Subscribe to RSS Feed

Share on Facebook

Send link to a friend

 

This Active Directory Federation Services wiki page is intended to act as a content map for all members of the AD FS community. Members of the AD FS product team will occasionally monitor this article and post new links as necessary. We would like to enlist your help in adding useful links to this article in order to make hot AD FS topics and solutions more discoverable to the overall community.

Bookmark this page as : http://aka.ms/adfscontentmap.

 

Note
Several of the links provided on this page are to community-created content that is external to TechNet Wiki.

 

The following TOC list can be used to help you quickly jump to the relevant content category that is most applicable to your AD FS documentation needs.

 

↑ Back to top

---

Learn about AD FS 2.0

If you are new to AD FS, we recommend that you review the following announcements, introductory reference links and claims-related details provided in this section to learn more about this technology.

• Active Directory Federation Services v2 Ships! [Video]
• Availability and description of Active Directory Federation Services 2.0

Introduction to AD FS

• Introducing AD FS 2.0
• AD FS Terminology
• AD FS Glossary

Overview of AD FS 2.0

• AD FS 2.0 Overview
• AD FS 2.0 SDK Overview
• AD FS 2.0 Technical Overview [Webcast]
• AD FS 2.0 Product Help
• Active Directory Federation Services (ADFS) Wiki Articles

About Claims and Claim Rules

• The Role of Claims
• The Role of Claim Rules
• The Role of the Claim Rule Language
• The Role of the Claims Engine
• The Role of the Claims Pipeline
• Understanding Claim Rule Language in AD FS 2.0
• Using ADFS 2.0 SQL Attribute Store for “advanced” claims

About Claims-Based Identity & Applications

• Claims-Based Identity Overview
• Introduction to Claims-Based Identity and Windows Identity Foundation (WIF) [Video ]
• A Guide to Claims-Based Identity and Access Control
• Claims-Based Identity and Access Control Guide
• Centralizing Application Authorization with AD FS 2.0 [Video]
• Understanding Claims-Based Applications: An Overview of AD FS 2.0 and WIF [Video]

 

↑ Back to top

---

Research AD FS 2.0 Solutions

The following links can help you understand how AD FS 2.0 can work together with other technologies and products (both Microsoft and non-Microsoft) to provide single sign-on capabilities that span multiple boundaries and identity platforms. Note that several links in this section will jump you to community-created content that resides on web sites external to the TechNet Wiki.

Integration with Microsoft Cloud Products

• ADFS 2.0 Opens Doors to the Cloud
• SSO Across Organizations and the Cloud - AD FS 2.0 Architecture Drilldown [Video]

Office 365

• Office 365 SSO Content Map (all relevant AD FS 2.0 / O365 content can now be found here)

Windows Azure Applications Platform

• WIF and Windows Azure Applications [Video]
• Single Sign-On from Active Directory to a Windows Azure Application Whitepaper
• Security Talk: Windows Azure Applications and Federated Identity Security Using ADFS 2.0 [Video]

Windows Azure Appfabric Access Control Services (ACS)

• ACS and ADFS [Video]
• Access Control Service and AD FS 2.0 Integration [Video]
• How to use AD FS 2.0 to secure WCF and Workflow Services hosted in Windows Server AppFabric
• Windows Azure AppFabric ACS Content Map

 

Integration with Microsoft On-Premises Products

• Secure Collaboration with Partners using AD FS [Video]
• Using Active Directory Federation Services 2.0 in Identity Solutions

Active Directory Domain Services (AD DS)

• What's New in AD DS: Authentication Mechanism Assurance
• Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide

Active Directory Rights Management Services (AD RMS)

• Using AD FS with AD RMS
• AD RMS and AD FS Considerations
• AD RMS with AD FS Identity Federation Step-by-Step Guide

Exchange Server 2010

• Access OWA with AD FS

Forefront Identity Manager (FIM)

• Microsoft ADFS 2.0 and Forefront Identity Manager 2010
• ADFS 2.0 Attribute Store for Forefront Identity Manager

Forefront UAG

Why deploy Forefront UAG with AD FS 2.0?
• Forefront UAG and AD FS 2.0 supported scenarios and prerequisites
• Deploying Forefront UAG with AD FS 2.0
• Secure Application Access by using AD FS and UAG [Videos]

Microsoft Dynamics NAV 2013

• How to: Configure an AD FS 2.0 Identity Provider

Microsoft Dynamics CRM 2011

• Introducing Microsoft Dynamics CRM 2011 Claims-based Authentication [Video]
• Microsoft Dynamics CRM 2011 and Claims-based Authentication [ Download | Read Online ]
• Microsoft Dynamics CRM Survival Guide

SharePoint Server 2007 & Windows SharePoint Services 3.0

• Quick Start: Enabling Federation in a SharePoint Application with AD FS 2.0 as the STS
• Overview of Microsoft Federation Extensions for SharePoint 3.0
• AD FS 2.0 Step-by-Step Guide: How to Set Up the AD FS 2.0 VM Lab Environment for Federated Collaboration [ Download | Read Online ]
• AD FS 2.0 Step-by-Step Guide: Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 [ Download | Read Online ]

SharePoint Foundation 2010

• Configure claims authentication (SharePoint Foundation 2010)
• Configure the security token service (SharePoint Foundation 2010)
• Custom claims providers for People Picker (SharePoint Foundation 2010)

SharePoint Server 2010

• Claims Architecture and Scenarios for SharePoint 2010 Developers
• Collaboration Using Office, SharePoint Server 2010, and AD FS 2.0 [Video]
• SharePoint 2010 and Claims-Based Identity Overview
• Planning Considerations for Claims Based Authentication in SharePoint 2010
• Configuring SharePoint 2010 and ADFS v2 End to End
• Configuring SharePoint 2010 AAM applications with AD FS 2.0
• Upgrading Federated Applications to SharePoint 2010
• AD FS 2.0 Step-by-Step Guide: Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies [ Download ]

Windows Identity Foundation (WIF)

• WIF Content Map
• AD FS 2.0 Step-by-Step Guide: Federation with a WIF Application [ Download | Read Online ]
• AD FS 2.0 Step-by-Step Guide: Identity Delegation with AD FS 2.0 [ Download | Read Online ]

 

Interoperability with Non-Microsoft Products

• Federated Single Sign-on to Applications Using Interoperable Standards [Video]
• Identity “Mash-up” Federation Demo using Multiple Protocols [Video]
• Federation Identity Interoperability demo with Geneva Server & Sun Open SSO [Video]
• Geneva Interop Whitepapers

Interop Setup Guidance

• Setting up ADFS 2.0 as an IDP for Visma Proceedo
• How to setup a federation with Automatic Data Processing, Inc (ADP) using ADFS 2.0
• A Quick Walkthrough: Setting up AD FS SAML Federation with a Shibboleth SP
• Using AD FS 2.0 for interoperable SAML 2.0-based federated Web Single Sign-On
• SalesForce SSO with ADFS 2.0 – Everything you need to Know
• Implement Jive federation with AD FS 2.0
• Using a Third-Party Proxy as a Replacement to an AD FS 2.0 Federation Server Proxy
• Using F5 Big-IP as a Replacement to an AD FS 2.0 Federation Server Proxy

Interop Test Lab Step-by-Step Guides

• AD FS 2.0 Step-by-Step Guide: Integration with RSA SecurID in the Extranet [ Read Online ]
• AD FS 2.0 Step-by-Step Guide: Federation with IBM Tivoli Federated Identity Manager [ Download | Read Online ]
• AD FS 2.0 Step-by-Step Guide: Federation with Ping Identity PingFederate [ Download | Read Online ]
• AD FS 2.0 Step-by-Step Guide: Federation with Oracle Identity Federation [ Download | Read Online ]
• AD FS 2.0 Step-by-Step Guide: Federation with CA Federation Manager [ Download | Read Online ]
• AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation [ Download | Read Online ]
• AD FS 2.0 Step-by-Step Guide: Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies [ Download ]

 

Case Studies

• Quest Software: Systems Manager Offers Security-Enhanced, Hosted Solutions with Programming Framework
• Gestone: Startup Successfully Launches with Highly Scalable, Security-Enhanced Cloud Services
• HCL Technologies: IT Firm Delivers Carbon-Data Management in the Cloud, Lowers Barriers for Customers
• Courts of Denmark: Courts Automate Processes for Citizens, Workers with Federated Identity Solution
• Thomson Reuters: Company to Save Months of Development Time with New Programming Framework
• Province of British Columbia: Government Builds Foundation for Agility with Identity Federation Solution
• Safewhere: Company Cuts Costs $150,000, Speeds Development with Programming Framework

Microsoft IT

• How Microsoft IT Designed and Deployed Active Directory Federation Services [Video]
• How ADFS v2 Helps Microsoft IT to Manage Application Access [Video]
• Microsoft MSIT: Enhancing Federation Services for Internal and External Partners

 

↑ Back to top

---

Versioning

You might also find this versioning and installation information useful:

AD FS 2.0:

1. It can be only be installed as a separate downloadable on Windows Server 2008 and Windows Server 2008 R2.
2.  It CANNOT be added or configured on Windows Server 2008 or Windows Server 2008 R2 via Server Manager as a server role.
3.  If you add the AD FS server role via Server Manager on Windows Server 2008, it is NOT AD FS 2.0 that you have just added but an earlier version of AD FS.

AD FS in Windows Server 2012: It can be added and configured as a server role via Server Manager in Windows Server 2012.

AD FS in Windows Server 2012 R2: It can be added and configured as a server role via Server Manager in Windows Server 2012 R2.

 

↑ Back to top

---

Design and Deploy AD FS 2.0

The following links can help you get started with planning and deploying a specific AD FS 2.0 design in your production environment.

Plan and Design

• AD FS 2.0 Design Guide
• AD FS 2.0 Capacity Planning
• AD FS 2.0 Capacity Planning Spreadsheet
• ADFS 2.0 High Availability and High Resiliency Walkthrough
• Planning Federation Server Placement
• Planning Federation Server Proxy Placement
• Planning a Migration to AD FS 2.0
• Planning for Interoperability with AD FS 1.x
• AD FS 2.0 and AD FS 1.x Interoperability
• Best Practices for Secure Planning and Deployment of AD FS 2.0
• AD FS 2.0 Requirements
• AD FS 2.0: Guidance for Selecting and Utilizing a Federation Service Name
• Using a Third-Party Proxy as a Replacement to an AD FS 2.0 Federation Server Proxy

Deploy

• AD FS 2.0 Deployment Guide
• AD FS 2.0 - How to Capture A Log During Installation (AdfsSetup.exe)
• AD FS 2.0 - How to manually run the AD FS 2.0 Initial Configuration
• AD FS 2.0 - How to configure the SPN (servicePrincipalName) for the service account
• AD FS 2.0 - How to perform an unattended installation of an AD FS 2.0 STS or Proxy
• Configuring Active Directory Federation Services 2.0
• Course 50412A: Implementing Active Directory Federation Services 2.0
• ADFS 2.0 - Customizing Forms Based Login Page - Notes from the field

 

↑ Back to top

---

Manage AD FS 2.0

The following links can help you understand how to manage and administer an existing AD FS 2.0 deployment.

• Configuring Advanced Options for AD FS 2.0
• Limiting Access to Office 365 Services Based on the Location of the Client
• Supporting Identity Provider Initiated RelayState
• How to restore IIS and clean up Active Directory when you uninstall Active Directory Federation Services 2.0
• AD FS 2.0 - How to Migrate Your AD FS Configuration Database to SQL Server
• Attribute Store Overview (How to create a custom attribute store)

 

Certificates

• AD FS 2.0: How To Modify The Duration of AutoCertificateRollover Certificates
• AD FS 2.0 - How to enable and immediately use AutoCertificateRollover
• AD FS 2.0 - How to Replace the SSL, Service Communications,Token-Signing, and Token-Decrypting Certificates
• AD FS 2.0 - How to change the ADFS 2.0 service communications certificate after it expires

 

Federation Server

• AD FS 2.0 - How to set the Primary Federation Server in a WID Farm
• Verify That a Federation Server Is Operational

 

Federation Server Proxy

• Using a Third-Party Proxy as a Replacement to an AD FS 2.0 Federation Server Proxy
• AD FS 2.0 Proxy Management
• Verify That a Federation Server Proxy Is Operational

 

Federation Service

• AD FS 2.0 - How to change the Federation Service Name
• AD FS 2.0 - How to Back Up the Federation Service
• Update the AD FS 2.0 Service Identity Password in a Federation Server Farm
• AD FS 2.0 - How to change the net.tcp Ports for Services and Administration

 

Monitoring

• Configure performance monitoring for AD FS 2.0
• Announcing Active Directory Federation Services 2.0 Management Pack for Microsoft System Center Operations Manager 2007
• Introduction to the AD FS 2.0 Management Pack

 

Office 365

• Office 365 SSO Content Map (links to the Manage section)

 

PowerShell

• AD FS 2.0 Administration with Windows PowerShell
• AD FS 2.0 Cmdlets in Windows PowerShell
• AD FS 2.0 API PowerShell Overview
• AD FS 2.0: How to Automatically Add the AD FS 2.0 Powershell Snap-in When Launching Powershell

 

Security

• Configure auditing for AD FS 2.0
• AD FS 2.0 - How to change the local authentication type

 

Sign-in / Sign-out

• AD FS 2.0: How to use Fiddler Web Debugger to analyze a WS-Federation passive sign-in
• Sign-In Pages Customization Overview
• How to invoke a WS-Federation sign-out
• AD FS 2.0: How to Consume RelayState to Automate Access to Relying Parties During IDP-Initiated Sign-On
• AD FS 2.0: How to request a specific Name ID format from a Claims Provider (CP) during SAML 2.0 Single-Sign-On (SSO)

 

Trusts

• AD FS 2.0: How to Migrate Claim Rules Between Trusts
• AD FS 2.0: How to Bulk Add Trust Relationships and Claim Rules for Testing
• AD FS 2.0: How to Utilize a Single Relying Party Trust for Multiple Web Applications that Share the Same Identifier
• AD FS 2.0: How to Restore the Default Acceptance Transform Rules for the Active Directory Claims Provider Trust

 

↑ Back to top

---

Troubleshoot AD FS 2.0

This following links can be used to help you locate the cause and resolution to common problems that may occur in your existing AD FS 2.0 infrastructure.

• AD FS 2.0 Troubleshooting Guide
• Things to check before troubleshooting AD FS 2.0
• Diagnostics in AD FS 2.0
• Fiddler Inspector for Federation Messages
• AD FS 2.0: Claims Are Missing From The Output Claim Set After A User's Name Has Changed

 

Authentication / Authorization

• Troubleshooting token acceptance problems with AD FS 2.0
• AD FS 2.0: ID4149: The Saml2SecurityToken is rejected because the SAML2:Assertion specifies a OneTimeUse condition
• AD FS 2.0: Error Event 323, "MSIS5009: The impersonation authorization failed" and Event 364, "MSIS3126: Access denied"
• AD FS 2.0: Sign-In Fails and Event 364 is Logged Showing Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7012

 

Browser Client Errors

• Troubleshooting User-Reported Symptoms for AD FS 2.0
• AD FS 2.0 - "An unexpected error has occurred" error or blank page displayed attempting to log on to SharePoint, Event ID 23 logged
• AD FS 2.0 - Prompted for credentials when you are expecting to be allowed anonymous access
• AD FS 2.0 - Continuously prompted for credentials when using FireFox 3.6.3
• AD FS 2.0 - Continuously prompted for credentials while using Fiddler Web Debugger
• AD FS 2.0 - "Script is disabled. Click Submit to continue."
• AD FS 2.0 - "An unexpected error has occurred" Error or Blank Page Displayed Attempting to Log on to SharePoint, Event ID 23 Logged

 

Certificates

• Troubleshooting certificate problems with AD FS 2.0
• Troubleshooting certificate management problems with AD FS 2.0
• AD FS 2.0 - "ID4037: The key needed to verify the signature could not be resolved from the following security key identifier"

 

Federation Server Proxy

• Troubleshooting federation server proxy problems with AD FS 2.0
• AD FS 2.0: Federation Server Proxy Servers Fail to Authenticate Users, Events 248 and 996 Logged

 

Federation Service

• Troubleshooting federation server farm problems with AD FS 2.0
• AD FS 2.0 - The service fails to start. "The service did not respond to the start or control request in a timely fashion. "
• AD FS 2.0 - Query notification delivery failed because of the following error in service broker: 'The conversation handle "{GUID} is not found.'
• AD FS 2.0 - Browsing to Federation Metadata fails "Unable to download federationmetadata.xml"
• AD FS 2.0 - The Admin event log shows Error 111 with System.ArgumentException: ID4216
• AD FS 2.0 - The AD FS 2.0 Windows Service fails to start - Event 102 and 220 logged
• AD FS 2.0: The Service Fails to Start and Error Events 352, 102, and 220 Describing an OperationalFault Are Logged

 

ForeFront UAG

• Troubleshooting Forefront UAG Federation Metadata Retrieval Errors
• Troubleshoot Forefront UAG with AD FS 2.0 Activation Errors
• Troubleshooting Forefront UAG with AD FS 2.0 Event Viewer Messages
• Forefront UAG Troubleshooting: Event ID 161: The User Name Claim Type Is Missing from the Security Token

 

Installation / Setup

• AD FS 2.0 setup fails to install PowerShell feature on Windows Server 2008
• AD FS 2.0: Initial configuration fails during "Creating default claim set" and Event ID 37 is logged in AD FS 2.0 Tracing/Debug

 

Logging / Tracing

• How to Set up AD FS 2.0 event logging
• How to Enable Debug Logging for Active Directory Federation Services 2.0 (AD FS 2.0)
• How to Configure Debug Tracing for AD FS 2.0
• AD FS 2.0: Event ID 47 is Logged in AD FS 2.0 Tracing/Debug with MSIS1022 and ID6008
• CRM 2011: How to Enable Verbose Windows Identity Foundation (WIF) Tracing for Claims-Based Authentication

 

Office 365

• Office 365 SSO Content Map (links to the Troubleshoot section)

 

Trusts

• Troubleshooting trust management problems with AD FS 2.0
• AD FS 2.0: The Admin Event Log Contains Error Event 320. "MSIS1010: Signed SAML message must have Destination URI specified."
• AD FS 2.0: "The request specified an Assertion Consumer Service URL that is not configured on the relying party"

 

↑ Back to top

---

QFEs Related to AD FS 2.0

You can use the following links to find the latest AD FS 2.0 hotfixes or QFEs.

• Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0 [Rollup 3 package also contains fixes from Rollup 2 package]
• Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 [Rollup 2 package also contains fixes from Rollup 1 package]
• Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0
• WIF QFE - AD FS 2.0 does not parse non-string XML attribute values in SAML 2.0 assertions in Windows Server 2008 or in Windows Server 2008 R2

 

↑ Back to top

---

Additional AD FS 2.0 References

Here you will find additional reference links to related developer content, software downloads and related technologies.

Developer References

• AD FS 2.0 SDK
• AD FS 2.0 SDK Class Library (AD FS 2.0 Object Model)
• WIF SDK [ Download | Read Online ]
• WIF SDK Class Library (WIF Object Model)

 

Software Downloads

• AD FS 2.0 Software
• AD FS 2.0 Management Pack for Microsoft System Center Operations Manager 2007
• Forefront UAG 2010 SP1 (adds support for AD FS 2.0)
• Microsoft Federation Extensions for SharePoint 3.0 (adds support for AD FS 2.0)
• WIF Software
• WIF Extension for the SAML 2 Protocol (CTP Release)
• Microsoft Office 365 Federation Metadata Update Automation Installation Tool

 

Related Microsoft Products

• Active Directory Domain Services
• Active Directory Lightweight Directory Services
• Active Directory Rights Management Services
• Active Directory Certificate Services
• Windows PKI
• Windows Identity Foundation (WIF)
• Windows Azure AppFabric ACS

 

Related Open Standards

• OASIS Standards-SAML and more
• Kantara Initiative (formerly known as the Liberty Alliance)
• Shibboleth - open source for web based SSO
• Web Service Interoperability and Specifications (WS-*)
• Web Service Interoperability (WS-I) Organization

 

↑ Back to top

---

AD FS 3.0 Resources

With Windows Server 2012 R2 new version of AD FS arrived. Not all details are fully documented but there are a lot of new functionality. And no direct upgrade path.

• AD FS Overview in Windows Server 2012R2
• Introduction to AlternateLoginID Feature
• AD FS Sign-in Page Customization
• Configuring Device Registration
• Web Application Proxy as a replacement for Federation Server Proxy

 

↑ Back to top

---

Community Resources

The following resources can be useful for obtaining AD FS community support and for keeping up with the latest AD FS content updates and news.

Forums

• Claims-Based Access Forum
• Directory Services Forum

 

Blogs

• Claims-Based Identity Blog
• AD FS Documentation Blog
• Identity and Access Management
• Security and Identity in the Cloud
• Kim Cameron Identity Blog
• Mike Jones - self-issued
• Vittorio Bertocci

 

Feeds

• Twitter Feed for "ADFS"
• TechNet Wiki Feed for "AD FS 2.0"
• Bing News Feed for "AD FS 2.0"

  

Curah

• AD FS on Curah - AD FS TechNet Content Map - the complete TechNet content map of AD FS starting with AD FS 2.0 and up to AD FS in Windows Sever 2012 R2.

 

↑ Back to top

---