Abstract
This guide provides instructions for using Active Directory Federation Services (AD FS) 2.0 in a
small test lab environment. The purpose is to demonstrate how two fictitious companies can
collaborate on documents using a federated trust that provides claims-based access using
AD FS 2.0. The instructions in this guide should take approximately 90 minutes to complete.
This document is provided "as-is". Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice. You bear the risk of
using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
You may modify this document for your internal, reference purposes.
© 2010 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT,
Windows Server, and Windows Vista are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries. All other trademarks are
property of their respective owners.
Contents
Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0
About this guide
Scenario Overview
Preinstallation Tasks
Download and extract VMs
Step 1: Set Microsoft Office SharePoint Server 2007 to accept tokens from the Contoso federation server
Step 2: Add the Domain Admins group as Administrator for the SharePoint site
Step 3: Configure the Contoso federation server to issue tokens to the SharePoint site
Step 5: Configure the Contoso federation server to accept tokens from the Fabrikam federation server
Step 8: Configure the Contoso federation server to get values from a SQL data store
Important
Any modifications that you make to the configuration details in this guide may affect or
limit your chances of setting up this lab successfully the first time.
Microsoft has tested this guide successfully using Windows Server 2008 Hyper-V virtualization
technology.
The instructions in this guide should take approximately 90 minutes or less to complete. Your time
to complete the steps in this guide may vary, depending on whether you have to set up a
computer that is suitable for hosting the virtual lab environment.
Scenario Overview
This section includes background information about the fictional companies in this document. It
also identifies their business goals and briefly describes the technologies that are used to achieve
these goals.
Using AD FS 2.0 to provide role and user access to the SharePoint site
In steps 1 through 4, we configure Microsoft Office SharePoint Server 2007 to obtain role and user
information from AD FS 2.0 instead of directly from Active Directory Domain Services (AD DS). In
addition, we configure AD FS 2.0 in the Contoso domain to issue role and user information to the
SharePoint site.
Note
The following sections assume that you are working with the hands-on lab VM images
that are provided for download on the Microsoft Web site. We recommend downloading
the images if your intent is to evaluate the scenario and AD FS 2.0 technology in the
shortest possible time frame. If you have more time and prefer to do so, you can build
your own VM lab images for each of the four computers. This requires considerably more
time to install and configure all the necessary software. For more information, see How to
Set Up the AD FS 2.0 VM Lab Environment (http://go.microsoft.com/fwlink/?LinkId=179632).
Preinstallation tasks include the following:
• Download and extract VMs
• Create a new virtual network
• Import and start virtual machines
Administrative credentials
To perform all the tasks in this guide, log on to the virtual server computer—and to each of the
four VMs that you create on it—with the local Administrator account for each computer. Where
applicable, user passwords for accounts that are preconfigured as part of the VM images are
provided.
To use the downloadable VM images that are referenced in this guide, import and then run
them on a host server computer running Microsoft Hyper-V™ under Windows Server® 2008 R2.
For the purposes of this step-by-step guide, if you did not create your own set of VMs, download
the following files from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=148506).
• ContosoSrv01.zip
• ContosoSrv02.zip
• FabrikamSrv01.zip
• FabrikamSrv02.zip
• WS2008R2Fullx64Ent.zip
When the download is complete, extract the contents of the .zip files to the folder where the VMs
will reside; for example, extract the folder ContosoSrv01 from ContosoSrv01.zip to c:\VM\. Repeat
the step for ContosoSrv02, FabrikamSrv01, and FabrikamSrv02.
Note
For configuring the VMs using the images from the Microsoft Download Center, you will
need 100 GB of available disk space on the computer that you use to host the four VMs
that are referenced in this guide.
The WS2008R2Fullx64Ent.zip file contains the base VHD, which must be copied into the Virtual Hard
Disks folder of each VM. For example, for ContosoSrv01, copy the extracted WS2008R2Fullx64Ent.vhd
to c:\VM\ContosoSrv01\Virtual Hard Disks\. Repeat the same step for ContosoSrv02, FabrikamSrv01,
and FabrikamSrv02.
The following table describes what is installed, along with the appropriate names and RAM
settings to use for best results when you import the four VMs with Hyper-V.
Repeat steps 1 through 4 for every VM named in the previous table. We recommend that you not
start all four VMs at the same time; for performance reasons, start one VM, wait until it is up and
running, and then start the next. The order in which you start the VMs in Hyper-V Manager also
matters. For best results, start the four VMs one at a time in the following order: CONTOSOSRV01,
FABRIKAMSRV01, CONTOSOSRV02, FABRIKAMSRV02.
If, after turning the VM on and logging in, you are prompted to restart the VM, choose to restart.
To configure the SharePoint site to trust and use the Contoso federation server
Note
SharePoint names the Central Administration configuration folder with a randomly chosen
number. In this case, the folder is 37101; it might be different on your system.
4. For the Application configuration location, browse to
c:\inetpub\wwwroot\wss\VirtualDirectories\docs.contoso.com443, and then select
web.config.
5. For the application URI, type https://docs.contoso.com.
6. For SharePoint Security Zone for the Application, select Extranet, and then click
Next.
7. For STS WS-Federation metadata document location, type
https://sts1.contoso.com, and then click Next.
8. On the next screen, keep Disable certificate chain validation selected, and then click Next.
(Skipping chain validation is a lab shortcut: SharePoint then accepts tokens signed with the
configured STS certificate without checking that it chains to a trusted root. Leave validation
enabled in production.)
9. On the next screen, keep the No encryption option selected, and then click Next.
10. Click Next again, and then click Finish. After you click Finish, it takes a few minutes
to configure.
11. Click OK when the SharePoint site is fully configured.
To add the Domain Admins group to the Administrators group for the SharePoint site
On the next page, we change to the SharePoint site that we are actually configuring.
5. Click the Web Application drop-down list, and then click Change Web Application.
6. In the Select Web Application window that pops up, click Sharepoint:80 for the site
to be configured.
7. On the Policy for Web Application page, click Add Users.
8. In the Zones drop-down list, select the Extranet zone to which we will add users,
and then click Next.
9. On the next page, we add the Domain Admins role. In the Users text box, type
Role#Domain Admins. To give Domain Admins Full Control permissions, select the
check box for Full Control, and then click Finish.
Note
The Role# prefix tells the custom role provider that Domain Admins is a role. If you
add Domain Admins without this prefix, the value is treated as a user name.
10. On the next page, you see the Domain Admins role added with full control of the site.
Step 3: Configure the Contoso federation server to issue tokens to the SharePoint site
In this step, we configure the federation server in the Contoso domain to issue tokens to the
SharePoint site. That is, we add the SharePoint site as the relying party. We also configure the
Contoso federation server to use Active Directory as the source of role and user information.
To add the SharePoint site as a relying party for the Contoso federation server
Now that we have added the SharePoint Site as a relying party, we configure the claims to send
to it.
To add the DrugTrial1Admins role with administrator access to the SharePoint site
4. Back on the SharePoint site, on the Site Actions menu, click Site Settings, and then
click People And Groups.
5. To add a group to the Home Owners group, click the Home Owners link in the
Groups pane.
6. On the next page, click New, and then click Add Users.
7. In Users/Groups, type Role#DrugTrial1Admins, and then click OK.
On the next page, you see Role#DrugTrial1Admins as a member of the Home Owners group.
To add the DrugTrial1Auditors role with visitor access to the SharePoint site
1. In the browser window that you opened to the SharePoint administration site
previously, under Groups, click Home Visitors.
2. On the next page, click New, and then click Add Users.
3. In the input box, type Role#DrugTrial1Auditors, and then click OK.
4. Role#DrugTrial1Auditors appears in the Home Visitors group.
To verify that the new roles are working when you access the SharePoint site
To add the Fabrikam federation server as a claims provider at the Contoso federation server
4. The Add Identity Provider Wizard opens. Click Start to begin the wizard.
5. On the Choose Data Source page, click Import identity provider configuration
from federation metadata on the network. For Federation metadata URL or host
name, type sts2.fabrikam.com, and then click Next.
6. On the next page, type a name for the identity provider (Fabrikam Identity
Provider), and then click Next.
7. Click Next on the screen that appears, and then click Close when the wizard finishes
saving the policy.
When the wizard exits, the Rules Editor opens and we can specify which claims (and the
values for those claims) to accept from the Fabrikam federation server. In the Rules
Editor, we are going to add two new rules. In the first rule, we will only pass through the
email claim if it ends with "@fabrikam". For the second rule, we will only pass through the
Role claim if it has a value of "DrugTrial1Auditors".
To configure the claims acceptance policy for the Fabrikam identity provider
To update the claims issuance policy for the SharePoint site on the Contoso federation server
To add the Contoso federation server as a relying party on the Fabrikam federation server
4. The Add Relying Party Wizard opens, as shown in the following illustration. Click
Start to begin adding the Contoso federation server as a relying party.
5. On the Select Data Source page, keep the default option selected, click Import data
about the relying party published online or on a local network, type
sts1.contoso.com, and then click Next.
6. On the Specify Display Name page, type Contoso STS for a display name, and
click Next.
7. Complete the rest of the wizard with the default options selected. Click Close at the
end to start the Rules Editor.
Note
Accessing a document that is present at the SharePoint site directly from Microsoft
Office Word requires Microsoft Office Service Pack 2 (SP2) and Windows Vista®
SP2. Also, for Group Policy changes to take effect from the changes we made in the
previous step, restart the FABRIKAMCLT01 VM before you continue with this step.
To open a document directly from the SharePoint site using Microsoft Office Word
Note
Accessing a document that is present at a federated SharePoint site directly from
Microsoft Office Word requires Microsoft Office Service Pack 2 (SP2) and
KB969413.
1. Log on to the FABRIKAMSRV02 computer as user "frankm" with "demo!23" as the user
password.
2. Open Microsoft Office Word.
3. Click the Word Office button, and then click Open.
4. Type the URL of the document that is located on the SharePoint site as follows:
https://docs.contoso.com/Docs/Documents/Contoso%20-%20Statement%20of
%20General%20Terms.docx
5. You should see the same sign-in experience that you saw when accessing the
SharePoint site using Internet Explorer. After you select your identity provider, you are
authenticated and the document is downloaded directly from the federated SharePoint
site.
Table 2 (dbo.TS) records which SharePoint site belongs to which drug trial.
Table 3 (dbo.RS) maps the roles in the database to the roles (SharePoint groups) used on the
Contoso SharePoint site.
Before we can use these roles, we must add them to the SharePoint site and give them the
correct access permissions.
5. To add the sp_admin role, in the left pane, click Home Owners, click New, and
then click Add Users.
6. On the new screen, type Role#sp_admin in the text box, and then click OK.
7. Delete the previously added administrator role. Select the Role#DrugTrial1Admins
check box. On the Actions menu, click Remove Users from Group, and then click OK
in the confirmation dialog box.
8. To add the sp_visitor, under Groups, click Home Visitors, click New, and then click
Add Users.
9. On the next screen, type Role#sp_visitor in the text box, and then click OK.
10. Delete the previously added role. Select Role#DrugTrial1Auditors. In the Actions
pane, click Remove Users from Group, and then click OK in the confirmation dialog
box.
Now, we update the Contoso federation server to also pull role claim values from the SQL
database on this computer.
To add a local SQL database as an attribute store for the Contoso federation server
1. Log on (if you are not still logged on) to the CONTOSOSRV01 computer as
CONTOSO\Administrator with "demo!23" as the user password.
2. Open the AD FS 2.0 Management console (if it is not still open).
On the Start menu, click All Programs, point to Administrative Tools, and then click
AD FS 2.0 Management.
3. In the console tree, expand Trust Relationships, and then click Attribute Stores.
4. In the Actions pane, click Add Attribute Store.
5. The Add an Attribute Store dialog box opens. Type HOL Doctors Role as the display
name. For Attribute Store Type, select SQL, type the following connection string, and then
click OK to finish. For your convenience, this string is in a text file on the desktop, called
DataBase Connect:
Data Source=CONTOSOSRV01;Initial Catalog=HOL Doctors Role;Integrated Security=True
Integrated Security=True means that AD FS connects to SQL Server as the Windows identity of the
AD FS service account, so that account needs a login on the SQL Server; grant it only read access
to the tables that the claim rules query.
Now that we have connected to the database, we must update the SharePoint rules in the
Contoso federation server regarding where to get role claim values:
To update policy to pull role claim values from the SQL attribute store
1. In the console tree of the AD FS 2.0 Management console, under AD FS 2.0 and
Trust Relationships, click Relying Party Trusts. In the Relying Party Trusts list, click
SharePoint Docs Site on Contoso, and then in the Actions pane, click Edit Claim
Rules.
2. The Rules Editor opens. To create a new custom rule, click Add Rule.
3. In the new window that appears, click Send Claims Using a Custom Rule, and then
click Next.
4. In the first rule, we look up which trial the https://docs.contoso.com/ site belongs to.
For the Claim rule name, type Trial Lookup, and for Custom rule, type the following, and
then click Finish. (For convenience, this rule is saved in a file called Custom Rule1 on the
desktop. You can copy and paste it from there.)
=> add(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"), query = "select trial from dbo.TS where dbo.TS.SharePointSite = {0}", param = "https://docs.contoso.com/");
5. Add a second custom rule. In this rule, we use the trial claim that the first rule added
together with the user's e-mail address to discover which role the user belongs to in that trial.
Click Add Rule, select Send Claims Using a Custom Rule, and then click Next. For Claim rule
name, type User Role, and for Custom rule, type the following, and then click Finish. (For
convenience, this rule is saved in a file called Custom Rule2 on the desktop. You can copy and
paste it from there.) Note that the parameters are bound in order: {0} is c1.Value (the e-mail
address) and {1} is c2.Value (the trial).
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"]
=> add(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"), query = "select role from dbo.URT where dbo.URT.Trial = {1} and dbo.URT.UserName={0}", param = c1.Value, param = c2.Value);
6. Now we create a third custom rule. In the third rule, we use the role claim that the
previous rule added to look up the SharePoint group and issue it as the outgoing role claim.
To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule,
and then click Next. For Claim rule name, type SharePoint Role, and for Custom rule,
type the following. (For convenience, this rule is saved in a file called Custom Rule3 on the
desktop. You can copy and paste it from there.)
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"]
=> issue(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "select dbo.RS.SharePointGroup from dbo.RS where dbo.RS.Role = {0}", param = c.Value);
7. Click OK to save these new rules and exit the Rules Editor.
Now that the issuance rules are in place to pull claims from the SQL-based attribute store, we can
test the new policy by accessing the SharePoint site. First, we access the site from within
Contoso.
To verify revisions in access policy to the SharePoint site from within Contoso
Now that you have verified that Daniel from the Contoso domain has write access, try logging in
to the SharePoint site from a computer in the Fabrikam domain with Frank’s account.
To verify revisions in access policy to the SharePoint site from within Fabrikam
3. On the next page, click Active Directory Federation Services, and then click Next.
4. On the next page that appears, click Next.
5. On the next page that appears, click AD FS Web Agent. Select only the Claims-
aware Agent check box, and then click Next.
6. On the next page, click Install, and then click Close after the installation is complete.
Now that we have added all the roles and services, we have to enable federation support in AD RMS.
5. On the Specify Display Name page, in Display name, type AD RMS Certification
Service, and then click Next.
6. On the Choose Profile page, click AD FS 1.0 and 1.1 profile, and then click
Next.
7. On the Configure URL page, for WS-Federation Passive URL, type
https://adrms.contoso.com/_wmcs/certificationexternal/, and then click Next.
8. On the Configure Identifiers page, click Next.
9. On Choose Issuance Authorization Rules page, keep the default option, Permit all
users to access this relying party, selected and click Next.
10. On the next page, click Next.
11. On the Finish page, click Close.
This opens the Rules Editor. The AD RMS service expects the e-mail address of the user.
Now, we create three rules. In the first rule, we take the e-mail address of the user from the
Active Directory (LDAP) attribute store and send it as an AD FS 1.x e-mail address claim. In the
second rule, we transform the incoming e-mail claim from Fabrikam into an AD FS 1.x e-mail
address claim as well. In the third rule, we transform the AD FS 1.x e-mail address claim into a
Name ID claim with the e-mail format.
To update policy to process e-mail claims for the AD RMS Licensing Service
1. In the Rules Editor, click Add Rule. In the new window that appears, select Send
LDAP Attributes as Claims, and then click Next.
2. For the Claim rule name, type Email as AD FS 1.x Email. For Attribute store,
select Active Directory. In LDAP attribute, select E-Mail-Addresses; and in Outgoing
Claim Type, select AD FS 1.x E-Mail Address. Click Finish.
3. For the second rule, click Add Rule. In the new window that appears, select
Transform an Incoming Claim, and then click Next.
4. For the Claim rule name, type Transform incoming Email to AD FS 1.x Email. For
Incoming claim type, select E-Mail Address; and in Outgoing claim type, select
AD FS 1.x E-Mail Address and then click Finish. Click Yes in the dialog box that
appears.
5. For the third rule, click Add Rule. In the new window that appears, select Transform
an Incoming Claim, and then click Next.
6. For the Claim rule name, type Transform AD FS 1.x Email to Name Identifier. For
Incoming claim type, select AD FS 1.x E-Mail Address; and in Outgoing claim type,
select Name ID, and in Outgoing name ID format, select Email, and then click Finish.
Click Yes in the dialog box that appears.
7. Click OK to exit the Rules Editor.
To add the AD RMS Licensing Service, repeat the same steps that you completed to add the
certification service, except give it a friendly name of AD RMS Licensing Service and enter the
URL as https://adrms.contoso.com/_wmcs/licensingexternal/.
Before we try out the scenario, we must do one more thing. We must change the SharePoint site
so that any document leaving a document library is automatically rights-protected for the user
who downloads it. We must also make sure that the SharePoint server knows where the AD RMS
server is located.
First, to tell the SharePoint server where the AD RMS server is located, we log on to the
SharePoint Central Administration Web site.
Now that we have configured AD RMS to work with the SharePoint server on CONTOSOSRV02,
we will configure one of the document libraries on the SharePoint site at https://docs.contoso.com
to be rights-protected. The level of protection will be configured in such a way that any document
that is downloaded from the protected document library will be restricted based on the e-mail
address of the user who is downloading it.
To disable the token encryption between Fabrikam and Contoso AD FS 2.0 servers
We now need to change some keys in the Windows registry on the Fabrikam client
computer (FABRIKAMSRV02) so that the AD RMS client can find the identity provider that it
uses to authenticate to the AD RMS server at Contoso Pharmaceuticals (CONTOSOSRV01),
based on the e-mail address of the user who is downloading the document.
To configure the Fabrikam client computer to be able to find and use the Contoso AD RMS server
To have a Fabrikam user test AD RMS protection for the protected document library on the Contoso SharePoint site
5. For the site settings, enter the following values and leave the rest of the settings at
their defaults:
Title: Confidential
Description: Contains confidential documents
Now we will integrate the sample claims authorization library located in "C:\StepUpAuthentication"
with SharePoint.
Note
If you are using the VMs that were pre-created a sample dll has been created and placed
in the folder.
1. Open a Command Prompt window. On the Start menu, click Run, type cmd, and then
click OK.
2. At the command prompt, type cd "c:\Program Files\Microsoft.NET\SDK\v2.0 64bit\bin",
and then press ENTER.
3. Type gacutil.exe /i c:\StepUpAuthentication\ClaimsAuthorization.dll /f, and then press
ENTER. This installs the assembly into the global assembly cache (GAC), where every .NET
application on the server can load it, so install only an assembly that you built or verified
yourself.
4. Now we edit the web.config of the docs.contoso.com SharePoint site. Type cd
c:\inetpub\wwwroot\wss\VirtualDirectories\docs.contoso.com443, and then press ENTER.
5. Type notepad.exe web.config, and then press ENTER.
6. Locate the element <assemblies> (it is located under
<configuration>/<system.web>/<compilation>). Add the following line:
<add assembly="ClaimsAuthorization, Version=1.0.0.0, Culture=neutral, PublicKeyToken=400a0b56d39a55eb"/>
7. Register the step-up module, using the same assembly reference:
<add name="StepUpAuthenticationModule" type="ClaimsAuthorization.StepUpAuthenticationModule, ClaimsAuthorization, Version=1.0.0.0, Culture=neutral, PublicKeyToken=400a0b56d39a55eb"/>
Now, we author the policy that grants access to the Confidential site only to users who have
authenticated with an X.509 certificate. The two strong authentication types listed below are the
SAML 2.0 authentication context class and the AD FS authentication method URI by which the STS
can express TLS client-certificate authentication.
8. In Notepad, locate the element <service> under
<configuration>/<microsoft.identityModel>. Add the following lines immediately after the
line with the tag <service>.
<claimsAuthorizationManager type="ClaimsAuthorization.CustomClaimsAuthorizationManager">
  <strongAuthenticationTypes>
    <authenticationType type="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"/>
    <authenticationType type="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient"/>
  </strongAuthenticationTypes>
  <authorization>
    <policy>
      <allow claimType="*"/>
    </policy>
  </authorization>
</claimsAuthorizationManager>
9. Save the changes to web.config. In the Notepad menu, click File, and then click Save.
Close Notepad.
1. Log on (if you are not still logged on) to the CONTOSOSRV01 computer as
CONTOSO\Administrator with "demo!23" as the user password.
2. Open the AD FS 2.0 Management console (if it is not still open).
3. On the Start menu, click All Programs, point to Administrative Tools, and then
click AD FS 2.0 Management.
4. In the console tree, double-click Trust Relationships, and then click Claims Provider
Trusts.
5. In the Claims Provider Trusts list, click Active Directory, and then click Edit
Claim Rules in the Actions pane.
6. In the Rules Editor, click Add Rule, and in the wizard, click Next.
7. For the Claim rule name, type Email and Role claim lookup, and for Attribute store,
select Active Directory. In the LDAP Attribute column, select E-Mail-Addresses for the
outgoing E-Mail Address claim, and Token-Groups - Unqualified Names for the Role
claim, and then click Finish. Click OK to exit the Rules Editor.
8. In the console tree, double-click Trust Relationships, and then click Relying Party
Trusts. In the Relying Party Trusts list, click SharePoint Docs Site on Contoso, and
then in the Actions pane, click Edit Claim Rules.
9. In the Rules Editor, select the top-most rule in the list, and then click Remove Rule.
Click Yes in the dialog box that appears.
10. Click the Issuance Authorization Rules tab, select the single item in the list,
and then delete it by clicking Remove Rule.
11. Now we add three rules that query the role information from the SQL database, based
on the e-mail address. They are custom rules, and they are the same rules that we added in
the previous section. For the first rule, click Add Rule. In the wizard that appears, select
Send Claims Using a Custom Rule, and then click Next. The first rule looks up which trial the
https://docs.contoso.com/ site belongs to. For the Claim rule name, type Trial Lookup, and
for Custom rule, type the following, and then click Finish. (For convenience, this rule is
saved in a file called Custom Rule1 on the desktop. You can copy and paste it from there.)
=> add(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"), query = "select trial from dbo.TS where dbo.TS.SharePointSite = {0}", param = "https://docs.contoso.com/");
12. Add a second custom rule. In this rule, we use the trial claim that the first rule added
together with the user's e-mail address to discover which role the user belongs to. To add
another custom rule, click Add Rule, select Send Claims Using a Custom Rule, and
then click Next. For Claim rule name, type User Role, and for Custom rule, type the
following, and then click Finish. (For convenience, this rule is saved in a file called
Custom Rule2 on the desktop. You can copy and paste it from there.)
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"]
=> add(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"), query = "select role from dbo.URT where dbo.URT.Trial = {1} and dbo.URT.UserName={0}", param = c1.Value, param = c2.Value);
13. Now we create a third custom rule. In the third rule, we use the role claim that the
previous rule added to look up the SharePoint group and issue it as the outgoing role claim.
To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule,
and then click Next. For Claim rule name, type SharePoint Role, and for Custom rule,
type the following, and then click Finish. (For convenience, this rule is saved in a file
called Custom Rule3 on the desktop. You can copy and paste it from there.)
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"]
=> issue(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "select dbo.RS.SharePointGroup from dbo.RS where dbo.RS.Role = {0}", param = c.Value);
14. Now that we have gathered all the role information, we add three more rules. Each
rule checks whether the role value is one of Domain Admins, sp_visitor, or sp_admin. For
the first rule, click Add Rule. In the wizard page that appears, keep the default option,
Permit or Deny Users Based on an Incoming Claim, and then click Next. On the next page,
for Claim rule name, type Permit Domain Admins, for Incoming claim type, select Role in
the drop-down menu, and for Incoming claim value, type Domain Admins, and then click
Finish.
15. For the other two rules, repeat the instructions in step 14 with Claim rule names of
Permit sp_visitor and Permit sp_admin and Incoming claim values of sp_visitor and
sp_admin, respectively.
To try out this scenario, log on to ContosoSrv01 and navigate to https://docs.contoso.com. Sign in
as either contoso\administrator or contoso\danielw at the Contoso sign-in page. Both accounts have
access to the SharePoint site: contoso\administrator belongs to the Domain Admins group in
AD DS, and danielw maps to the sp_admin group based on the information in the SQL database.
Try accessing https://docs.contoso.com from the FabrikamSrv01 computer as fabrikam\frankm.
Frank has access to the SharePoint site because his e-mail address maps to the sp_visitor role in
the SQL database. Now try accessing https://docs.contoso.com as fabrikam\alices. Alice is denied
access at the Contoso AD FS Web site because her account does not map to any of the role values
for which we just added rules.
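The following is an added example, not code from the guide or from AD FS: a small simulation of the claim pipeline built in the SQL attribute store section and in the issuance authorization rules above (the three custom rules Trial Lookup, User Role and SharePoint Role, the Fabrikam claims acceptance rules, and the three Permit rules), run against an in-memory SQLite copy of the dbo.TS, dbo.URT and dbo.RS tables. It reproduces the four sign-ins of the walkthrough and goes one step further by showing what happens when the Fabrikam side asserts a contoso.com e-mail address or a Domain Admins role. The column names come from the guide's queries; the rows, the user e-mail addresses and the "@fabrikam.com" suffix of the acceptance rule are constructed assumptions, and the {0}/{1} placeholders of the guide's queries become bound SQL parameters here.

```python
"""Simulation of the AD FS 2.0 claim pipeline from the guide (added example, not the
guide's own code). Table rows, e-mail addresses and the @fabrikam.com suffix are
constructed for this example."""
import re
import sqlite3

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
TRIAL = "http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"
INCOMING_TRIAL_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
SITE = "https://docs.contoso.com/"          # the {0} param of the Trial Lookup rule
PERMITTED_ROLES = ("Domain Admins", "sp_visitor", "sp_admin")


def build_store():
    """In-memory stand-in for the 'HOL Doctors Role' SQL store (SQLite has no dbo schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE TS  (SharePointSite TEXT, Trial TEXT);
        CREATE TABLE URT (UserName TEXT, Trial TEXT, Role TEXT);
        CREATE TABLE RS  (Role TEXT, SharePointGroup TEXT);
        INSERT INTO TS  VALUES ('https://docs.contoso.com/', 'DrugTrial1');
        INSERT INTO URT VALUES ('danielw@contoso.com', 'DrugTrial1', 'DrugTrial1Admins');
        INSERT INTO URT VALUES ('frankm@fabrikam.com', 'DrugTrial1', 'DrugTrial1Auditors');
        INSERT INTO RS  VALUES ('DrugTrial1Admins',   'sp_admin');
        INSERT INTO RS  VALUES ('DrugTrial1Auditors', 'sp_visitor');
    """)
    return db


class ClaimSet:
    """Claim rule language semantics: add() is visible only to later rules in the same
    rule set, issue() is visible to later rules and also lands in the output token."""
    def __init__(self, incoming):
        self.inputs = list(incoming)
        self.outputs = []

    def add(self, ctype, value):
        self.inputs.append((ctype, value))

    def issue(self, ctype, value):
        self.inputs.append((ctype, value))
        self.outputs.append((ctype, value))

    def values(self, ctype):
        return [v for t, v in self.inputs if t == ctype]


def trial_lookup(db, cs):
    """Custom Rule1: => add(trial) from dbo.TS for the site URL."""
    for (trial,) in db.execute("SELECT Trial FROM TS WHERE SharePointSite = ?", (SITE,)):
        cs.add(TRIAL, trial)


def user_role(db, cs):
    """Custom Rule2: c1:[email] && c2:[trial] => add(incomingtrialrole) from dbo.URT."""
    for email in cs.values(EMAIL):
        for trial in cs.values(TRIAL):
            rows = db.execute("SELECT Role FROM URT WHERE Trial = ? AND UserName = ?", (trial, email))
            for (role,) in rows:
                cs.add(INCOMING_TRIAL_ROLE, role)


def sharepoint_role(db, cs):
    """Custom Rule3: c:[incomingtrialrole] => issue(role) from dbo.RS."""
    for role in cs.values(INCOMING_TRIAL_ROLE):
        for (group,) in db.execute("SELECT SharePointGroup FROM RS WHERE Role = ?", (role,)):
            cs.issue(ROLE, group)


def permit_rules(db, cs):
    """The three 'Permit ...' rules: role == X => issue(permit = true)."""
    for value in cs.values(ROLE):
        if value in PERMITTED_ROLES:
            cs.issue(PERMIT, "true")


def fabrikam_acceptance(claims):
    """Acceptance rules on the Fabrikam claims provider trust: only an e-mail ending in
    @fabrikam.com (assumed suffix) and the DrugTrial1Auditors role pass through, so a
    Fabrikam-asserted contoso.com address or Domain Admins role is dropped here."""
    kept = []
    for ctype, value in claims:
        if ctype == EMAIL and re.search(r"@fabrikam\.com$", value, re.IGNORECASE):
            kept.append((ctype, value))
        elif ctype == ROLE and value == "DrugTrial1Auditors":
            kept.append((ctype, value))
    return kept


def authorize(db, claims):
    """Issuance authorization rule set: the custom rules, then the Permit rules."""
    cs = ClaimSet(claims)
    for rule in (trial_lookup, user_role, sharepoint_role, permit_rules):
        rule(db, cs)
    return PERMIT in (t for t, _ in cs.outputs)


def issue_token(db, claims):
    """Issuance transform rule set: the three custom rules; returns the role values that
    SharePoint sees as Role#<value>."""
    cs = ClaimSet(claims)
    for rule in (trial_lookup, user_role, sharepoint_role):
        rule(db, cs)
    return sorted(v for t, v in cs.outputs if t == ROLE)


def sign_in(db, claims, via_fabrikam=False):
    """One sign-in to https://docs.contoso.com: returns (authorized, roles in token)."""
    if via_fabrikam:
        claims = fabrikam_acceptance(claims)
    if not authorize(db, claims):
        return False, []
    return True, issue_token(db, claims)


if __name__ == "__main__":
    db = build_store()   # constructed sign-ins mirroring the walkthrough above
    print(sign_in(db, [(EMAIL, "administrator@contoso.com"), (ROLE, "Domain Admins")]))
    print(sign_in(db, [(EMAIL, "danielw@contoso.com"), (ROLE, "Domain Users")]))
    print(sign_in(db, [(EMAIL, "frankm@fabrikam.com"), (ROLE, "DrugTrial1Auditors")], True))
    print(sign_in(db, [(EMAIL, "alices@fabrikam.com"), (ROLE, "Domain Users")], True))
```

Two things the walkthrough does not spell out become visible here. contoso\administrator is admitted by the Permit Domain Admins authorization rule alone; the three custom rules issue no role for him because he has no row in dbo.URT, so his token carries only what other rules issue. And the acceptance rules on the Fabrikam claims provider trust are the control that keeps Fabrikam from asserting a Contoso identity: a token from sts2.fabrikam.com claiming danielw@contoso.com or Domain Admins loses both claims before the relying party rules run, and is denied. The e-mail value that reaches the dbo.URT query originates in the partner's token, which is why the simulation binds it as a SQL parameter rather than splicing it into the query text.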
Congratulations! This concludes our walkthrough of federated document collaboration using
Microsoft Office SharePoint Server 2007 with AD FS 2.0.