Configuring Microsoft's AD Federation Service Relying Party Trust for Safeguard (4256264)

1.      Open the AD FS Management snap-in.

2.      Navigate to AD FS | Trust Relationships | Relying Party Trusts

3.      Right click and choose, Add Relying Party Trust…

4.      Choose Import data about the relying party from a file and browse to the Safeguard federation metadata file you downloaded previously.

5.      Give it a display name so you can identify it.

6.      Do not configure multi-factor authentication for now.

7.      Select Permit all users…

8.      Click the Next button until you get to the finish.

9.      Leave the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checked and click the Close button.

10.   The Edit Claim Rules dialog window should open.  If not, right click on the new Relying Party Trust and choose Edit Claim Rules…

11.   Click the Add Rule… button.

12.   Proceed with the Send LDAP Attributes as Claims Claim rule template by clicking the Next button.

13.   Enter “Email as ID” for the Claim rule name.

14.   Choose “Active Directory” in the Attribute store drop-down list.

15.   Use the Mapping of LDAP attributes to outgoing claim types table to map the LDAP Attribute of “E-Mail-Addresses” to the “*E-Mail Address” Outgoing Claim Type.

16.   Click Finish.

17.   Click OK to close the dialog window.

18.   Use PowerShell to change newly created Relying Party signing certificate setting. Run command 'Set-ADFSRelyingPartyTrust -TargetName “<Display name>” -SigningCertificateRevocationCheck None'


NOTE: if using Safeguard in a clustered environment and you do not use a load balanced DNS name to access Safeguard, or you wish to be able to log in to a specific node, you must manually add additional Endpoints to the Relying Party Trusts properties.  For each clustered node's IP Address or DNS name that you wish to use, add a SAML Assertion Consumer endpoint with POST binding and a Trusted URL of: https://<safeguard_node>/RSTS/Login.