AD FS 3.0 on Windows Server 2012 R2
In this version, AD FS is used in combination with a SAML federation. In newer versions, prefer an OIDC federation.
OIDC Federation (Metadata): https://sso.questback.com/FederationMetadata/2007-06/FederationMetadata.xml
Prerequisites
The server has to be part of the target Active Directory domain.
The server role "Active Directory Federation Services" has to be installed and configured on the server.
The three parts "Install a server SSL certificate", "Install the AD FS server role" and "Configure the federation server" under Step 2 of the Microsoft documentation are quite helpful.
No further configuration is needed in AD FS to enable SAML authentication.
To successfully create a SAML federation between AD FS and Okta, a few fields are required by our Okta solution: AD FS has to provide the email address, first name and last name as claims, and the email address as the NameID.
Configuration in AD FS
The steps may differ depending on the AD FS version and the server version, and on the specific fields that are available in the actual AD FS instance.
Step 1: Create a Relying Party Trust
On the second step of the configuration wizard, the information can and should be imported via a metadata.xml file provided by Okta. This contains all information needed to complete the wizard.
Step 2: Create Claim Rules
All claim rules for the previously created Relying Party Trust can be found here:
New rules can be created by clicking on "Add Rule…":
The following three rules have to be created:
Attribute claims from AD
Pass E-Mail Claims
Email to NameID
Step 3: Check the order of the claim rules (important!)
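The three claim rules from Step 2 and the ordering check from Step 3, written as an added PowerShell example for the AD FS module (this is not code from the original page or from Okta). It assumes the Relying Party Trust is named "Okta" and that the AD attributes mail, givenName and sn hold the email address, first name and last name:

```powershell
# Added example (not from the original page): creates the three claim rules for the
# Okta Relying Party Trust and applies them in the order Step 3 requires.
# Assumptions: the trust is named "Okta" and was imported from Okta's metadata.xml in
# Step 1; the AD attributes mail, givenName and sn hold email, first and last name.
Import-Module ADFS

$rpName = "Okta"   # assumed Relying Party Trust display name

# Rule 1: fetch the attributes from AD. "issue" places the claims in both the output
# set and the input set, so the rules that follow can read the email claim.
$rule1 = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Attribute claims from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Rule 2: pass the email claim through unchanged.
$rule2 = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass E-Mail Claims"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@

# Rule 3: copy the email claim into the SAML NameID with the emailAddress format.
$rule3 = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 3: issuance transform rules run top to bottom. Rule 1 must come first; if it
# is placed after rules 2 and 3, they see no email claim in the input set and Okta
# receives an assertion without a NameID.
$ruleSet = $rule1 + "`n" + $rule2 + "`n" + $rule3
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $ruleSet

# Check the stored order by listing the rule names as AD FS saved them.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules -split "`n" |
    Where-Object { $_ -like '@RuleName*' }
```

The final listing should print the three @RuleName lines with "Attribute claims from AD" first; any other order reproduces the problem Step 3 warns about.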
© 2024 Tivian XI GmbH