Creating a Relying Party Trust in the AD FS Management Console

Creating a Relying Party Trust (RPT) in Active Directory Federation Services (AD FS) establishes a secure trust relationship between the AD FS server and the Lazsa Platform, which relies on AD FS for user authentication. This trust enables Single Sign-On (SSO) functionality, where AD FS authenticates users before granting them access to the Lazsa Platform.

Prerequisites

Ensure you have the Federation Metadata XML file downloaded from the Lazsa Platform. After you complete the SSO configuration steps for Microsoft Active Directory in the First 24 Hours (F24H) Wizard, this file is available for downloading. This file contains the necessary configuration data to establish the trust.

For the configuration steps in the F24H Wizard, see First 24 Hours (F24H) Wizard (For Tenant Administrator).

Creating AD FS Relying Party Trust

To create a relying party trust in the AD FS management console, do the following:

  1. Open AD FS Management Console

    Log in to the AD FS server and open the management console. In Server Manager, click Tools and select AD FS Management.

    Open AD FS Management Console

  2. Click Add Relying Party Trust

    Under the Actions pane, click Add Relying Party Trust... to start the wizard.

    Click Add Relying Party Trust

  3. Welcome Page

    On the Welcome page, select Claims aware and click Start.

    Click Claims aware > Start

  4. Select Data Source

    On the Select Data Source page, choose Import data about the relying party from a file.

    Browse to locate the Federation Metadata XML file downloaded from the Lazsa Platform, and click Next.

    Choose Import data about the relying party from a file

  5. Specify Display Name

    On the Specify Display Name page, enter a name in the Display name field (for example, Lazsa Platform Trust).

    Optionally, add a description in the Notes field for future reference.

    Click Next to proceed.

    Enter display name for relying party

  6. Choose Access Control Policy

    On the Choose Access Control Policy page, select the desired access control policy (for example, Permit everyone or a custom policy for user access).

    Click Next.

    Choose access control policy

  7. Ready to Add Trust

    Review the settings on the Ready to Add Trust page, then click Next to complete the creation of the relying party trust.

  8. Finish

    On the Finish page, click Close. This action will automatically display the Edit Claim Rules dialog box.

    On Finish screen, click Close

  9. Edit Claim Issuance Policy

    Right-click the trust you just created, and click Edit Claim Issuance Policy.

  10. Add Claim Rule

    In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules, click Add Rule to start the rule wizard.

    Click Add Rule to specify claims to be sent to the relying party

  11. Select Rule Template

    On the Select Rule Template page, from the Claim rule template list, select Transform an Incoming Claim, and then click Next.

    Select Transform an Incoming Claim template

  12. Configure Rule

    On the Configure Rule page, do the following:

    1. Under Claim rule name, type the display name for this rule (for example, Incoming Claim).

    2. In Incoming claim type, select Windows account name.

    3. In Outgoing claim type, select Name ID.

    4. In Outgoing name ID format, select Windows Qualified Domain Name.

    5. Click Finish.

      Configure rule to map incoming claim type to outgoing claim type

    6. In the Edit Claim Rules dialog box, click OK to save the rule.

  13. Create a Rule to Send LDAP Attributes as Claims

    In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules, click Add Rule to start another rule wizard.

  14. Select Rule Template

    On the Select Rule Template page, choose Send LDAP Attributes as Claims and click Next.

  15. Configure Rule

    On the Configure Rule page, do the following:

    1. Under Claim rule name, type the display name for this rule (for example, Outgoing Claim).

    2. Select Active Directory as the Attribute Store.

    3. Map LDAP attributes to the appropriate outgoing claim types. For example:

      • LDAP Attribute: E-mail-Addresses

      • Outgoing Claim Type: E-mail Address

    4. Click Finish.

  16. In the Edit Claim Rules dialog box, click OK to save all claim rules.
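The same trust and the two claim rules from the steps above, created with the AD FS PowerShell module instead of the wizard. This is an added example, not code from the Lazsa Platform documentation; the metadata file path, the display name and the notes text are assumptions, and the access control policy parameter requires AD FS on Windows Server 2016 or later.

```powershell
# Added example (not from the Lazsa docs): create the relying party trust from the
# downloaded Federation Metadata XML and attach the claim rules from steps 12 and 15.
# Assumptions: $metadataFile and $trustName are placeholders; adjust them to your environment.
Import-Module ADFS

$metadataFile = 'C:\Temp\FederationMetadata.xml'   # placeholder: path of the file downloaded from the F24H Wizard
$trustName    = 'Lazsa Platform Trust'              # placeholder: display name shown in the console

# Rule 1 (step 12): Transform an Incoming Claim
#   Windows account name -> Name ID, outgoing name ID format "Windows Qualified Domain Name"
# Rule 2 (step 15): Send LDAP Attributes as Claims
#   Active Directory attribute E-mail-Addresses (LDAP "mail") -> E-mail Address claim
$issuanceRules = @'
@RuleTemplate = "MapClaims"
@RuleName = "Incoming Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
              = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName");

@RuleTemplate = "LdapClaims"
@RuleName = "Outgoing Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);
'@

# Steps 2-8: import the relying party from the metadata file, apply the access control
# policy, and attach the issuance transform rules in one call.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile `
    -Notes 'Trust for Lazsa Platform SSO' `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $issuanceRules

# Verification: the Identifier and endpoints were taken from the metadata file, so confirm
# they are the Lazsa Platform values and that exactly the two intended rules are attached
# before validating single sign-on from the F24H Wizard.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Enabled, Identifier, AccessControlPolicyName, IssuanceTransformRules
```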

By following these steps, you have successfully created a Relying Party Trust in AD FS, enabling a secure federation relationship between your AD FS server and the Lazsa Platform. This setup allows AD FS to handle authentication requests from Lazsa users. Note that the steps may vary slightly depending on the AD FS version you use, but the overall process remains the same.

After you successfully create the relying party trust for the Lazsa Platform, return to the F24H Wizard screen and validate single sign-on.
