10.2.2 Configuring the ADFS Server to Be an Identity Provider
The following tasks describe the minimum configuration required for the ADFS server to act as an
identity provider for the Access Manager Identity Server:
"Enabling a Claim Type for a Resource Partner" on page 266
"Creating a Resource Partner" on page 266
For additional configuration options, see Section 10.2.4, "Additional WS Federation Configuration
Options," on page 267.
Enabling a Claim Type for a Resource Partner
You can enable three types of identity claims on an ADFS Federation server: Common Name, E-mail,
and User Principal Name. The ADFS step-by-step guide does everything with a User Principal Name,
which is an Active Directory convention. Although a UPN can look identical to an e-mail address, it
is a different attribute and is not an e-mail address. This scenario uses E-mail rather than Common
Name because E-mail is the more common configuration.
1 In the Administrative Tools, open the Active Directory Federation Services tool.
2 Navigate to the Organizational Claims by clicking Federation Service > Trust Policy > My
Organization.
3 Make sure that E-mail is in this list.
4 Navigate to Active Directory by clicking Federation Services > Trust Policy > Account Stores.
5 Enable the E-mail Organizational Claim:
5a Right-click this claim, then select Properties.
5b Click the Enabled box.
5c Add the LDAP mail attribute by clicking Settings > LDAP attribute and selecting mail.
This is the LDAP attribute in Active Directory where the user's e-mail address is stored; its
value is what ADFS sends to the Identity Server as the E-mail claim.
5d Click OK.
6 Verify that the user you are going to use for authentication has an e-mail address in the mail
attribute. If the attribute is empty, the claim is sent empty and the Identity Server cannot match
the user.
7 Continue with "Creating a Resource Partner" on page 266.
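The following script is an added example for step 6 and is not part of the Novell guide or of the ADFS tools. It checks, from any domain-joined Windows host, that the test account's mail attribute is populated and that no other account carries the same value, since the E-mail claim is the identifier the Identity Server matches on. It also prints the userPrincipalName beside mail so the difference between the two attributes is visible. The account name testuser is an assumption; replace it with the account you will authenticate with.

```powershell
# Added verification script (not from the Novell guide or the ADFS console).
# Assumptions: run on a domain-joined Windows host as a user who can read AD;
# $UserName is a hypothetical test account name.
param([string]$UserName = 'testuser')

function Escape-LdapValue([string]$Value) {
    # Escape characters that are special in an LDAP filter (RFC 4515) so a
    # value taken from the directory cannot change the meaning of the query.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-Prop($SearchResult, [string]$Name) {
    # SearchResult property names are lower-case; return the first value or $null
    $SearchResult.Properties[$Name.ToLower()] | Select-Object -First 1
}

# Search the default naming context of the current domain
$root     = [ADSI]''
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('mail', 'userPrincipalName', 'cn', 'sAMAccountName'))

$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f (Escape-LdapValue $UserName)
$user = $searcher.FindOne()
if (-not $user) {
    Write-Error "Account '$UserName' was not found in the domain"
    exit 1
}

$sam  = Get-Prop $user 'sAMAccountName'
$mail = Get-Prop $user 'mail'
$upn  = Get-Prop $user 'userPrincipalName'

"sAMAccountName      : $sam"
"mail (E-mail claim) : $mail"
"userPrincipalName   : $upn"

if ([string]::IsNullOrEmpty($mail)) {
    Write-Error "Account '$sam' has no mail attribute; ADFS would send an empty E-mail claim"
    exit 1
}

# The E-mail claim is what the Identity Server matches the user on, so the
# value must belong to exactly one account in the directory.
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(mail={0}))' -f (Escape-LdapValue $mail)
$others = @($searcher.FindAll() | Where-Object { (Get-Prop $_ 'sAMAccountName') -ne $sam })
if ($others.Count -gt 0) {
    $names = ($others | ForEach-Object { Get-Prop $_ 'sAMAccountName' }) -join ', '
    Write-Warning "mail value '$mail' is shared by $($others.Count) other account(s): $names"
    exit 2
}

"OK: '$mail' is populated and unique; it is safe to use as the E-mail claim for '$sam'."
```

Run it as `.\Check-MailClaim.ps1 -UserName <account>`; a non-zero exit code means the account is not ready for the E-mail claim, and a shared mail value should be resolved before federating, because two accounts presenting the same claim cannot be told apart on the service provider side.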
Creating a Resource Partner
The WS Federation protocol requires a two-way trust. The identity provider must be configured to
trust the service provider, and the service provider must be configured to trust the identity provider.
You have already set up the service provider to trust the identity provider (see "Creating a WS
Federation Identity Provider" on page 263). This section sets up the trust so that the identity
provider (the ADFS server) trusts the service provider (the Identity Server).
1 In the Active Directory Federation Services console, access the Resource Partners page by
clicking Federation Services > Trust Policy > Partner Organizations.
2 Right-click the Partner Organizations, then click New > Resource Partner.
3 Supply the following information in the wizard:
You do not have a resource partner policy file to import.
266 Novell Access Manager 3.1 SP2 Identity Server Guide