For an ADFS server to act as the claims provider for your Security Center system, you must add Security Center to the relying party trusts of the ADFS server.
Before you begin
- The AD FS Management window must be open on your ADFS server.
- If Directory failover is configured on your system, know the hostname of each Directory server.
This task is part of the deployment process for third-party authentication using ADFS based on a sample scenario. The instructions and screen captures are based on Windows Server 2016. If you are using a different version, your procedure might be different.
What you should know
NOTE: If you are not enabling web-based authentication (WbA), click Next instead of performing the steps marked "(WbA only)".
- In the AD FS window, click Add Relying Party Trust.
The Add Relying Party Trust Wizard window opens.
- On the Welcome page, leave Claims aware selected and click Start.
- On the Specify Display Name page, enter a name that represents your Security Center system in the Display name field, and click Next.
For example, YourCompany Security Center.
- (Optional) On the Configure Certificate page, specify a token encryption certificate and click Next.
- (WbA only) On the Configure URL page, select Enable support for the WS-Federation Passive protocol, enter the URL of your main server, and click Next.
For example: https://MainServer.YourCompany.com
- (WbA only) On the Configure Identifiers page, enter a string that identifies your Security Center main server in the Relying party trust identifier field, and click Add.
IMPORTANT: One option is to use the URL of your main server, for example https://MainServer.YourCompany.com. Write this value down: you must enter exactly the same identifier in a subsequent step, when you configure the Authentication Service role on the Security Center server. The identifier is the audience that AD FS writes into the token, so Security Center rejects tokens if the two values do not match character for character.
Best Practice: We recommend using the default value configured for the Authentication Service role, urn:federation:SecurityCenter, so you have one less thing to remember.
- (WbA only) In the Relying party trust identifiers list, verify that the row corresponding to your main server identifier is present, and click Next.
- On the Choose Access Control Policy page, select Permit everyone and click Next.
Permit everyone only allows every user who authenticates to AD FS to obtain a token for this relying party. What those users can do in Security Center is still determined by the claims you issue in the claim rules and by the users and groups configured in Security Center.
- On the Ready to Add Trust page, click the Identifiers tab and verify the identifiers you entered.
- Click Next, leave Configure claims issuance policy for this application selected, and click Close.
The Security Center main server is added to the relying party trusts of your ADFS server.
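The same relying party trust can be created from the AD FS PowerShell module that is installed with the AD FS role on Windows Server 2016. The following script is an added example written for this page; it is not Genetec's or Microsoft's own code. The display name, the main server URL and the $enableWbA switch are assumptions that you replace with your own values; the identifier is the Authentication Service default recommended above.

```powershell
# Added example (not from the original page): create the Security Center relying party trust
# from PowerShell on the AD FS server instead of walking through the wizard.
# Assumptions: display name, main server URL and the $enableWbA switch below.
Import-Module ADFS

$displayName = 'YourCompany Security Center'        # assumed display name
$identifier  = 'urn:federation:SecurityCenter'      # Authentication Service default (recommended)
$mainServer  = 'https://MainServer.YourCompany.com' # assumed main server URL (WbA only)
$enableWbA   = $true                                # assumed: $false if web-based authentication is not used

# AD FS refuses duplicate identifiers, so stop early if the identifier is already taken.
if (Get-AdfsRelyingPartyTrust -Identifier $identifier) {
    throw "A relying party trust already uses the identifier '$identifier'"
}

# Same settings as the wizard: claims-aware trust, identifier, 'Permit everyone' access control policy.
$params = @{
    Name                    = $displayName
    Identifier              = $identifier
    AccessControlPolicyName = 'Permit everyone'
}
# WbA only: the WS-Federation passive endpoint is the main server URL.
if ($enableWbA) {
    $params.WSFedEndpoint = $mainServer
}
Add-AdfsRelyingPartyTrust @params

# Verify the trust and check that the identifier is exactly the value you will enter
# in the Authentication Service role; a mismatch means Security Center rejects the tokens.
$rp = Get-AdfsRelyingPartyTrust -Name $displayName
$rp | Select-Object Name, Identifier, WSFedEndpoint, AccessControlPolicyName
if ($rp.Identifier -notcontains $identifier) {
    throw "Identifier on the trust does not match '$identifier'"
}
```

Run the script in an elevated PowerShell session on the AD FS server. The optional token encryption certificate from the Configure Certificate page corresponds to the -EncryptionCertificate parameter of Add-AdfsRelyingPartyTrust, which takes an X509Certificate2 object from the local certificate store.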
If Directory failover is configured on your system, you must add the URL of each Directory server as an endpoint of the Security Center relying party trust on your ADFS server.
NOTE: The Authentication Service role runs on the same server as the Directory role. When the Directory role fails over to the next server in line, the Authentication Service role also fails over to the same server. For this reason, the ADFS server must know the URL of every Directory server you have in your system. For the server URL, enter https:// followed by the fully qualified hostname.
- In the AD FS window, select the Security Center relying party trust, and click Properties.
- On the Endpoints tab, click Add WS-Federation, enter the URL of a Directory server, and click OK.
- Repeat the previous step for all Directory servers on your system.
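The Directory server endpoints can also be registered in one pass from PowerShell. This is an added example for this page, not Genetec's or Microsoft's own code. The display name must be the one you gave the trust; the list of Directory server hostnames is an assumption that you replace with the hostnames of your own Directory servers.

```powershell
# Added example (not from the original page): register every Directory server as a
# WS-Federation endpoint of the Security Center relying party trust.
# Assumptions: the trust display name and the Directory server hostnames below.
Import-Module ADFS

$displayName      = 'YourCompany Security Center'   # assumed: name given to the trust
$directoryServers = @(                              # assumed: one entry per Directory server
    'MainServer.YourCompany.com',
    'DirectoryServer2.YourCompany.com'
)

# Build one WS-Federation endpoint per server. The URL is https:// followed by the
# fully qualified hostname, so reject short names before they reach AD FS.
$index = 0
$endpoints = foreach ($fqdn in $directoryServers) {
    if ($fqdn -notmatch '^[^\s/]+\.[^\s/]+$') {
        throw "'$fqdn' is not a fully qualified hostname"
    }
    New-AdfsSamlEndpoint -Binding POST -Protocol WSFederation -Uri "https://$fqdn" -Index $index
    $index++
}

# -SamlEndpoint replaces the endpoint list of the trust, so pass every Directory server at once.
Set-AdfsRelyingPartyTrust -TargetName $displayName -SamlEndpoint $endpoints

# Verify: every Directory server URL must now appear on the trust.
$rp = Get-AdfsRelyingPartyTrust -Name $displayName
$registered = $rp.SamlEndpoints | ForEach-Object { $_.Location.AbsoluteUri.TrimEnd('/') }
foreach ($fqdn in $directoryServers) {
    if ($registered -notcontains "https://$fqdn") {
        throw "Endpoint https://$fqdn is missing from the trust"
    }
}
$registered
```

Because the endpoint list is replaced rather than appended to, keep the main server in $directoryServers; otherwise a later failover to the main server will fail until its endpoint is added again.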
After you are done, in the AD FS window, select the Security Center relying party trust, click Edit Claim Issuance Policy, and configure the claim rules for Security Center.