- Open the federationmetadata.xml file from the ADFS server that users will be authenticating against (we'll call it IP) in the browser. By default the location will be https://myIpAdfsServer/FederationMetadata/2007-06/FederationMetadata.xml. If you get an untrusted certificate error in the browser you'll need to add the root authority certificate for the IP ADFS server's SSL to your trusted root authorities store. NOTE: This assumes that you have the same root authority certificate for both the SSL access to the IP ADFS web server and the IP ADFS token signing certificate. If they are not the same then you need to add the root certificate authority for BOTH to the local RP ADFS server's certificate store. To do that:
- Click through to view the web site, which should show the Xml file.
- Click on the View Certificates icon so you can see the SSL certificate that was used.
- Click on the Certificate Path tab.
- Double-click on the top certificate in the chain - this is the root authority certificate.
- Click on the Details tab.
- Click on the Copy to File... button and save the certificate in CER format to the local disk. You can now close out all of the certificate dialogs and browser.
- Open up the Certificates MMC; if you don't have a shortcut for this then just start the MMC from the Run menu, Add snap-ins, and add the Certificates snap-in for the Computer (local).
- Expand the Trusted Root Certification Authorities node, right-click on the Certificates node, and choose the Import menu. Follow the wizard to import the root authority .CER file you exported above.
- Open up the AD FS 2.0 Management application.
- Expand the Trust Relationships node, then right-click on the Claim Provider Trusts node and select Add Claims Provider Trust...
- Click the Start button to begin the wizard.
- Leave the default option selected to Import data about the claims provider published online or on a local network, and in the edit box put in the address to the FederationMetadata.xml file (https://myIpAdfsServer/FederationMetadata/2007-06/FederationMetadata.xml by default) then click the Next button. If your root authority certificate is correctly installed and the name can be resolved, then the wizard will continue to the next step. If not, you have troubleshooting to do.
- Provide a Display Name and optionally Notes, then click the Next button.