This is a quick example of configuring the Relying Party Trust in AD FS 2.0 with SAML 2.0. This guide will not cover setting up and configuring the AD FS system on a Windows Server. For more information on initial setup, please consult the Microsoft setup and configuration guides.
To configure the Relying Party Trust in AD FS 2.0 with SAML 2.0, take the following steps:
- Go to Administrative Tools and click AD FS 2.0 Management Console.
- Click on Trust Relationships section, and then Relying Party Trusts > Add Relying Party Trust.
- On the Select Data Source screen, select to Enter data about the relying party manually.
- Select a descriptive display name for the service. This is only for your organization and does not impact the integration.
- Select the AD FS 2.0 Profile. SAML 2.0 was not introduced until version 2.0 of AD FS.
- Skip the Configure Certificate step.
- Check the Enable Support for the SAML 2.0 WebSSO protocol box and enter the URL provided by Conga Contracts for the Relying party SAML 2.0 SSO service URL.
- Enter the issuer that the Conga Contracts AuthnRequest provides. It is sso.novatuscontracts.com by default, but this identifier must be unique across all relying party trusts, so if more than one is configured (for example, for testing purposes), a different identifier needs to be entered for each one.
- Select the issuance authorization rules. This is determined by the organization, but it is easiest to simply permit all users access to this relying party. The following screen is a summary screen.
- Click next to add the trust relationship.
- On the final page, leave the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes box checked and click the Close button to launch the dialog.
- The dialog opens to the first tab for Issuance Transform Rules. Click the Add Rule… button at the bottom of the screen. This launches the Add Transformation Claim Wizard.
- Select Send LDAP Attributes as Claims as the Claim rule template to use.
- For the claim rule name, select any descriptive name. For example, you can use “Default Mapping”.
- Click the attribute store dropdown and select Active Directory. For the basic authentication-only scheme, Conga Contracts needs only the first attribute mapped: the User-Principal-Name LDAP attribute to the Name ID outgoing claim type. The remaining attributes shown are needed only if authorization is to be handled as well.
- Click Finish.
- Relying Party Trust is configured and ready to be used.
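The same trust can be created from the AD FS 2.0 PowerShell snap-in, which makes the two security-relevant settings explicit: the unique relying party identifier and the claim rule that releases only the User-Principal-Name as the Name ID. The script below is an added example, not part of this guide or of Conga Contracts' documentation. It assumes the HTTP-POST binding for the assertion consumer endpoint (the usual choice for WebSSO) and uses a placeholder for the SSO service URL, since the guide says only that Conga Contracts provides it; the identifier and claim mapping are the ones described in the steps above.

```powershell
# Added example: scripted equivalent of the wizard steps above, using the
# AD FS 2.0 PowerShell snap-in. Not taken from the guide or from Conga Contracts.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Display name is local to your organization and does not affect the integration.
$displayName = "Conga Contracts"

# Relying party identifier: the Issuer carried in the Conga Contracts AuthnRequest.
# Default value from the guide; it must be unique across all relying party trusts.
$identifier = "sso.novatuscontracts.com"

# PLACEHOLDER: the Relying party SAML 2.0 SSO service URL provided by Conga Contracts.
# The guide does not state its value; substitute the real one.
$acsUrl = "https://<acs-url-provided-by-conga-contracts>"

# Issuance authorization rule: permit all users (the "easiest" option in the guide).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rule: "Send LDAP Attributes as Claims" with the single mapping
# User-Principal-Name -> Name ID. This is the rule text the wizard generates for it.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Default Mapping"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Enable SAML 2.0 WebSSO by registering the assertion consumer endpoint.
# ASSUMPTION: HTTP-POST binding; the guide does not name the binding.
$samlEndpoint = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -IsDefault $true

# Refuse to continue if another trust already owns this identifier; AD FS requires
# identifiers to be unique, and a collision is the usual cause of a failed test trust.
if (Get-ADFSRelyingPartyTrust -Identifier $identifier) {
    throw "Identifier '$identifier' is already used by another relying party trust; choose a unique one."
}

Add-ADFSRelyingPartyTrust -Name $displayName `
    -Identifier $identifier `
    -SamlEndpoint $samlEndpoint `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Verify the result: the trust exists, is enabled, and has exactly the expected endpoint.
Get-ADFSRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, Enabled,
        @{ Name = 'SamlEndpoints'; Expression = { $_.SamlEndpoints | ForEach-Object { $_.Location } } }
```

Run the script in an elevated PowerShell session on the AD FS server. Keeping the transform rule limited to the one attribute Conga Contracts actually needs for authentication means no additional directory attributes leave the federation server until authorization is deliberately configured.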