Configure the AD FS server for IFD

 

Applies To: Dynamics 365 (on-premises), Dynamics CRM 2016

After you have enabled IFD on the Microsoft Dynamics 365 Server you will need to create a relying party for the IFD endpoint on the AD FS server.

Configure relying party trusts

1. On the computer that is running Windows Server where the AD FS federation server is installed, start AD FS Management.

2. In the Navigation Pane, expand Trust Relationships, and then click Relying Party Trusts.

3. On the Actions menu located in the right column, click Add Relying Party Trust.

4. In the Add Relying Party Trust Wizard, click Start.

5. On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file.

   This federation metadata is created during IFD Setup, for example, https://auth.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml.

   Type this URL in your browser and verify that no certificate-related warnings appear.

6. Click Next.

7. On the Specify Display Name page, type a display name, such as Dynamics 365 IFD Relying Party, and then click Next.

8. On the Configure Multi-factor Authentication Now page, make your selection and click Next.

9. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.

10. On the Ready to Add Trust page, on the Identifiers tab, verify that Relying party identifiers has three identifiers such as the following:

    • https://auth.contoso.com

    • https://orgname.contoso.com

    • https://dev.contoso.com

    If your identifiers differ from the above example, click Previous in the Add Relying Party Trust Wizard and check the Federation metadata address.

11. Click Next, and then click Close.

12. If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

    Important

    Be sure the Issuance Transform Rules tab is selected.

13. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

14. Create the following rule:

    • Claim rule name: Pass Through UPN (or something descriptive)

    • Add the following mapping:

      1. Incoming claim type: UPN

      2. Pass through all claim values

15. Click Finish.

16. In the Rules Editor, click Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

    • Claim rule name: Pass Through Primary SID (or something descriptive)

    • Add the following mapping:

      1. Incoming claim type: Primary SID

      2. Pass through all claim values

17. Click Finish.

18. In the Rules Editor, click Add Rule,

19. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

20. Create the following rule:

    • Claim rule name: Transform Windows Account Name to Name (or something descriptive)

    • Add the following mapping:

      1. Incoming claim type: Windows account name

      2. Outgoing claim type: Name

      3. Pass through all claim values

21. Click Finish, and, when you have created all three rules, click OK to close the Rules Editor.

For Windows Server 2016, run a cmdlet

If you're AD FS server is running Windows Server 2016, run the following Windows PowerShell cmdlet:

Grant-AdfsApplicationPermission -ClientRoleIdentifier "<ClientRoleIdentifier>" -ServerRoleIdentifier <ServerroleIdentified>

1. ClientRoleIdentifier : the ClientId of your Adfsclient. For example: e8ab36af-d4be-4833-a38b-4d6cf1cfd525

2. ServerroleIdentified : the Identifier of your relying party. For example: https://adventureworkscycle3.crm.crmifd.com/

For more information, see Grant-AdfsApplicationPermission.

See Also

Implement claims-based authentication: external access

© 2017 Microsoft. All rights reserved. Copyright