Configuring ADFS To Establish Trust

About this task

Before you can crawl a resource that uses SAML claims-based authentication, you must configure a Relying Party Trust for Watson™ Explorer Engine on the Active Directory Federation Services (ADFS) server. If you are not familiar with configuring a Relying Party Trust in ADFS, consult your Microsoft documentation for ADFS.

Once you have a Relying Party Trust configured for Watson Explorer Engine, do the following on your Active Directory Federation Services server:

Procedure

  1. In Attribute Store, select Active Directory, and then choose Mapping of LDAP attributes to outgoing claim types. At a minimum, you should have a mapping similar to the following:

    LDAP Attribute        Outgoing Claim Type
    Email Address         Email Address
    SAM-Account-Name      Windows account name

  2. Add any additional claim types used as permissions in your SharePoint environment.
    Important:

    All claims used to control permissions in the SharePoint environment must be passed to Watson Explorer Engine. If some claims are not passed to Watson Explorer Engine, then search-time security will not function properly and some documents may be incorrectly hidden from search users.

  3. Note your ADFS settings. After making all changes in ADFS, record your ADFS configuration settings; you will need to refer to them later. In particular, note the following settings, which you will need when configuring the Watson Explorer Engine server:
    • Relying party WS-Federation Passive protocol URL
    • Relying party realm or identifier
    • Claim types
    • Certificate thumbprint. The steps to determine your certificate thumbprint are covered in Instructions for Recording the Thumbprint Value.
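The same three steps can be carried out from the ADFS PowerShell module instead of the management console, which is also a convenient way to review exactly which claims the trust emits before relying on them for search-time security. The following script is an added example and is not part of the IBM documentation or the Watson Explorer Engine product; the trust display name, the rule names and the group-membership rule are placeholders and assumptions, and the cmdlets used (Import-Module ADFS, Set-AdfsRelyingPartyTrust, Get-AdfsRelyingPartyTrust, Get-AdfsCertificate) are the standard ADFS cmdlets on Windows Server 2012 R2 and later.

```powershell
# Added example, not from the IBM page. Run in an elevated PowerShell session
# on the ADFS server after the Relying Party Trust for Watson Explorer Engine
# already exists.
Import-Module ADFS

# Placeholder: the display name you gave the Relying Party Trust in ADFS.
$rpName = "Watson Explorer Engine"

# Step 1: LDAP attribute -> outgoing claim type mapping from the page
# (Email Address -> Email Address, SAM-Account-Name -> Windows account name),
# written in the ADFS claim rule language that the "Send LDAP Attributes as
# Claims" template generates.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Watson Explorer Engine - LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = ";mail,sAMAccountName;{0}", param = c.Value);
'@

# Step 2: additional claim types used for SharePoint permissions. This rule
# ASSUMES (the page does not say) that your SharePoint environment grants
# permissions to AD group membership surfaced as Role claims. Replace it with
# whatever claim types SharePoint actually uses; every one of them must reach
# Watson Explorer Engine, or search-time security will hide documents.
$groupRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Watson Explorer Engine - group membership (assumed)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Rules are passed as one string; separate them with a newline.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($ldapRule + "`n" + $groupRule)

# Step 3: read back the settings the page tells you to record for the
# Watson Explorer Engine side of the configuration.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName

# Claim type URIs that appear in the issuance rules (input and output types).
$claimTypes = [regex]::Matches($rp.IssuanceTransformRules, 'http://schemas\.[^"]+/claims/[A-Za-z]+') |
    ForEach-Object { $_.Value } | Sort-Object -Unique

# Thumbprint of the primary token-signing certificate, which signs the SAML
# tokens Watson Explorer Engine will verify.
$signingThumbprint = (Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }).Thumbprint

[pscustomobject]@{
    RelyingPartyName       = $rp.Name
    WSFedPassiveEndpoint   = $rp.WSFedEndpoint      # WS-Federation Passive protocol URL
    RelyingPartyIdentifier = ($rp.Identifier -join ", ")
    ClaimTypes             = ($claimTypes -join ", ")
    TokenSigningThumbprint = $signingThumbprint
} | Format-List
```

Two points worth checking after running this. First, compare the ClaimTypes output line against the claim types SharePoint uses in its permission assignments; any claim present in SharePoint but absent here is exactly the mismatch the Important note above warns about. Second, Set-AdfsRelyingPartyTrust only replaces the issuance transform rules; a trust that was created with PowerShell rather than the console wizard may still have no issuance authorization rule (or, on ADFS 2016 and later, no access control policy), in which case ADFS issues no token at all, so confirm that with Get-AdfsRelyingPartyTrust as well.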