Creating a Resource Partner

WS Federation requires a two-way trust. The identity provider must be configured to trust the service provider, and the service provider must be configured to trust the identity provider. You have already set up the service provider to trust the identity provider (see Creating a WS Federation Identity Provider). This section sets up the trust in the other direction, so that the identity provider (the ADFS server) trusts the service provider (Identity Server).

  1. In the Active Directory Federation Services console, access the Resource Partners page by clicking Federation Services > Trust Policy > Partner Organizations.

  2. Right-click Partner Organizations, then click New > Resource Partner.

  3. Supply the following information in the wizard:

    • You do not have a resource partner policy file to import.

    • For the display name, specify the DNS name of Identity Server.

    • For the Federation Services URI, enter the following:

      https://<DNS_Name>:8443/nidp/wsfed/

      Replace <DNS_Name> with the name of your Identity Server.

      This is the base URL of your Identity Server with the addition of /wsfed/ at the end.

    • For the Federation Services endpoint URL, specify the following:

      https://<DNS_Name>:8443/nidp/wsfed/spassertion_consumer

      Replace <DNS_Name> with the name of your Identity Server.

      This is the base URL of your Identity Server with the addition of /wsfed/spassertion_consumer at the end.

    • Select Federated Web SSO.

      Identity Server is outside of any forest, so do not select Forest Trust.

    • Select the E-mail claim.

    • Select the Pass all E-mail suffixes through unchanged option.

  4. Enable this resource partner.

  5. Finish the wizard.

  6. To test the configuration, continue with Logging In.
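The two wizard values above are derived mechanically from the Identity Server DNS name, and a mismatch (a missing trailing slash on the URI, http instead of https, a wrong path) is the usual reason ADFS refuses the partner. The following added example, not part of this guide or of either product, derives both values from the DNS name, checks what was typed into the wizard against them, and goes one step beyond the page by checking a WS-Federation sign-in request: it assumes the policy that wtrealm must equal the Federation Services URI exactly and that wreply, when present, must lie under the endpoint URL. idp.example.com is a constructed stand-in for your Identity Server.

```python
from urllib.parse import parse_qs, urlsplit

IDP_PORT = 8443  # port used for Identity Server in the wizard values above


def expected_partner_values(dns_name):
    """Derive both Resource Partner wizard values from the Identity Server DNS name."""
    uri = f"https://{dns_name}:{IDP_PORT}/nidp/wsfed/"
    return {"uri": uri, "endpoint": uri + "spassertion_consumer"}


def check_partner_entry(dns_name, uri, endpoint):
    """Return a list of mistakes in the values typed into the wizard (empty = consistent)."""
    expected = expected_partner_values(dns_name)
    problems = []
    if uri != expected["uri"]:
        hint = " (trailing slash missing)" if uri + "/" == expected["uri"] else ""
        problems.append(f"Federation Services URI must be {expected['uri']}{hint}")
    if endpoint != expected["endpoint"]:
        problems.append(f"Federation Services endpoint URL must be {expected['endpoint']}")
    if urlsplit(uri).scheme != "https" or urlsplit(endpoint).scheme != "https":
        problems.append("both values must use https")
    return problems


def under_endpoint(wreply, endpoint):
    """True when wreply shares scheme and host:port with the endpoint and sits under its path."""
    r, e = urlsplit(wreply), urlsplit(endpoint)
    return (r.scheme, r.netloc) == (e.scheme, e.netloc) and r.path.startswith(e.path)


def check_signin_request(query, dns_name):
    """Check a WS-Federation sign-in request (its query string) against the partner values.
    Assumed policy (not taken from the guide): wtrealm must equal the Federation Services
    URI exactly, and wreply, if present, must lie under the configured endpoint URL."""
    expected = expected_partner_values(dns_name)
    params = {k: v[0] for k, v in parse_qs(query).items()}
    problems = []
    if params.get("wa") != "wsignin1.0":
        problems.append("wa must be wsignin1.0 for a sign-in request")
    if params.get("wtrealm") != expected["uri"]:
        problems.append(f"wtrealm {params.get('wtrealm')!r} does not match the partner URI")
    wreply = params.get("wreply")
    if wreply is not None and not under_endpoint(wreply, expected["endpoint"]):
        problems.append(f"wreply {wreply!r} is outside the partner endpoint URL")
    return problems


if __name__ == "__main__":
    # Constructed sample: the URI below lacks its trailing slash, which the check reports.
    print(check_partner_entry("idp.example.com", "https://idp.example.com:8443/nidp/wsfed",
                              "https://idp.example.com:8443/nidp/wsfed/spassertion_consumer"))
```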