What is ADFS relying party trust

In this blog we will learn what an ADFS relying party trust is, how to create a relying party trust on an ADFS server, what ADFS claim rules are, and how to create ADFS claim rules.

Watch video

Join us on YouTube and watch a deep dive video on ADFS relying party trust and how to create ADFS claim rules.

What is ADFS Relying Party Trust

If we go by the definition, Relying Party Trust is the term used to identify which applications are authorized to communicate with an ADFS server. Let’s consider one example to understand what that means.

Let’s say a user is trying to access an application that is integrated with an ADFS server.

user trying to access ADFS application

This application will reach out to an endpoint of the ADFS server to get a token.

application reaching to ADFS for token

ADFS will construct a token, add claims to it, and send this token to the application. This is what usually happens when a user tries to access a federated application.

adfs server sends token to the application

But the question is, how will the ADFS server identify whether the request coming from this application is a valid request? How will the ADFS server decide whether this request should be entertained, and how will it know that it has to issue a security token to this particular application?

So there has to be something that lets the ADFS server trust this application. There has to be a trust between ADFS and the application so that ADFS can accept the request from the application and issue a token to it. This trust is called a Relying Party Trust.

Important: When you integrate an application with an ADFS server, a relying party trust is created for that application on your ADFS server. With the help of the relying party trust, the ADFS server identifies that the request coming from an application is a valid request and that it has to issue a security token to this application.

Important: A relying party trust contains information about the application: its name, the protocol that the application supports, and the claims the application needs within the security token.

Without a relying party trust, an application cannot communicate with the ADFS server. So the Relying Party Trust is the communication channel between the ADFS server and the application, and the organization that hosts this application is called the Relying Party.

adfs relying party trust

Create a Relying Party Trust in ADFS Server

You can create a relying party trust using the ADFS Management console or using PowerShell commands.

To create a relying party trust from the ADFS Management console, go to the ADFS server and open the ADFS Management console. In the ADFS Management console, click Relying Party Trusts and then click Add Relying Party Trust.

create relying party trust

In the Add Relying Party Trust Wizard, select Claims aware and click Start.

claims aware application

On the Select Data Source page, you need to add the information about the application for which you are creating the relying party trust. There are three ways to add this information: from an online link, by importing a metadata file, or by typing the required information manually.

select data source for relying party trust

For this demo I will enter the required information manually, so I will select Enter data about the relying party manually and click Next.

enter data source manually

On the Specify Display Name page, type a display name for the relying party trust and click Next.

specify display name for relying party trust

On the Configure Certificate page, you can click Browse and select an optional certificate that ADFS will use to encrypt the tokens it sends to this relying party. Click Next.

configure certificate for relying party trust

On the Configure URL page, select either the WS-Federation Passive protocol or the SAML 2.0 WebSSO protocol, depending on which protocol the application supports, and type the URL of the application as shown below. Once done, click Next.

configure URL for relying party trust

On the Configure Identifiers page, specify one or more identifiers for this relying party, click Add to add them to the list, and then click Next.

configure identifiers

On the Choose Access Control Policy page, select a policy and click Next.

choose access control policy

On the Ready to Add Trust page, click Next, then click Close to close the wizard.

In the Relying Party Trusts section you will see that a trust has been created for the application.

new relying party trust

ADFS Claim Rules and Claim Issuance Policy

What is Claim Issuance Policy in ADFS

Claim issuance policy is the set of rules that decides which claims the ADFS server will send to the application within the security token. Let’s consider a small example to understand Claim Issuance Policy in ADFS.

When we create a user account in Active Directory, a few attributes are populated for that account, for example Name, Phone Number, Department, or Email Address. In Active Directory these are called attributes, and in ADFS these attributes are called claims.

Now let’s assume, this user wants to access an application.


This application will reach out to an endpoint of the ADFS server and ask for a security token containing the Email Address attribute of the user. ADFS will contact Active Directory to authenticate this user and ask Active Directory to return the user’s Email Address attribute. Once authentication is done, Active Directory returns the claim to the ADFS server. The ADFS server then constructs a token, adds the claim to it, and sends this token to the application.

Which attribute ADFS will ask Active Directory to issue, and which attribute or claim ADFS will send to the application, is decided by the Claim Issuance Policy.

Important: If you create a relying party trust manually, you need to create the claim issuance policy yourself. But if you have the Federation Metadata of the application, the claim issuance policy will be configured automatically. Federation Metadata is an XML file that contains the information about an application that is required to create a Relying Party Trust: the name of the protocol the application supports, the claims this application requires, and the application identifier where the token will be sent.
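To show what such a metadata file carries, here is an added example (not from the original post) that reads a constructed, minimal SAML 2.0 service provider metadata document for a fictitious application and pulls out the three pieces the trust is built from: the identifier, the protocol and token endpoint, and the claims the application requires. The application name, URLs and file path are placeholders.

```powershell
# Constructed, minimal SAML 2.0 SP federation metadata for a fictitious app (placeholder values).
$metadataXml = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.example.com/">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs" index="0" isDefault="true"/>
    <AttributeConsumingService index="0">
      <ServiceName xml:lang="en">Demo App</ServiceName>
      <RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" isRequired="true"/>
      <RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" isRequired="false"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
</EntityDescriptor>
'@

[xml]$doc = $metadataXml
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')

# 1. Relying party identifier: entityID becomes the trust's Identifier, and ADFS writes it
#    into the token as the audience, so only this application can consume the token.
$identifier = $doc.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')

# 2. Protocol and endpoint: an SPSSODescriptor means SAML 2.0 WebSSO; the default
#    AssertionConsumerService Location is where the token will be sent.
$sp       = $doc.SelectSingleNode('/md:EntityDescriptor/md:SPSSODescriptor', $ns)
$protocol = $sp.GetAttribute('protocolSupportEnumeration')
$acsUrl   = $doc.SelectSingleNode('//md:AssertionConsumerService[@isDefault="true"]', $ns).GetAttribute('Location')

# 3. Claims the application needs in the token; the claim issuance policy must cover these.
$claims = $doc.SelectNodes('//md:RequestedAttribute', $ns) | ForEach-Object {
    [pscustomobject]@{ Claim = $_.GetAttribute('Name'); Required = $_.GetAttribute('isRequired') }
}

[pscustomobject]@{ Identifier = $identifier; Protocol = $protocol; TokenEndpoint = $acsUrl } | Format-List
$claims | Format-Table -AutoSize

# When the application provides such a file, the wizard's import option or the cmdlet
# below builds the trust from it instead of typing these values by hand (placeholder path).
# Add-AdfsRelyingPartyTrust -Name 'Demo App' -MetadataFile 'C:\metadata\demo-app.xml'
```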

How to create ADFS Claim Rules

To create claim rules, go to the ADFS Management console, click Relying Party Trusts, select the relying party trust for which you want to create claim rules, and click Edit Claim Issuance Policy.

In the Edit Claim Issuance Policy dialog, click Add Rule.

edit claim issuance policy

On the Select Rule Template page, make sure Send LDAP Attributes as Claims is selected under Claim rule template and click Next.

select rule template

On the Configure Rule page, type a name for the claim rule, under Attribute store select Active Directory, and under Mapping of LDAP attributes to outgoing claim types select E-Mail-Addresses as the LDAP Attribute and E-Mail-Address as the Outgoing Claim Type.

configure rule

Click Finish and click OK.
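The same relying party trust and claim rule created from PowerShell instead of the wizard, as an added example that is not part of the original post. The display name, identifier, endpoint URL and access control policy name are placeholders; the rule text is what the Send LDAP Attributes as Claims template generates for the mail attribute, written in the ADFS claim rule language.

```powershell
# Added example: create the relying party trust and its claim issuance policy from
# PowerShell. Run on the ADFS server as an ADFS administrator (Import-Module ADFS).
$rpName     = 'Demo App'                        # display name (placeholder)
$identifier = 'https://app.example.com/'        # relying party identifier (placeholder)
$wsFedUrl   = 'https://app.example.com/wsfed'   # WS-Federation passive endpoint (placeholder)

# Claim issuance policy in the ADFS claim rule language. The rule takes the authenticated
# user's windowsaccountname claim, queries Active Directory for that user's mail attribute,
# and issues the value as the E-Mail Address claim type in the token.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email address as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Create the trust (WS-Federation passive protocol, the wizard's first option) and attach
# the issuance rules and an access control policy in one step. 'Permit everyone' is the
# built-in policy that corresponds to the wizard's default choice.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -WSFedEndpoint $wsFedUrl `
    -IssuanceTransformRules $issuanceRules `
    -AccessControlPolicyName 'Permit everyone'

# Verify what was created: the identifier the token audience is checked against, the
# endpoint the token is posted to, the access policy, and the effective issuance rules.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, WSFedEndpoint, AccessControlPolicyName, IssuanceTransformRules

# To change the claim rules later without recreating the trust:
# Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $issuanceRules
```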

Conclusion

In this blog we learnt what an ADFS relying party trust is, how to create a relying party trust in ADFS, what ADFS claim rules and the claim issuance policy in ADFS are, and how to create claim rules for a relying party trust.

If you found this blog helpful and informative, please share it within your community, join us on YouTube, and join our Newsletter for early access to blogs and updates.


Happy Learning!!