Active Directory Federation Services (AD FS) 2.0 helps simplify access to applications and other systems with an open and interoperable claims-based model. The AD FS 2.0 platform provides a fully redesigned Windows-based Federation Service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols. In this article we are going to install it on Windows Server 8! You can find my recent article, how you configure AD FS 2.0 on Windows Server 2008 R2


Download Link

Actually you don't have to download it, but if you need you can download it here:

1 Install and Configure ADFS 2.0 on Server 8

Open the Add Roles and Features Wizard


Select Role based or feature based installation and click Next


Select your Server ( Domain Controller ) and click Next


Select your Role "Active Directory Federation Services"


It will add features to your role, select "Add Features"


Select your Features and click Next


Just click Next


Select Federation Services and the Agent and click Next


Again Next


And click Install


The wizard will open the AD FS Welcome screen, click AD FS Federation Services Configuration Wizard


Select "Create a new Federation Service"


Create a new server farm


Be sure, that your server has a certificate. Select it, and click Next


Provide a Service Account and give the Password.



The summary screen. Just click Next


Whe installation finish, close your screen.


Again when the installation is "ok", you will be returned on the AD FS Welcome screen. Click on "Required: Add a trusted relaying party"


Select Start


Choose "Federation data about the relying party manually"


Give a friendly name " GokMania-Labo Internal Trust " as my exercice.


Choose AD FS profile and click Next


Just click Next.


Choose "Enable support WS-Federation Passive protocol" and give your Web Application with /_trust/ behind.


Provide your URN:


Choose "Permit all users to access this relying party" and click Next


Choose "Close"


Now we are going to edit Claim Rules for our Trust. Click on Add Rule...


Select your template LDAP


And fill the same as shown below.


2 Configure AD FS on SharePoint 2010.

Create a new certificate from AD FS Server and copy it on the SharePoint Server. Lets rename it on GokManiaAdfs.cer:

  • C:\GokManiaAdfs.cer, which is the token signing certificate I copied from my ADFS server


Now that I have my certificate, I need to add them to my list of trusted root authorities. I’m going to do that in PowerShell with this script:


$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\GokManiaAdfs.cer ")

New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

Next I’m going to create the claim mappings that SharePoint is going to use


$map = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

Next I’m going to create a variable for the realm that I want SharePoint to use. For this scenario I said I was going to use the realm urn:seo:sharepoint. Here’s the PowerShell to create my realm variable:


$realm = "urn:portail.gokmania.local:sharepoint"

Now I’m ready to create my SPTrustedIdentityTokenIssuer. This is where I tie together all of the configuration information so SharePoint knows how to connect and work. I’ll show the PowerShell here and then explain the important parts:


$ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "SharePoint secured by SAML" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://adfs.gokmania.local/adfs/ls" -IdentifierClaim ""

So now we’ll open up the browser and navigate to Central Administration. Click on the Manage Web Applications link, then click on the web application in the list that’s going to use ADFS to authenticate, then click the Authentication Providers button in the ribbon. Click the link in the dialog that corresponds to the zone in which you are going to use ADFS to authenticate. Scroll down to the Authentication Types section. You can now de-select NTLM, and you should see a new provider called “SAML Provider” in the list of trusted providers.