Creating an Account Partners Configuration

WS Federation requires a two-way trust relationship. Both identity provider and service provider must be configured to trust each other.

  1. In the Active Directory Federation Services console, click Federation Services > Trust Policy > Partner Organizations.

  2. Right-click Partner Organizations and select New > Account Partner.

  3. Specify the following information in the wizard:

    • Indicate that you do not have an account partner policy file.

    • For the display name, specify the DNS name of Identity Server.

    • For the Federation Services URI, specify https://<DNS_Name>:8443/nidp/wsfed/.

      Replace <DNS_Name> with the DNS name of Identity Server. This URI is the base URL of your Identity Server with the addition of /wsfed/ on the end.

    • For the Federation Services endpoint URL, specify https://<DNS_Name>:8443/nidp/wsfed/ep.

      Replace <DNS_Name> with the DNS name of Identity Server.

      This is the base URL of your Identity Server with the addition of /wsfed/ep at the end.

    • For the verification certificate, import the trusted root of the signing certificate on your Identity Server.

      If you have not changed it, you need the Organizational CA certificate from your Administration Console. This is the trusted root for the test-signing certificate.

    • Select Federated Web SSO.

      Identity Server is outside of any forest, so do not select Forest Trust.

    • Select the Email claim.

    • Add the suffix that you will be using for your e-mail address.

      The e-mail address must end in a suffix that the ADFS server expects, such as @novell.com. The suffix rule grants access to any user whose e-mail address ends with that suffix, so choose it deliberately.

  4. Enable this account partner.

  5. Finish the wizard.

  6. Continue with Enabling ClaimApp and TokenApp Claims.
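As an added illustration (not part of the NetIQ or ADFS documentation), the following Python derives the two WS-Federation values the wizard asks for from the Identity Server DNS name, sanity-checks them against the documented pattern, and models the e-mail suffix rule as an exact match on the domain after the `@`. The helper names and the treatment of the suffix as a whole domain are assumptions for this example; the real ADFS matching logic is not described on this page.

```python
from urllib.parse import urlparse

# Hypothetical helper: builds the wizard values from the Identity Server DNS name.
def account_partner_settings(dns_name: str, port: int = 8443) -> dict:
    base = f"https://{dns_name}:{port}/nidp"
    return {
        "federation_services_uri": f"{base}/wsfed/",       # base URL + /wsfed/
        "federation_services_endpoint": f"{base}/wsfed/ep",  # base URL + /wsfed/ep
    }

def is_well_formed(settings: dict) -> bool:
    """Check that both values use https, share a host, and follow the /wsfed/ pattern."""
    uri = urlparse(settings["federation_services_uri"])
    ep = urlparse(settings["federation_services_endpoint"])
    return (
        uri.scheme == "https"
        and ep.scheme == "https"
        and uri.netloc == ep.netloc
        and uri.path.endswith("/wsfed/")
        and ep.path == uri.path + "ep"
    )

def email_claim_allowed(email: str, allowed_suffixes) -> bool:
    """Model the account partner's e-mail suffix rule (assumption: exact domain match).

    Matching the whole domain after the single '@' rather than doing a bare
    string suffix test avoids accepting look-alike domains such as
    user@evilnovell.com when the configured suffix is @novell.com.
    """
    if email.count("@") != 1:
        return False
    local, domain = email.split("@")
    if not local or not domain:
        return False
    domain = domain.lower()
    return any(domain == s.lower().lstrip("@") for s in allowed_suffixes)

if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    cfg = account_partner_settings("idp.example.com")
    print(cfg, is_well_formed(cfg))
    for addr in ("alice@novell.com", "alice@evilnovell.com", "alice@novell.com.evil.example"):
        print(addr, email_claim_allowed(addr, ["@novell.com"]))
```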