Configuring ADFS 4.0 (Windows Server 2016)

  1. Go to the server on which ADFS is installed and launch the AD FS Management application.

  2. Expand the Trust Relationships node and click on the Relying Party Trusts node.

  3. Click on the Add Relying Party Trust link in the right pane to start the Add Relying Party Trust wizard.

  4. Select the Claims aware radio button and click the Start button to continue.

  5. Select the Import data about the relying party from a file radio button. Browse to select the Metadata XML file you downloaded from Secret Server in the earlier steps. Once uploaded, click Next to continue.

  6. Choose and enter a Display Name for this Relying Party and any additional notes you may want. Click Next to continue.

  7. Choose the Permit everyone access control policy and then click Next to continue. You may optionally select another access control policy to permit only a smaller subset of users and/or require multi-factor authentication (MFA), if needed; however, these other access control policies will not be covered in this configuration.

  8. Click Next in the next window.

  9. On the Finish page, make sure the Configure claims issuance policy for this application

Create Claim Rules for the Secret Server Relying Party

We have now created the Relying Party Trust in ADFS for Secret Server; however, we must set a claim rule so that ADFS relays information to Secret Server that identifies and authenticates the user.

  1. Let’s turn our attention to the “Edit Claim Issuance Policy…” dialog window that comes up after the prior steps.

  2. Click the Add Rule button.

  3. Under Claim rule template, select Send LDAP Attributes as Claims. Click Next to continue.

  4. Fill out the information:

    1. Claim rule name: Optional

    2. Attribute Store: select Active Directory

    3. Add an LDAP Attribute of User-Principal-Name

    4. Outgoing Claim Type of Name ID

    5. Click Finish

  5. Click on Apply and OK.

  6. Download your Metadata for the Relying Party Trust you created for Secret Server. There are several methods:

    1. Navigate to https://[YOURSERVERNAME]/FederationMetadata/2007-06/FederationMetadata.xml to download the Metadata for your ADFS IDP. The file will automatically download.

    2. Run the PowerShell script on this page.
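The same relying party trust and claim rule, scripted with the ADFS PowerShell module as an added example (this is not the page's own script, nor Secret Server's); the display name, the path of the downloaded Secret Server metadata and the output path are assumed values.

```powershell
# Added example, not the page's script: creates the Secret Server relying party
# trust and the UPN -> Name ID claim rule described above, then downloads the
# ADFS federation metadata. Display name and file paths are assumptions.
#Requires -RunAsAdministrator
Import-Module ADFS

$displayName  = 'Secret Server'                        # assumed display name
$metadataFile = 'C:\Temp\SecretServerMetadata.xml'     # metadata XML from Secret Server (assumed path)
$outFile      = 'C:\Temp\ADFS-FederationMetadata.xml'  # where to save the ADFS IdP metadata (assumed path)

# Claim rule equivalent to the "Send LDAP Attributes as Claims" template:
# attribute store Active Directory, LDAP attribute User-Principal-Name,
# outgoing claim type Name ID.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $displayName)) {
    # Wizard steps 5 and 7: import the relying party from the metadata file
    # and apply the "Permit everyone" access control policy used above.
    Add-AdfsRelyingPartyTrust -Name $displayName `
        -MetadataFile $metadataFile `
        -Notes 'Secret Server SAML relying party' `
        -AccessControlPolicyName 'Permit everyone' `
        -IssuanceTransformRules $issuanceRules
} else {
    # Trust already exists: only (re)apply the claim issuance rule.
    Set-AdfsRelyingPartyTrust -TargetName $displayName -IssuanceTransformRules $issuanceRules
}

# Review what was applied before handing the metadata to Secret Server.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, AccessControlPolicyName, IssuanceTransformRules |
    Format-List

# Step 6: download the ADFS IdP metadata from the same URL as the manual step,
# using the federation service name configured on this farm.
$fqdn = (Get-AdfsProperties).HostName
Invoke-WebRequest -Uri "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml" -OutFile $outFile
```

Run it in an elevated PowerShell session on an ADFS server; the Format-List output lets you confirm the identifier taken from the Secret Server metadata and the rule text before uploading the downloaded file to Secret Server.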