You can use the Add Resource Partner Wizard to add a new resource partner manually or by importing a policy file. To learn more about the improved import functionality in this version of Active Directory Federation Services (AD FS), see What's New for AD FS in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=85684).

Use this wizard to add a resource partner that will provide a Web application to users who have accounts in your account store: Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).

Membership in the Administrators local group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Adding a resource partner manually

You can use the following procedure to add a resource partner manually.

To add a resource partner manually
  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, double-click Federation Service, Trust Policy, and Partner Organizations.

  3. In the console tree, right-click Resource Partners, point to New, and then click Resource Partner.

  4. On the Welcome to the Add Resource Partner Wizard page, click Next.

  5. On the Import Policy File page, ensure that No is selected, and then click Next.

  6. On the Resource Partner Details page, do the following, and then click Next:

    • In Display name, type the name of the resource partner.

    • In Federation Service URI, type the Uniform Resource Identifier (URI) for the resource partner.

    • In Federation Service endpoint URL, type the Uniform Resource Locator (URL) of the Federation Service.

  7. On the Federation Scenario page, do one of the following, and then click Next:

    • If you are establishing a federated trust with another organization or you do not want to use an existing forest trust, click Federated Web SSO.

    • If you are establishing a federated trust within the same organization when both sides already share a forest trust, click Federated Web SSO with Forest Trust.

  8. On the Resource Partner Identity Claims page, select one or more identity claims to share with the resource partner, and then click Next:

    • If the resource partner requires user principal name (UPN) claims to make authorization decisions, select the UPN Claim check box.

    Note

    If you selected the Federated Web SSO with Forest Trust scenario, the UPN Claim option is selected and not configurable. This is because UPN claims are required for this scenario.

    • If the resource partner requires e-mail claims to make authorization decisions, select the E-mail Claim check box.

    • If the resource partner requires common name claims to make authorization decisions, select the Common Name Claim check box.

  9. If you selected UPN Claim as an identity claim, on the Select UPN Suffix page, do one of the following, and then click Next:

    • To pass all UPN suffixes through without replacing them, click Pass all UPN suffixes through unchanged.

    • To replace all UPN suffixes with a different suffix, click Replace all UPN suffixes with the following, and then type the suffix that you want to use to replace all UPN suffixes.

  10. If you selected E-mail Claim as an identity claim, on the Select E-mail Suffix page, do one of the following, and then click Next:

    • To pass all e-mail suffixes without replacing them, click Pass all E-mail suffixes through unchanged.

    • To replace all e-mail suffixes with a different suffix, click Replace all E-mail suffixes with, and then type the suffix that you want to use to replace all e-mail suffixes.

    Note

    Common name claims require no additional information.

  11. On the Enable this Resource Partner page, if you do not want to enable the resource partner now, clear the Enable this resource partner check box, and then click Next.

  12. To add the new resource partner and close the wizard, click Finish.

Adding a resource partner by importing a policy file

You can use the following procedure to add a resource partner by importing a policy file.

To add a resource partner by importing a policy file
  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, double-click Federation Service, Trust Policy, and Partner Organizations.

  3. Right-click Resource Partners, point to New, and then click Resource Partner.

  4. On the Welcome to the Add Resource Partner Wizard page, click Next.

  5. On the Import Policy File page, do the following, and then click Next:

    • Click Yes.

    • In Partner interoperability policy file, browse to or type the location of the resource partner policy file.

  6. On the Resource Partner Details page, under Display name, type the display name of the resource partner, verify that the additional imported partner settings are correct, and then click Next.

  7. On the Federation Scenario page, do one of the following, and then click Next:

    • If you are establishing a federated trust with another organization or you do not want to use an existing forest trust, click Federated Web SSO.

    • If you are establishing a federated trust within the same organization when both sides already share a forest trust, click Federated Web SSO with Forest Trust.

  8. On the Resource Partner Identity Claims page, select one or more identity claims that the account partner will provide to the resource partner, and then click Next:

    • If the resource partner requires UPN claims to make authorization decisions, select the UPN Claim check box.

    Note

    If you selected the Federated Web SSO with Forest Trust scenario, the UPN Claim option is selected and not configurable. This is because UPN claims are required for this scenario.

    • If the resource partner requires e-mail claims to make authorization decisions, select the E-mail Claim check box.

    • If the resource partner requires common name claims to make authorization decisions, select the Common Name Claim check box.

  9. If you selected UPN Claim as an identity claim, on the Select UPN Suffix page, select one of the following, and then click Next.

    • To pass all UPN suffixes through without replacing them, click Pass all UPN suffixes through unchanged.

    • To replace all UPN suffixes with a different suffix, click Replace all UPN domain suffixes with the following, type the suffix that you want to use to replace all UPN suffixes, and then click Add.

  10. If you selected E-mail Claim as an identity claim, on the Select E-mail Suffix page, do one of the following, and then click Next:

    • To pass all e-mail suffixes without replacing them, click Pass all e-mail suffixes through unchanged.

    • To replace all UPN suffixes with a different suffix, click Replace all E-mail suffixes with, and then type the suffix that you want to use to replace all e-mail suffixes.

    Note

    Common name claims require no additional information.

  11. On the Enable this Resource Partner page, if you do not want to enable the resource partner now, clear the Enable this resource partner check box, and then click Next.

  12. To add the new resource partner and close the wizard, click Finish.