Set up a WS-Federation provider with AD FS

Active Directory Federation Services (AD FS) is one of the WS-Federation identity providers you can use to authenticate visitors to your Power Pages site. You can use any provider that conforms to the WS-Federation specification.

This article describes the following steps:

• Set up AD FS in Power Pages
• Create an AD FS relying party trust
• Finish setting up the provider

Important

The steps for setting up AD FS might vary depending on the version of your AD FS server.

Set up AD FS in Power Pages

Set AD FS as an identity provider for your site.

1. In your Power Pages site, select Set up > Identity providers.

   If no identity providers appear, make sure External login is set to On in your site's general authentication settings.

2. Select + New provider.

3. Under Select login provider, select Other.

4. Under Protocol, select WS-Federation.

5. Enter a name for the provider.

   The provider name is the text on the button that users see when they select their identity provider on the sign-in page.

6. Select Next.

7. Under Reply URL, select Copy.

   Don't close your Power Pages browser tab. You'll return to it soon.

Create an AD FS relying party trust

1. In Server Manager, select Tools, and then select AD FS Management.

2. Select Trust Relationships > Relying Party Trusts.

3. Select Add Relying Party Trust.

4. Select Start.

5. Select Enter data about the relying party manually, and then select Next.

6. Enter a name; for example, https://portal.contoso.com/.

7. Select Next.

8. Select AD FS 2.0 profile, and then select Next.

9. On the Configure Certificate page, select Next.

10. Select Enable support for the WS-Federation Passive protocol.

11. Under Relying party WS-Federation Passive protocol URL, enter the reply URL you copied. AD FS requires that the website run HTTPS, not HTTP.

12. Select Next.

13. On the Configure Identifiers page, enter your site's URL, and then select Add.

    You can add more identities for each additional relying party website if needed. Users can authenticate using any available identities.

14. Select Next.

15. On the Configure Multi-factor Authentication Now? page, select I do not want to configure multi-factor authentication settings for this relying party trust at this time.

16. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then select Next.

17. Review the trust settings, and then select Next.

18. Select Close.

19. In Edit Claim Rules, select one the following tabs, depending on the trust you're editing and in which rule set you want to create the rule:

    • Acceptance Transform Rules
    • Issuance Transform Rules
    • Issuance Authorization Rules
    • Delegation Authorization Rules

20. Select Add Rule.

21. In the Claim rule template list, select Transform an Incoming Claim, and then select Next.

22. Enter or select the following values:

    • Claim rule name: Transform Windows account name to Name ID

    • Incoming claim type: Windows account name

    • Outgoing claim type: Name ID

    • Outgoing name ID format: Unspecified

23. Select Pass through all claim values.

24. Select Finish, and then select OK.

Finish setting up the provider

After you set up the AD FS relying party trust:

1. Create an app registration in Azure.

2. Enter site settings in Power Pages.

See also

Set up a WS-Federation provider with Microsoft Entra ID