You can use the Add Account Partner Wizard to add a new account partner manually or by importing a policy file. This action enables user accounts in the account partner to access Web applications that are protected by this Federation Service. To learn more about improved import functionality in this version of Active Directory Federation Services (AD FS), see What's New in AD FS in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=85684).
Membership in the Administrators local group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Adding an account partner manually
You can use the following procedure to add an account partner manually.
To add an account partner manually
1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
2. In the console tree, double-click Federation Service, Trust Policy, and Partner Organizations.
3. Right-click Account Partners, point to New, and then click Account Partner.
4. On the Welcome to the Add Account Partner Wizard page, click Next.
5. On the Import Policy File page, click No, and then click Next.
6. On the Account Partner Details page, do the following, and then click Next:
   - In Display name, type the display name of the account partner.
   - In Federation Service URI, type the Uniform Resource Identifier (URI) of the Federation Service.
   - In Federation Service endpoint URL, type the Uniform Resource Locator (URL) of the Federation Service.
7. On the Account Partner Verification Certificate page, type the path to the verification certificate, or browse to it, and then click Next.
8. On the Federation Scenario page, do one of the following, and then click Next:
   - If you are establishing a federated trust with another organization or you do not want to use an existing forest trust, click Federated Web SSO, and then go to step 10.
   - If you are establishing a federated trust within the same organization when both sides already share a forest trust, click Federated Web SSO with Forest Trust.
9. On the Federated Web SSO with Forest Trust page, do one of the following, and then click Next:
   - To accept users in all domains that are trusted by the account partner, click All AD DS domains and forests. Any user that can authenticate to the account partner will be accepted.
   - To accept user accounts that are located in some of the domains that are trusted by the account partner, click The following AD DS domains and forests. Then, in New, trusted AD DS domain or forest, type the name of a domain or forest, and then click Add. Only users from the specified domains will be accepted.
10. On the Account Partner Identity Claims page, select one or more identity claims to share with the resource partner, and then click Next:
   - If the resource partner requires user principal name (UPN) claims to make authorization decisions, select the UPN Claim check box.
     Important: When UPN claims or e-mail claims are used to make authorization decisions, it is essential that each account partner has a unique UPN suffix or e-mail suffix. If two account partners have the same UPN suffix or e-mail suffix, it may not be possible to uniquely identify users. This condition might result in a user from one account partner receiving the permissions that are intended for a user in another account partner. This condition might also introduce a significant security weakness because an administrator could intentionally create user accounts to impersonate users from one of your other account partners.
     Note: If you selected the Federated Web SSO with Forest Trust scenario, the UPN Claim option is selected and not configurable. This is because UPN claims are required for this scenario.
   - If the resource partner requires e-mail claims to make authorization decisions, select the E-mail Claim check box.
   - If the resource partner requires common name claims to make authorization decisions, select the Common Name Claim check box.
11. If you selected UPN Claim as an identity claim, on the Accepted UPN Suffixes page, do one of the following, and then click Next:
   - If you selected the Federated Web SSO with Forest Trust option, click All UPN suffixes or click Only suffixes from the following list, type the accepted suffix, and then click Add.
   - If you selected the Federated Web SSO option, under Add a new suffix, type the accepted suffix, and then click Add.
12. If you selected E-mail Claim as an identity claim, on the Accepted E-mail Suffixes page, do one of the following, and then click Next:
   - If you selected the Federated Web SSO with Forest Trust option, click All E-mail suffixes or click Only suffixes from the following list, type the accepted suffix, and then click Add.
   - If you selected the Federated Web SSO option, under Add a new suffix, type the accepted suffix, and then click Add.
   Note: Common name claims require no additional information.
13. On the Enable this Account Partner page, if you do not want to enable the account partner now, clear the Enable this account partner check box, and then click Next.
14. To add the new account partner and close the wizard, click Finish.
Adding an account partner by importing a policy file
You can use the following procedure to add an account partner by importing a policy file.
To add an account partner by importing a policy file
1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
2. In the console tree, double-click Federation Service, Trust Policy, and Partner Organizations.
3. Right-click Account Partners, point to New, and then click Account Partner.
4. On the Welcome to the Add Account Partner Wizard page, click Next.
5. On the Import Policy File page, do the following, and then click Next:
   - Click Yes.
   - In Partner interoperability policy file, browse to or type the location of the account partner policy file.
6. On the Account Partner Details page, under Display name, type the display name of the account partner, verify that the additional imported partner settings are correct, and then click Next.
7. On the Account Partner Verification Certificate page, do one of the following, and then click Next:
   - Click Use the verification certificate in the import policy file.
   - Click Use a different verification certificate, and then type the location of the certificate or click Browse.
8. On the Federation Scenario page, do one of the following, and then click Next:
   - If you are establishing a federated trust with another organization or you do not want to use an existing forest trust, click Federated Web SSO, and then go to step 10.
   - If you are establishing a federated trust within the same organization when both sides already share a forest trust, click Federated Web SSO with Forest Trust.
9. On the Federated Web SSO with Forest Trust page, do one of the following, and then click Next:
   - To accept users in all domains that are trusted by the account partner, click All AD DS domains and forests. Any user that can authenticate to the account partner will be accepted.
   - To accept user accounts that are located in some of the domains that are trusted by the account partner, click The following AD DS domains and forests. Then, in New, trusted AD DS domain or forest, type the name of the domain or forest, and then click Add. Only users from the specified domains will be accepted.
10. On the Account Partner Identity Claims page, select one or more identity claims that this partner will provide, and then click Next:
   - If the resource partner requires UPN claims to make authorization decisions, select the UPN Claim check box.
     Important: When UPN claims or e-mail claims are used to make authorization decisions, it is essential that each account partner has a unique UPN suffix or e-mail suffix. If two account partners have the same UPN suffix or e-mail suffix, it may not be possible to uniquely identify users. This condition might result in a user from one account partner receiving the permissions that are intended for a user in another account partner. This condition might also introduce a significant security weakness because an administrator could intentionally create user accounts to impersonate users from one of your other account partners.
     Note: If you selected the Federated Web SSO with Forest Trust scenario, the UPN Claim option is selected and not configurable. This is because UPN claims are required for this scenario.
   - If the resource partner requires e-mail claims to make authorization decisions, select the E-mail Claim check box.
   - If the resource partner requires common name claims to make authorization decisions, select the Common Name Claim check box.
11. If you selected UPN Claim as an identity claim, on the Accepted UPN Suffixes page, do one of the following, and then click Next:
   - If you selected the Federated Web SSO with Forest Trust option, click All UPN suffixes or click Only suffixes from the following list, type the accepted suffix, and then click Add.
   - If you selected the Federated Web SSO option, under Add a new suffix, type the accepted suffix, and then click Add.
12. If you selected E-mail Claim as an identity claim, on the Accepted E-mail Suffixes page, do one of the following, and then click Next:
   - If you selected the Federated Web SSO with Forest Trust option, click All E-mail suffixes or click Only suffixes from the following list, type the accepted suffix, and then click Add.
   - If you selected the Federated Web SSO option, under Add a new suffix, type the accepted suffix, and then click Add.
13. On the Enable this Account Partner page, if you do not want to enable the account partner now, clear the Enable this account partner check box, and then click Next.
14. To add the new account partner and close the wizard, click Finish.
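The Important note under the Account Partner Identity Claims step of both procedures requires that no two account partners share a UPN suffix or an e-mail suffix, because the Federation Service otherwise cannot tell which partner vouches for a given user. The PowerShell script below is an added example; it is not part of the Microsoft procedure and is not an AD FS cmdlet (AD FS in Windows Server 2008 provides none for this). It takes a hand-entered table of the settings the wizard collects, reports every suffix that more than one account partner accepts (treating a Forest Trust partner configured with All UPN suffixes as accepting every suffix), and shows which partners would accept a given UPN claim. All partner names and suffixes are constructed for the example.

```powershell
# Added example, not part of the Microsoft procedure above. The partner table
# is typed in by hand from the wizard pages; every name and suffix below is
# constructed for the example.
$AccountPartners = @(
    @{ Name = 'Contoso';  Scenario = 'FederatedWebSSO'
       UpnSuffixes = @('contoso.com');  EmailSuffixes = @('contoso.com') }
    @{ Name = 'Fabrikam'; Scenario = 'FederatedWebSSO'
       # 'contoso.com' is deliberately accepted here as well: this is the
       # misconfiguration the Important note warns about.
       UpnSuffixes = @('fabrikam.com', 'contoso.com'); EmailSuffixes = @('fabrikam.com') }
    @{ Name = 'Tailspin'; Scenario = 'FederatedWebSSOWithForestTrust'
       # Models the "All UPN suffixes" choice on the Accepted UPN Suffixes page.
       AllUpnSuffixes = $true; UpnSuffixes = @(); EmailSuffixes = @() }
)

# Returns one object per suffix that more than one account partner accepts.
function Find-SuffixCollisions {
    param(
        [Parameter(Mandatory = $true)][array]$Partners,
        [ValidateSet('Upn', 'Email')][string]$ClaimType = 'Upn'
    )
    $key = if ($ClaimType -eq 'Upn') { 'UpnSuffixes' } else { 'EmailSuffixes' }

    # suffix (case-folded) -> names of the partners that accept it
    $owners = @{}
    foreach ($p in $Partners) {
        foreach ($s in @($p[$key])) {
            $k = $s.ToLowerInvariant()
            if (-not $owners.ContainsKey($k)) { $owners[$k] = @() }
            $owners[$k] += $p.Name
        }
    }

    # A Forest Trust partner configured with "All UPN suffixes" accepts every
    # suffix, so it overlaps each suffix that any other partner accepts.
    if ($ClaimType -eq 'Upn') {
        $catchAll = @($Partners | Where-Object { $_.AllUpnSuffixes })
        foreach ($k in @($owners.Keys)) {        # snapshot: values change below
            foreach ($ca in $catchAll) {
                if ($owners[$k] -notcontains $ca.Name) { $owners[$k] += $ca.Name }
            }
        }
    }

    $collisions = @()
    foreach ($k in $owners.Keys) {
        if ($owners[$k].Count -gt 1) {
            $collisions += New-Object PSObject -Property @{
                ClaimType = $ClaimType; Suffix = $k; Partners = ($owners[$k] -join ', ')
            }
        }
    }
    return $collisions
}

# Shows which account partners would accept a UPN claim with the given value.
# Ambiguous = True is the condition the Important note describes.
function Resolve-AccountPartner {
    param(
        [Parameter(Mandatory = $true)][array]$Partners,
        [Parameter(Mandatory = $true)][string]$Upn
    )
    $at = $Upn.LastIndexOf('@')
    if ($at -lt 1 -or $at -eq $Upn.Length - 1) { throw "Not a UPN: '$Upn'" }
    $suffix = $Upn.Substring($at + 1).ToLowerInvariant()

    $accepting = @($Partners | Where-Object {
        $p = $_
        $accepted = @($p.UpnSuffixes | ForEach-Object { $_.ToLowerInvariant() })
        $p.AllUpnSuffixes -or ($accepted -contains $suffix)
    })

    New-Object PSObject -Property @{
        Upn        = $Upn
        Suffix     = $suffix
        AcceptedBy = @($accepting | ForEach-Object { $_.Name })
        Ambiguous  = ($accepting.Count -gt 1)
    }
}

# Constructed input: contoso.com is accepted by Contoso and Fabrikam, and the
# Tailspin catch-all overlaps both of them; e-mail suffixes do not collide.
Find-SuffixCollisions -Partners $AccountPartners -ClaimType Upn   | Format-Table -AutoSize
Find-SuffixCollisions -Partners $AccountPartners -ClaimType Email | Format-Table -AutoSize
Resolve-AccountPartner -Partners $AccountPartners -Upn 'alice@contoso.com' | Format-List
```

Run the script after each new account partner is added, with the Accepted UPN Suffixes and Accepted E-mail Suffixes entries copied from the wizard. Any row returned by Find-SuffixCollisions means the resource side cannot distinguish users of the listed partners by that suffix, which is exactly the overlap the note tells you to avoid; fix it by removing the shared suffix from all but the partner that owns it, or by replacing All UPN suffixes with an explicit list.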
Renaming an imported account partner
You can use the following procedure to rename an imported account partner.
To rename an imported account partner
1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
2. In the console tree, double-click Federation Service, Trust Policy, Partner Organizations, and Account Partners.
3. Right-click the account partner, and then click Rename.
4. Type a new name for the account partner.