Relying Party Trust
Guide to ADFS Federation (Metadata Import Edition) | Lazy Admin Blog

How to set up a Relying Party Trust in 5 minutes using XML metadata.
Setting up a federation trust by hand is a recipe for typos. If the 3rd party sends you a metadata URL or an XML file, use it: importing the metadata pulls in their signing/encryption certificates, identifier (Entity ID) and endpoints exactly as published, with no long strings of thumbprints pasted by hand. Two caveats worth the extra minute: fetch a metadata URL over HTTPS only, and confirm the imported Entity ID and signing certificate thumbprint against what the partner told you out of band, because the import trusts whatever is in the file.
1. The Pre-Reqs (Don’t start without these!)
Before you open the ADFS console, make sure you have:
- The Metadata: Either a file or a URL (e.g., https://adfs.xyz.com/federationmetadata/2007-06/federationmetadata.xml). Prefer an HTTPS URL when they offer one: ADFS can monitor it and pick up their certificate rollovers automatically.
- The Claim Mapping: Exactly which LDAP attribute they need (e.g., Employee-ID) and what it should be called on their end (e.g., Name ID).
- Contact Info: Name, email, and phone for their admin. Put this in the Notes field so the next admin isn’t hunting for it during a certificate expiry.
2. Step-by-Step: Adding the Trust
- Open ADFS Management and go to Trust Relationships > Relying Party Trusts.
- Right-click and select Add Relying Party Trust.
- Select Data Source: Choose “Import data about the relying party from a file” and point it to their federationmetadata.xml (or choose “Import data about the relying party published online or on a local network” and paste their metadata URL).
- MFA: Select “I do not want to configure multi-factor authentication” (unless required by your security policy).
- Authorization: Select “Permit all users to access this relying party.” That is the quick option; if only one team should reach the application, choose “Deny all users access to this relying party” here and add a “Permit or Deny Users Based on an Incoming Claim” issuance authorization rule for their AD group afterwards.
- Finish: On the final screen, open the Notes tab and paste the 3rd party contact details.
3. Configuring the Claim Rules
This is the “handshake” where you translate your AD data into something they can read.
- Right-click your new trust and select Edit Claim Rules.
- Click Add Rule and choose “Send LDAP Attributes as Claims.”
- Claim Rule Name: “Send EmployeeID as NameID” (Be descriptive!).
- Attribute Store: Active Directory.
- Mapping (one row is enough for this handshake):
  - LDAP Attribute: Employee-ID
  - Outgoing Claim Type: Name ID
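The same trust and claim rule, built from the ADFS PowerShell module instead of the wizard. This is an added example, not code from the original post; the partner name, metadata path, contact details, the employeeID attribute and the group SID are placeholders to replace with the partner's real values. The rule-language text is what the “Send LDAP Attributes as Claims” and authorization templates generate, so the result matches what the wizard clicks above produce.

```powershell
# Added example (not from the original post). Assumptions: partner name
# "Contoso HR", metadata saved to C:\temp\federationmetadata.xml, the AD
# attribute behind "Employee-ID" is employeeID, and the group SID is a placeholder.
Import-Module ADFS

$trustName = 'Contoso HR'
$metadata  = 'C:\temp\federationmetadata.xml'
$notes     = 'Partner admin: Jane Doe, jane@contoso.example, +1-555-0100 (placeholder contact).'

# Step 3 as rule language: "Send LDAP Attributes as Claims", Employee-ID -> Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send EmployeeID as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";employeeID;{0}", param = c.Value);
'@

# Authorization, the quick way: "Permit all users to access this relying party".
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Authorization, the tighter way: permit only members of one AD group (placeholder SID).
$permitGroup = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit HR-SSO-Users only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-1111111111-2222222222-3333333333-1234$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

# Step 2: create the trust from the metadata file. Certificates, identifier and
# endpoints come from the XML; the Notes field carries the partner contact.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataFile $metadata `
    -Notes $notes `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $permitGroup    # use $permitAll if policy allows

# If the partner publishes metadata at an HTTPS URL, this form lets ADFS
# re-read it and pick up their certificate rollover without a ticket:
#   Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl 'https://sp.contoso.example/metadata.xml' `
#       -MonitoringEnabled $true -AutoUpdateEnabled $true -Notes $notes `
#       -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $permitGroup

# Show what was actually imported so it can be checked against the partner's email.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier,
        @{n='SamlEndpoints';          e={ $_.SamlEndpoints.Location }},
        @{n='SigningCertThumbprint';  e={ $_.RequestSigningCertificate.Thumbprint }},
        @{n='SigningCertExpires';     e={ $_.RequestSigningCertificate.NotAfter }}
```

Run it in an elevated PowerShell on an ADFS server. The final Select-Object is the manual check the import does not do for you: the Identifier and thumbprint it prints should match what the partner sent, and the NotAfter date is the one to put in the calendar.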
4. The “Lazy” Testing Method
Don’t wait for them to tell you it’s broken. Test it yourself:
- Go to your ADFS sign-on page: https://your-adfs-url.com/adfs/ls/idpinitiatedsignon.htm. On ADFS 2016 and later this page is disabled by default; enable it with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true (and consider turning it off again after the test).
- Select the new trust from the list and sign in.
- The Proof: Take a screenshot of the successful login and send it to the 3rd party. If the trust appears in the list and the sign-in redirects you to their application, your side is issuing a token and you’ve done your part; anything after that (the Name ID not matching their records, for instance) is a mapping question for them to confirm.
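A pre-flight script for the test above, added here as an example rather than taken from the original post. It assumes the trust is named 'Contoso HR' and that you are on ADFS 2016 or later, where the IdP-initiated sign-on page is off by default; it enables the page, then checks the three things that make the lazy test fail silently: a disabled trust, no SAML endpoint imported, and a partner signing certificate that has already expired.

```powershell
# Added example (not from the original post). Assumes a trust named 'Contoso HR'
# on ADFS 2016+; adjust $trustName for your environment.
Import-Module ADFS

$trustName = 'Contoso HR'

# idpinitiatedsignon.htm only lists trusts when the page is enabled.
if (-not (Get-AdfsProperties).EnableIdpInitiatedSignonPage) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
}

$rp = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $rp) { throw "Relying Party Trust '$trustName' not found" }

# Each check is $true when healthy. "Signing cert valid" also passes when the
# partner's metadata carried no signing certificate at all (nothing to expire).
$expired = $rp.RequestSigningCertificate | Where-Object { $_.NotAfter -lt (Get-Date) }
$checks = [ordered]@{
    'Trust enabled'         = [bool]$rp.Enabled
    'SAML endpoint present' = ($rp.SamlEndpoints.Count -gt 0)
    'Signing cert valid'    = (-not $expired)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-22} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}

# Days until the partner's signing certificate expires: the date the next admin
# will otherwise discover from a broken login.
$rp.RequestSigningCertificate | ForEach-Object {
    '{0} expires in {1} days' -f $_.Subject, [int](($_.NotAfter - (Get-Date)).TotalDays)
}

# After the screenshot is taken, turn the page back off if policy requires:
#   Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
```

If any line prints FAIL, fix that before asking the partner to look at anything; an expired partner certificate in particular produces a sign-in that looks fine on your page and is rejected on theirs.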
This entry was posted in Active Directory and tagged Active Directory, ADFS Federation, Claim Rules, Exchange Federation, federationmetadata.xml, IDP Initiated Sign On, NameID Mapping, Relying Party Trust, SAML Metadata, SSO.