints" section, delete one of the two URLs.

    SAML Logout Endpoints

  17. Edit the remaining endpoint, change the "Trusted URL" request path to /adfs/ls/?wa=wsignout1.0, and click "OK".

    For example: https://optcock.uiam.pvt-rancher1.cn1-int.mindsphere-in.cn/adfs/ls/?wa=wsignout1.0

    Edit endpoint

  18. Click "Apply" to save the changes, then click "Done" to close the properties window.

    Apply
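The following PowerShell script is an added example of the same configuration done through the ADFS PowerShell module rather than the AD FS Management wizard; it is not part of the original page or of the product's own tooling. It assumes AD FS on Windows Server 2016 or later (for the -AccessControlPolicyName parameter), an elevated session on the AD FS server, a placeholder tenant host name and display name, and a Redirect binding for the single logout endpoint. The two claim rules are written in the AD FS claim rule language and correspond to the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates from Steps 11 to 14.

```powershell
# Added example (not from the original page): scripted equivalent of the
# Relying Party Trust setup above. Assumes AD FS 2016 or later with the ADFS
# PowerShell module, run elevated on the AD FS server.
# Replace the placeholder values below with the tenant's real values.
Import-Module ADFS

$tenantHost   = 'tenantname.uiam.pvt-rancher.mdsp.local'   # placeholder host from Step 1
$displayName  = 'Tenant SAML Trust'                         # placeholder display name (Step 7)
$metadataFile = Join-Path $env:TEMP 'tenant-saml-metadata.xml'

# Step 1: download the tenant SAML metadata over HTTPS (server certificate is validated by default).
Invoke-WebRequest -Uri "https://$tenantHost/saml/metadata" -OutFile $metadataFile

# Steps 3-8: create the trust from the metadata file.
Add-AdfsRelyingPartyTrust -Name $displayName -MetadataFile $metadataFile `
    -AccessControlPolicyName 'Permit everyone'

# Steps 9-14: the two claim rules.
# Rule 1 = "Send LDAP Attributes as Claims": E-Mail-Addresses -> E-Mail Address.
# Rule 2 = "Transform an Incoming Claim": E-Mail Address -> Name ID, format Email,
#          passing through all claim values.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@
Set-AdfsRelyingPartyTrust -TargetName $displayName -IssuanceTransformRules $rules

# Steps 15-17: keep the non-logout endpoints imported from the metadata and replace
# the logout endpoints with a single one whose request path is /adfs/ls/?wa=wsignout1.0.
# -SamlEndpoint replaces the whole endpoint list, so the kept endpoints must be passed again.
$trust  = Get-AdfsRelyingPartyTrust -Name $displayName
$kept   = @($trust.SamlEndpoints | Where-Object { $_.Protocol -ne 'SAMLLogout' })
$logout = New-AdfsSamlEndpoint -Binding 'Redirect' -Protocol 'SAMLLogout' -Index 0 `
    -Uri "https://$tenantHost/adfs/ls/?wa=wsignout1.0"
Set-AdfsRelyingPartyTrust -TargetName $displayName -SamlEndpoint ($kept + $logout)

# Check: exactly one SAML logout endpoint remains and both claim rules are present.
$trust = Get-AdfsRelyingPartyTrust -Name $displayName
$trust.SamlEndpoints | Format-Table Protocol, Binding, Location, Index
$logoutCount = @($trust.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' }).Count
if ($logoutCount -ne 1) { throw "Expected exactly one SAML logout endpoint, found $logoutCount" }
if ($trust.IssuanceTransformRules -notmatch 'RuleName = "Email"') { throw 'LDAP email rule missing' }
if ($trust.IssuanceTransformRules -notmatch 'RuleName = "Email Transform"') { throw 'Email Transform rule missing' }
```

The final check is the scripted counterpart of reviewing the trust's Properties window: it fails loudly if the logout endpoint list was not reduced to one entry or if either rule did not apply, so a misconfigured trust is caught before a tenant tries to log in.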


Last update: January 31, 2025