Configuring The Adfs Server To Be An Identity Provider - Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual

Identity server guide

2 Click Add.
3 Next to the Trusted Root(s) field, click the Select Trusted Root(s) icon.
This adds the trusted root of the ADFS signing certificate to the Trust Store.
4 On the Select Trusted Roots page, select the trusted root or certificate that you want to import,
then click Add Trusted Roots to Trust Stores.
If there is no trusted root or certificate in the list, click Import. This enables you to import a
trusted root or certificate.
5 Next to the Trust store(s) field, click the Select Keystore icon.
6 Select the trust stores where you want to add the trusted root or certificate, then click OK twice.
7 Update the Identity Server so that changes can take effect.
This completes the basic configuration required for the Identity Server to trust the ADFS server as an
identity provider. The ADFS server must still be configured to act as an identity provider and to trust
the Access Manager Identity Server. Continue with Section 7.2.2, "Configuring the ADFS Server to Be an
Identity Provider," on page 201.

7.2.2 Configuring the ADFS Server to Be an Identity Provider

The following tasks describe the minimum configuration required for the ADFS server to act as an
identity provider for the Access Manager Identity Server.
"Enabling a Claim Type for a Resource Partner" on page 201
"Creating a Resource Partner" on page 202
For additional configuration options, see Section 7.2.4, "Additional WS Federation Configuration
Options," on page 203.
Enabling a Claim Type for a Resource Partner
You can enable three types of identity claims on an ADFS Federation Server: Common Name, E-mail, and
User Principal Name. The ADFS step-by-step guide uses the User Principal Name (UPN) throughout. The UPN
is an Active Directory convention; although a UPN can look identical to an e-mail address, it is not one.
This scenario uses E-mail instead of Common Name because E-mail is the more common configuration. The
attribute you map to the claim is what the ADFS server asserts as the user's identity, so it must be
populated for every user who will federate.
1 In the Administrative Tools, open the Active Directory Federation Services tool.
2 Navigate to the Organizational Claims by clicking Federation Service > Trust Policy > My
Organization.
3 Make sure that E-mail is in this list.
4 Navigate to Active Directory by clicking Federation Service > Trust Policy > Account Stores.
5 Enable the E-mail Organizational Claim.
5a Right-click this claim, then select Properties.
5b Click the Enabled box.
5c Add the LDAP mail attribute by clicking Settings > LDAP attribute and selecting mail.
This is the LDAP attribute in Active Directory where the user's e-mail address is stored.
5d Click OK.
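Step 5c maps the E-mail claim to the Active Directory mail attribute, so a user with an empty mail attribute cannot be identified, and two users sharing one address become indistinguishable to the Identity Server. The following script is an added example, not part of the Novell or Microsoft documentation: it audits an LDIF export of the user accounts for missing and duplicate mail values. It assumes the export was produced on a domain controller with a command such as ldifde -f users.ldf -r "(objectCategory=person)" -l mail,sAMAccountName (the file name is hypothetical); the sample LDIF embedded in the script is constructed for illustration.

```python
"""Audit an LDIF export of AD user accounts for the `mail` attribute.

Added example for the ADFS E-mail claim configuration; not part of the
Access Manager or ADFS product documentation. Works on any LDIF file with
one entry per user, such as the output of ldifde (file name hypothetical):
    ldifde -f users.ldf -r "(objectCategory=person)" -l mail,sAMAccountName
"""
from collections import defaultdict

# Constructed sample export: one user without mail, two sharing one address
# that differs only in letter case.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Users,DC=example,DC=com
changetype: add
sAMAccountName: aadams
mail: alice.adams@example.com

dn: CN=Bob Brown,OU=Users,DC=example,DC=com
changetype: add
sAMAccountName: bbrown

dn: CN=Carol Clark,OU=Users,DC=example,DC=com
changetype: add
sAMAccountName: cclark
mail: shared@example.com

dn: CN=Dan Davis,OU=Users,DC=example,DC=com
changetype: add
sAMAccountName: ddavis
mail: Shared@Example.com
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.

    Handles what an ldifde export contains: blank-line entry separators,
    '#' comment lines and folded continuation lines (leading space).
    Base64 ('::') values are kept undecoded; mail is plain ASCII in practice.
    """
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]  # folded line continuation
            continue
        attr, _, value = raw.partition(":")
        value = value.lstrip(": ")  # also tolerates the 'attr:: base64' form
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def audit_mail(entries):
    """Return (missing, duplicates).

    missing    - sAMAccountNames of entries with no mail value; these users
                 cannot be asserted to the Identity Server via the E-mail claim.
    duplicates - {mail: [sAMAccountNames]} for addresses used by more than one
                 entry. Comparison is case-insensitive because AD matches the
                 mail attribute case-insensitively.
    """
    missing, seen = [], defaultdict(list)
    for entry in entries:
        name = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
        mails = entry.get("mail", [])
        if not mails:
            missing.append(name)
        for mail in mails:
            seen[mail.strip().lower()].append(name)
    duplicates = {m: names for m, names in seen.items() if len(names) > 1}
    return missing, duplicates


if __name__ == "__main__":
    missing, duplicates = audit_mail(parse_ldif(SAMPLE_LDIF))
    for name in missing:
        print(f"no mail attribute: {name}")
    for mail, names in duplicates.items():
        print(f"duplicate mail {mail}: {', '.join(names)}")
```

Run it against a real export before enabling the claim; every account it reports either cannot log in through the federation or will be confused with another account, so fix the directory data first rather than working around it on the Identity Server.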