Configuring ADFS To Establish Trust
About this task
Before you can crawl a resource that uses Claims Based Authentication, you must configure a Relying Party Trust for Watson™ Explorer Engine on the Active Directory Federation Server. If you are not familiar with the configuration of a Relying Party Trust in ADFS, consult your Microsoft resources for ADFS.
Once you have a Relying Party Trust configured for Watson Explorer Engine, do the following on your Active Directory Federation Server:
In Attribute Store, select Active Directory, and then choose Mapping of LDAP attributes to outgoing claim types. At a minimum, you should have a mapping similar to the following:
- LDAP Attribute: Email Address -> Outgoing Claim Type: Email Address
- LDAP Attribute: SAM-Account-Name -> Outgoing Claim Type: Windows account name
Add any additional claim types used as permissions in SharePoint. All claims used to control permissions in the SharePoint environment must be passed to Watson Explorer Engine; if any of them are not passed, search-time security will not function properly and some documents may be incorrectly hidden from search users.
Note Your ADFS Settings
After making all changes in ADFS, note your ADFS configuration settings. You will need to refer to these settings later. In particular, note the following settings, which you will need when configuring the Watson Explorer Engine:
- Relying party WS-Federation Passive protocol URL
- Relying party realm or identifier
- Claim Types
- Certificate Thumbprint - The steps to determine your certificate thumbprint are covered in the subsection Recording the Thumbprint value.
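The trust, the LDAP-attribute-to-claim mapping and the capture of the settings listed above, as an added example scripted with the ADFS PowerShell module (it is not from the IBM documentation); the trust name, realm, endpoint URL and the tokenGroups-to-Role mapping are assumptions to be replaced with your own values.

```powershell
# Added example, not part of the IBM documentation: scripts the relying party trust
# described above with the ADFS PowerShell module, run on the federation server.
Import-Module ADFS

# Assumed values: replace with the name, realm/identifier and WS-Federation passive
# protocol URL of your own Watson Explorer Engine instance.
$rpName     = 'Watson Explorer Engine'
$rpRealm    = 'urn:example:watson-explorer-engine'
$rpEndpoint = 'https://wex.example.com/'

# Claim type URIs behind the display names shown in the ADFS console.
$emailClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'         # Email Address
$winClaim   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname' # Windows account name
$roleClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'               # Role

# "Send LDAP Attributes as Claims" rule: mail -> Email Address, sAMAccountName ->
# Windows account name. tokenGroups -> Role is an assumed stand-in for the "additional
# claim types used as permissions" step; substitute the claim types your SharePoint
# environment actually uses, otherwise search-time security hides documents incorrectly.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Watson Explorer Engine - LDAP attributes to outgoing claims"
c:[Type == "$winClaim", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim", "$winClaim", "$roleClaim"), query = ";mail,sAMAccountName,tokenGroups;{0}", param = c.Value);
"@

# Issuance authorization rule: permit every authenticated user to receive a token.
$authorizationRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpRealm -WSFedEndpoint $rpEndpoint `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authorizationRules

# Record the settings the Engine configuration asks for later (the list above).
$trust       = Get-AdfsRelyingPartyTrust -Name $rpName
$signingCert = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
[pscustomobject]@{
    PassiveProtocolUrl    = $trust.WSFedEndpoint
    RelyingPartyRealm     = ($trust.Identifier -join ', ')
    ClaimTypes            = (($emailClaim, $winClaim, $roleClaim) -join ', ')
    CertificateThumbprint = $signingCert.Thumbprint   # primary token-signing certificate (assumed to be the one required)
} | Format-List
```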