How to: Configure an AD FS 2.0 Identity Provider

An identity provider is an organization that provides authentication services that you can use as the Windows Azure Access Control Service (ACS) authentication mechanism. One identity provider that you can configure is Active Directory Federation Services (AD FS) 2.0. AD FS 2.0 lets users authenticate by logging on to their corporate account, which is managed by Active Directory.

To configure AD FS 2.0 as an identity provider

  1. Add AD FS 2.0 as an identity provider in the ACS Management Portal. For more information, see step 1 in How to: Configure AD FS 2.0 as an Identity Provider.

  2. Optionally, add a certificate to ACS for decrypting tokens that are received from AD FS 2.0 in the ACS Management Portal. For more information, see step 2 in How to: Configure AD FS 2.0 as an Identity Provider.

  3. Add your ACS namespace as a relying party in AD FS 2.0 and add claim rules for the ACS namespace. You must add these in a way that guarantees that AD FS 2.0 provides a name ID that is usable by Microsoft Dynamics NAV for authentication. The following steps describe how to add the ACS namespace and add claim rules by using a PowerShell script.

    1. Create a file that is named C:\ClaimTransformRules.txt that contains the following.

      @RuleTemplate = "LdapClaims"
      @RuleName = "Send User PrincipalName as Name ID to NAV"
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
        => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);

      This rule uses the LdapClaims template, which sends LDAP attributes as claims. The attribute it queries is userPrincipalName, and the value is issued as the name identifier claim. The rule text must use straight ASCII quotation marks; the claim rule parser rejects typographic (curly) quotes.

    2. Create a file that is named C:\ClaimAuthRules.txt that contains the following.

      @RuleTemplate = "AllowAllAuthzRule"
       => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

      This specifies that the issuance authorization rule enables all users to access the relying party.

    3. Type the following at the PowerShell prompt.

      Add-ADFSRelyingPartyTrust -Name NAVTrust -MetadataUrl "https://<Microsoft Dynamics NAV ACS namespace>.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml" -IssuanceAuthorizationRulesFile C:\ClaimAuthRules.txt -IssuanceTransformRulesFile C:\ClaimTransformRules.txt
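      The three steps above can be combined into one script that writes both rule files, registers the relying party trust, and then reads the trust back to confirm that both rule sets were attached. The script below is an added example and is not part of the original page or of Microsoft's product documentation. It assumes the AD FS 2.0 cmdlets are loaded from the Microsoft.Adfs.PowerShell snap-in, that the $AcsNamespace value is replaced with your real ACS namespace before it is run, and that the file paths C:\ClaimTransformRules.txt and C:\ClaimAuthRules.txt are acceptable on the federation server.

```powershell
# Added example (not from the original page): register the ACS namespace as an
# AD FS 2.0 relying party with the two claim rule sets from the steps above,
# then verify the result. Run on the AD FS 2.0 server as an AD FS administrator.
param(
    # Placeholder: replace with the real ACS namespace for Microsoft Dynamics NAV.
    [string]$AcsNamespace = "<Microsoft Dynamics NAV ACS namespace>",
    [string]$TrustName    = "NAVTrust",
    [string]$TransformPath = "C:\ClaimTransformRules.txt",
    [string]$AuthPath      = "C:\ClaimAuthRules.txt"
)

# AD FS 2.0 ships its cmdlets as a snap-in (assumption: snap-in name as below).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Issuance transform rule: look up userPrincipalName in Active Directory for the
# authenticated Windows account and issue it as the name identifier claim.
# Single-quoted here-string so the rule text is stored exactly as written.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send User PrincipalName as Name ID to NAV"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
  => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule: permit every authenticated user to reach this relying party.
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Write both files as plain ASCII so no byte-order mark or curly quote reaches the rule parser.
Set-Content -Path $TransformPath -Value $transformRules -Encoding Ascii
Set-Content -Path $AuthPath      -Value $authRules      -Encoding Ascii

# Federation metadata endpoint of the ACS namespace (same URL shape as step 3).
$metadataUrl = "https://$($AcsNamespace).accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml"

# Create the relying party trust from the ACS metadata and attach both rule files.
Add-ADFSRelyingPartyTrust -Name $TrustName -MetadataUrl $metadataUrl `
    -IssuanceAuthorizationRulesFile $AuthPath `
    -IssuanceTransformRulesFile $TransformPath

# Read the trust back and confirm that both rule sets landed on it.
$trust = Get-ADFSRelyingPartyTrust -Name $TrustName
if (-not $trust) {
    throw "Relying party trust '$TrustName' was not created."
}
if ($trust.IssuanceTransformRules -notmatch 'userPrincipalName') {
    throw "Transform rule issuing userPrincipalName as name ID is missing from '$TrustName'."
}
if ($trust.IssuanceAuthorizationRules -notmatch 'authorization/claims/permit') {
    throw "Issuance authorization rule is missing from '$TrustName'."
}
"Trust '$TrustName' registered for identifier(s): $($trust.Identifier -join ', ')"
```

      The final checks read the trust back with Get-ADFSRelyingPartyTrust rather than trusting that the Add call succeeded silently: a rule file that failed to parse leaves the trust without the name ID rule, and NAV sign-in then fails with no obvious error on the ACS side.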