202 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010

6 Verify that the user you are going to use for authentication has an e-mail address in the mail attribute.
7 Continue with "Creating a Resource Partner" on page 202.

Creating a Resource Partner

The WS-Federation protocol requires a two-way trust. The identity provider must be configured to trust the service provider, and the service provider must be configured to trust the identity provider. You have already set up the service provider to trust the identity provider (see "Create a WS Federation Identity Provider" on page 199). This section sets up the trust in the other direction, so that the identity provider (the ADFS server) trusts the service provider (the Identity Server).

1 In the Active Directory Federation Services console, access the Resource Partners page by clicking Federation Services > Trust Policy > Partner Organizations.
2 Right-click Partner Organizations, then click New > Resource Partner.
3 Supply the following information in the wizard:
   - You do not have a resource partner policy file to import.
   - For the display name, specify the DNS name of the Identity Server.
   - For the Federation Services URI, enter the following:
     https://:8443/nidp/wsfed/
     Replace the host portion with the name of your Identity Server. This is the base URL of your Identity Server with /wsfed/ added at the end.
   - For the Federation Services endpoint URL, specify the following:
     https://:8443/nidp/wsfed/spassertion_consumer
     Replace the host portion with the name of your Identity Server. This is the base URL of your IDP with /wsfed/spassertion_consumer added at the end.
   - Select Federated Web SSO. The Identity Server is outside of any forest, so do not select Forest Trust.
   - Select the E-mail claim.
   - Select the Pass all E-mail suffixes through unchanged option.
4 Enable this resource partner.
5 Finish the wizard.
6 To test the configuration, continue with Section 7.2.3, "Logging In," on page 202.

7.2.3 Logging In

1 In a client browser, enter the base URL of your Identity Server.
2 From the list of cards, select the Adatum contract.
3 (Conditional) If you are not joined to the Adatum domain, enter a username and password in the browser pop-up. Use a name and a password that are valid in the Adatum domain.
   If you are using a client that is joined to the Adatum domain, the card uses a Kerberos ticket to authenticate to the ADFS identity provider (resource partner).
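The two URLs the resource partner wizard asks for are both derived from the Identity Server base URL, and a typo in either one (wrong scheme, missing trailing slash on the realm URI, endpoint not under the realm) silently breaks the trust, which then only surfaces as a failed login. The following Python script is an added example, not part of the Novell guide: it derives the display name, Federation Services URI and endpoint URL from a base URL and checks them for the mistakes just listed before you type them into the wizard. The host name idp.example.com and the check rules are my own constructed sample and assumptions; the paths /nidp/wsfed/ and /nidp/wsfed/spassertion_consumer are those given in the guide.

```python
"""Derive and sanity-check ADFS resource-partner values for a Novell Identity
Server. Added example; the Identity Server base URL used below is constructed."""
from urllib.parse import urlsplit

# Paths from the guide: realm URI and the SP assertion consumer endpoint.
WSFED_PATH = "/nidp/wsfed/"
CONSUMER_PATH = "/nidp/wsfed/spassertion_consumer"


def resource_partner_settings(base_url: str) -> dict:
    """Return the three wizard values for an Identity Server base URL such as
    https://idp.example.com:8443/nidp (constructed sample host)."""
    parts = urlsplit(base_url)
    host = parts.hostname
    port = parts.port or 443
    origin = f"{parts.scheme}://{host}:{port}"
    return {
        "display_name": host,                      # DNS name of the Identity Server
        "federation_services_uri": origin + WSFED_PATH,
        "endpoint_url": origin + CONSUMER_PATH,
    }


def check_settings(settings: dict) -> list[str]:
    """Return a list of problems with the wizard values; empty means consistent.
    The rules are assumptions about what a working trust needs, not from the guide."""
    problems = []
    uri = urlsplit(settings["federation_services_uri"])
    ep = urlsplit(settings["endpoint_url"])
    if uri.scheme != "https" or ep.scheme != "https":
        problems.append("both URLs must use https; tokens are posted to the endpoint")
    if not settings["federation_services_uri"].endswith(WSFED_PATH):
        problems.append("Federation Services URI must end in /wsfed/ (ADFS matches the realm on it)")
    if not settings["endpoint_url"].startswith(settings["federation_services_uri"]):
        problems.append("endpoint URL must be located under the Federation Services URI")
    if ep.path != CONSUMER_PATH:
        problems.append("endpoint path must be /nidp/wsfed/spassertion_consumer")
    if settings["display_name"] != uri.hostname:
        problems.append("display name should be the Identity Server DNS name used in the URLs")
    return problems


if __name__ == "__main__":
    values = resource_partner_settings("https://idp.example.com:8443/nidp")  # constructed
    for key, value in values.items():
        print(f"{key}: {value}")
    for problem in check_settings(values):
        print("PROBLEM:", problem)
```

Run it with your own base URL in place of the sample and copy the printed values into the wizard only when no PROBLEM line appears. The realm check matters most: ADFS matches the wsa:To realm against the Federation Services URI string, so a missing trailing slash is enough for the resource partner never to be selected.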