Migrate an Account Partner to a Claims Provider Trust in the AD FS 2.0 Federation Service

Applies To: Active Directory Federation Services (AD FS) 2.0


You can use the following steps to record, and then migrate, the account partner settings in the Active Directory Federation Services (AD FS) 1.x Federation Service that are pertinent to a successful migration to claims provider trusts in the AD FS 2.0 Federation Service. A claims provider trust, as referred to in the AD FS 2.0 Management snap-in, is equivalent to an account partner trust in AD FS 1.x.

When you finish all the steps, repeat steps 1 through 6 for each account partner trust that appears in the AD FS 1.x Federation Service, until all trust settings have been migrated to equivalent claims provider trusts in the AD FS 2.0 Federation Service.

To complete this procedure, you must be a member of the Administrators group on the local computer.

Step 1: Export the account partner verification certificate to a file

In AD FS 1.x the verification certificate represents the public key infrastructure (PKI)/federated trust relationship between the AD FS 1.x Federation Service and the account partner organization. AD FS 2.0 requires this same certificate to create an equivalent trust in the AD FS 2.0 Federation Service.

Therefore, to successfully migrate an account partner trust, use this procedure to export this certificate to a file. You will need this certificate file to complete the next task in this checklist.

  1. On the AD FS 1.x federation server, click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, double-click Account Partners, right-click the account partner, and then click Properties.

  3. Click the Verification Certificates tab, highlight the certificate that you want to export, and then click View.

  4. In the Certificate dialog box, click the Details tab, and then click Copy to File.

  5. On the Welcome to the Certificate Export Wizard page, click Next.

  6. On the Export File Format page, ensure that DER encoded binary X.509 (.CER) is selected, and then click Next.

  7. On the File to Export page, type or browse to the location and file name that you want to use for the exported certificate, and then click Next.

  8. On the Completing the Certificate Export Wizard page, verify that the information you provided is accurate, and then click Finish.

  9. In the Certificate Export Wizard dialog box, click OK.

  10. In the Certificate dialog box, click OK.

  11. In the Trust Policy Properties dialog box, click OK.

Step 2: Document the account partner settings in the AD FS 1.x Federation Service

Use this step to record the settings that are required for migrating each account partner to a claims provider trust in AD FS 2.0. In a later procedure, you will use the information that you entered in this table to populate the equivalent fields in the AD FS 2.0 Federation Service properties.

Note

All settings in the following table are required for the successful migration of the account partner trust to AD FS 2.0.

Table 1.0

Columns: Step | Locate the account partner trust setting in the AD FS 1.x snap-in | Record the account partner trust setting value here | Equivalent setting and page in the Add Claims Provider Trust Wizard in the AD FS 2.0 Management snap-in

Step 1

  AD FS 1.x setting: Display name
  Found under: Federation Service\Trust Policy\Partner Organizations\Account Partner Trust Properties\General Tab\
  Record the value here: ____________________
  AD FS 2.0 setting: Display name
  Found on this wizard page: Specify Display Name

Step 2

  AD FS 1.x setting: Federation Service URI
  Found under: Federation Service\Trust Policy\Partner Organizations\Account Partner Trust Properties\General Tab\
  Record the value here: ____________________
  AD FS 2.0 setting: Claims provider trust identifier
  Found on this wizard page: Configure Identifier

Step 3

  AD FS 1.x setting: Federation Service endpoint URL
  Found under: Federation Service\Trust Policy\Partner Organizations\Account Partner Trust Properties\General Tab\
  Record the value here: ____________________
  AD FS 2.0 setting: WS-Federation Passive URL
  Found on this wizard page: Configure URL

Step 3: Migrate an account partner to a claims provider trust in the AD FS 2.0 Federation Service

Use the following procedure to create a claims provider trust in the AD FS 2.0 Federation Service, using the values that you recorded for this account partner trust in table 1.0.

  1. On the AD FS 2.0 federation server, click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

  2. Under AD FS 2.0\Trust Relationships, right-click Claims Provider Trusts, and then click Add Claims Provider Trust to open the Add Claims Provider Trust Wizard.

  3. On the Welcome page, click Start.

  4. On the Select Data Source page, click Enter claims provider trust data manually, and then click Next.

  5. On the Specify Display Name page, under Display name, type the value that you recorded in table 1.0 for the Display Name setting, under Notes, type a description for this claims provider trust, and then click Next.

  6. On the Choose Profile page, do one of the following:

    • Click AD FS 2.0 Profile, click Next, and then go to step 7.

    • Click AD FS 1.0 and 1.1 profile, click Next, and then go to step 8.

    If you know that you will require interoperability between this claims provider trust and other, older Active Directory Federation Services (AD FS) account partner trusts, click AD FS 1.0 and 1.1 profile. Otherwise, use the default AD FS 2.0 profile option.

  7. On the Configure URL page, do one or both of the following, click Next, and then go to step 9:

    • Select the Enable support for the WS-Federation Passive protocol check box. Under WS-Federation Passive protocol URL, type the value that you recorded in table 1.0 for the Federation Service endpoint URL setting, and then click Next.

    • Select the Enable support for the SAML 2.0 WebSSO protocol check box. Under SAML 2.0 SSO service URL, type the SAML service endpoint URL for this claims provider trust, and then click Next.

    Click the Help button on this page for more information about which of these options apply to the needs of your organization.

  8. On the Configure URL page, under Web browser authentication URL, type the value that you recorded in table 1.0 for the Federation Service endpoint URL setting, and then click Next.

  9. On the Configure Identifier page, under Claims provider trust identifier, type the value that you recorded in table 1.0 above for the Federation Service URI setting, and then click Next.

  10. On the Configure Certificates page, click Add to locate the verification certificate file that you exported in Step 1, add it to the list of certificates, and then click Next.

  11. On the Ready to Add Trust page, click Next to save your claims provider trust information.

  12. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box that is associated with this new claims provider trust.

    At this point, leave the Edit Claim Rules dialog box open on the AD FS 2.0 federation server. You will need it in step 4 to configure claim rules that are equivalent to the claim mapping that you have associated with the account partner trust that you are migrating from in AD FS 1.x.
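The same trust can be created from the AD FS 2.0 Windows PowerShell snap-in instead of the wizard. The following script is an added example and is not part of the original procedure; the display name, identifier URI, endpoint URL, certificate path and expected thumbprint are placeholder values that stand in for the entries recorded in table 1.0 and the file exported in Step 1. It also shows the check a practitioner wants before adding a partner's signing certificate: compare the exported certificate's thumbprint and validity against what the partner supplied out of band, so that a wrong or expired file is not trusted.

```powershell
# Added example, not from the original article: create the claims provider trust
# with the AD FS 2.0 PowerShell snap-in using the values recorded in table 1.0.
# All values below are placeholders (assumed); replace them with your own.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$displayName = 'Contoso account partner (migrated from AD FS 1.x)'  # table 1.0, row 1 (Display name)
$identifier  = 'urn:federation:contoso'                              # table 1.0, row 2 (Federation Service URI)
$passiveUrl  = 'https://fs.contoso.com/adfs/ls/'                     # table 1.0, row 3 (Federation Service endpoint URL)
$certPath    = 'C:\migration\contoso-verification.cer'               # file exported in Step 1
$expectedThumbprint = '<THUMBPRINT SUPPLIED BY THE PARTNER>'         # placeholder; obtain it out of band

# Load the exported verification certificate and confirm it is the one the partner published.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
if ($cert.Thumbprint -ne $expectedThumbprint) {
    throw "Thumbprint $($cert.Thumbprint) does not match the value supplied by the partner; not adding the trust."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Verification certificate expired on $($cert.NotAfter); obtain a current certificate before migrating."
}

# The AD FS 1.x verification certificate becomes the partner's token-signing certificate
# on the AD FS 2.0 claims provider trust; the Federation Service endpoint URL becomes the
# WS-Federation Passive endpoint.
Add-ADFSClaimsProviderTrust -Name $displayName `
    -Identifier $identifier `
    -WSFedEndpoint $passiveUrl `
    -TokenSigningCertificate $cert `
    -Notes 'Migrated from AD FS 1.x account partner trust'

# Review what was created before configuring claim rules.
Get-ADFSClaimsProviderTrust -Name $displayName |
    Select-Object Name, Identifier, WSFedEndpoint,
        @{ n = 'SigningCertThumbprints'; e = { $_.TokenSigningCertificates | ForEach-Object { $_.Thumbprint } } }
```

Run the script in an elevated Windows PowerShell session on the AD FS 2.0 federation server. The thumbprint comparison is deliberate: the verification certificate is what the Federation Service will use to accept tokens from this partner, so the file must be checked against a value obtained from the partner rather than taken on trust from the export.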

Step 4: Document the claim mappings that are associated with the account partner trust in the AD FS 1.x Federation Service

Document each claim mapping that is enabled for the account partner trust. In the next procedure, you use the information that you type in the following table to populate the equivalent fields that will appear in the claim rule dialog box.

Before you enter this information into the table, navigate to the following location in the AD FS 1.x snap-in to locate the claim mappings. Enter only the claim mappings that are enabled.

Navigate to Federation Service\Trust Policy\Partner Organizations\Account Partners, and then click the account partner trust that you are migrating.

Table 1.1

Columns: Record the claim mappings that are enabled for this account partner (one per row) | Provide a description of the claim mappings

  Claim mapping: ____________________   Description: ____________________
  Claim mapping: ____________________   Description: ____________________
  Claim mapping: ____________________   Description: ____________________

Step 5: Migrate claim mappings to a claims provider trust in the AD FS 2.0 Federation Service

You can use these procedures on the AD FS 2.0 federation server to create a claim rule for each corresponding claim mapping that you recorded in table 1.1. The procedures show how to create claim rules for the following common claim types:

  • E-mail

  • UPN

  • Common Name

  • Group

Migrate an E-mail claim mapping

  1. In the Edit Claim Rules dialog box, click Add Rule to start the rule wizard that is associated with the Acceptance Transform Rules rule set.

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select AD FS 1.x E-mail Address in the list.

    • In Outgoing claim type, select AD FS 1.x E-mail Address in the list.

  4. Select Pass through all claim values.

  5. Click Finish.

  6. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.

Migrate a UPN claim mapping

  1. In the Edit Claim Rules dialog box, click Add Rule to start the rule wizard again.

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select UPN in the list.

    • In Outgoing claim type, select UPN in the list.

  4. Select Pass through all claim values.

  5. Click Finish.

  6. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.

Migrate a Common Name claim mapping

  1. In the Edit Claim Rules dialog box, click Add Rule to start the rule wizard again.

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select Common Name in the list.

    • In Outgoing claim type, select Common Name in the list.

  4. Select Pass through all claim values.

  5. Click Finish.

  6. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.

Migrate a Group claim mapping

  1. In the Edit Claim Rules dialog box, click Add Rule to start the rule wizard again.

  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim in the list, and then click Next.

  3. On the Configure Rule page:

    • Under Claim rule name, type a display name for this rule.

    • In Incoming claim type, select Group in the list.

    • In Outgoing claim type, select Group in the list.

  4. Select Replace an incoming claim value with a different outgoing claim value.

  5. In Incoming claim value, type the name of the group (for example, temps), and, in Outgoing claim value, type the name of the new group (for example, vendors).

  6. Click Finish.

  7. In the Edit Claim Rules dialog box, click OK to save the rule to this rule set.
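The four rules that the Transform an Incoming Claim template produces in the procedures above can also be written directly in the claim rule language and applied with the AD FS 2.0 PowerShell snap-in. The following script is an added example and not part of the original procedure: the trust name is the placeholder used for Step 3, the group names temps and vendors are the article's own illustrative values, and the rule text follows the form that the wizard generates for "Pass through all claim values" and "Replace an incoming claim value with a different outgoing claim value". The claim type URIs are the ones AD FS 2.0 registers for the AD FS 1.x E-mail Address, UPN, Common Name and Group entries; the assumption that the wizard's UPN entry maps to the 2005 identity UPN URI is noted in the code.

```powershell
# Added example, not from the original article: set the acceptance transform rules
# for the migrated claims provider trust in one call. The trust must already exist (Step 3).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName = 'Contoso account partner (migrated from AD FS 1.x)'  # assumed display name from Step 3

# Claim rule language. Each rule matches one incoming claim type from the AD FS 1.x partner
# and issues it unchanged, except the Group rule, which rewrites the value temps to vendors.
# Assumption: the wizard's "UPN" entry corresponds to the 2005 identity UPN URI below.
$rules = @'
@RuleTemplate = "MapClaims"
@RuleName = "Pass through AD FS 1.x E-mail Address"
c:[Type == "http://schemas.xmlsoap.org/claims/EmailAddress"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/EmailAddress", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "MapClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "MapClaims"
@RuleName = "Pass through Common Name"
c:[Type == "http://schemas.xmlsoap.org/claims/CommonName"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/CommonName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "MapClaims"
@RuleName = "Map group temps to vendors"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "temps"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "vendors", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Acceptance transform rules decide which claims the Federation Service accepts from this
# partner; incoming claims that no rule matches are dropped rather than passed on.
Set-ADFSClaimsProviderTrust -TargetName $trustName -AcceptanceTransformRules $rules

# Display the rules as stored on the trust.
(Get-ADFSClaimsProviderTrust -Name $trustName).AcceptanceTransformRules
```

Because Set-ADFSClaimsProviderTrust replaces the whole rule set, include every rule the trust needs in the one string. Keeping the rule set to exactly the enabled mappings recorded in table 1.1 is also the least-privilege outcome the migration should preserve: a claim type that was not mapped in AD FS 1.x should not start being accepted in AD FS 2.0.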