188 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010

The following sections describe how to configure your servers for this scenario:

Section 7.1.1, “Configuring the Identity Server,” on page 188
Section 7.1.2, “Configuring the ADFS Server,” on page 193
Section 7.1.3, “Logging In,” on page 195
Section 7.1.4, “Troubleshooting,” on page 196

7.1.1 Configuring the Identity Server

“Prerequisites” on page 188
“Creating a New Authentication Contract” on page 188
“Setting the WS-Fed Contract to Be the Default Contract” on page 189
“Enabling the STS and WS Federation Protocols” on page 189
“Creating an Attribute Set for WS Federation” on page 190
“Enabling the Attribute Set” on page 190
“Creating a WS Federation Service Provider” on page 190
“Configuring the Name Identifier Format” on page 192
“Setting Up Roles for ClaimApp and TokenApp Claims” on page 192
“Importing the ADFS Signing Certificate into the NIDP-Truststore” on page 192

Prerequisites

You have set up the Active Directory Federation Services, Active Directory, and SharePoint servers and the XP client as described in the ADFS guide from Microsoft. See Step-by-Step Guide for Active Directory Federation Services (http://go.microsoft.com/fwlink/?linkid=49531).

You have set up the Novell Access Manager 3.1 system with a site configuration that is using SSL in the Identity Server's base URL. See “Enabling SSL Communication” in the Novell Access Manager 3.1 SP1 Setup Guide.

Creating a New Authentication Contract

The Microsoft ADFS server rejects the contract URI names of the default Access Manager contracts, which have a URI format of secure/name/password/uri. The ADFS server expects the URI to look like a URL.

We suggest that you use the following format for the URI of all contracts that you want to use with the ADFS server:

/name/password/uri

If the DNS name of your Identity Server is idp-50.amlab.net, the URI would have the following format:

https://idp-50.amlab.net:8443/nidp/name/password/uri

This URL doesn't resolve to anything; it doesn't need to, because the Identity Server interprets it as a contract URI and not as a URL.
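As an added example (not code from the Novell guide), the following Python derives the URL-shaped contract URI from the Identity Server's SSL base URL and flags contract URIs in the default secure/name/password/uri format that ADFS rejects. It assumes the guide's sample host idp-50.amlab.net on port 8443 and a constructed list of contract URIs to review.

```python
"""Build and check URL-shaped contract URIs for use with ADFS.

Added example, not part of the Novell Access Manager guide. The host
idp-50.amlab.net:8443 is the guide's sample value; the contract list
passed to review_contracts() is constructed for illustration.
"""
from urllib.parse import urlparse, urlunparse


def is_url_shaped(uri: str) -> bool:
    """True when the URI has the shape ADFS expects: an absolute https URL
    with a host and a path. A bare path such as secure/name/password/uri
    has no scheme or host and therefore fails this check."""
    parts = urlparse(uri)
    return parts.scheme == "https" and bool(parts.netloc) and parts.path.startswith("/")


def contract_uri(base_url: str, contract_path: str = "/name/password/uri") -> str:
    """Append the suggested contract path to the Identity Server base URL.

    The guide requires SSL on the Identity Server, so only an https base URL
    is accepted here. The resulting URL does not need to resolve: the
    Identity Server treats it purely as a contract identifier.
    """
    base = urlparse(base_url)
    if base.scheme != "https" or not base.netloc:
        raise ValueError(f"Identity Server base URL must be an https URL: {base_url!r}")
    if not contract_path.startswith("/"):
        contract_path = "/" + contract_path
    path = base.path.rstrip("/") + contract_path
    return urlunparse((base.scheme, base.netloc, path, "", "", ""))


def review_contracts(base_url: str, uris: list) -> dict:
    """Map each configured contract URI to a URI ADFS will accept.

    URL-shaped entries are returned unchanged; default-format entries are
    mapped to a replacement built from base_url, dropping a leading
    'secure/' so that secure/name/password/uri becomes /name/password/uri.
    """
    result = {}
    for uri in uris:
        if is_url_shaped(uri):
            result[uri] = uri
        else:
            tail = uri.removeprefix("secure/").lstrip("/")
            result[uri] = contract_uri(base_url, "/" + tail)
    return result
```

Running review_contracts("https://idp-50.amlab.net:8443/nidp", ["secure/name/password/uri"]) yields the guide's sample URI https://idp-50.amlab.net:8443/nidp/name/password/uri as the replacement.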