The AD FS metadata is used to add an Identity Provider to Access Manager.
Getting the AD FS 2.0 Metadata
Access the AD FS server metadata by accessing https://<<ADFS hostname or IP/FederationMetadata/2007-06/FederationMetadata.xml.
Save the AD FS metadata data.
Open the AD FS metadata file in a text editor (Notepad, WordPad, or an XML editor).
Remove the <RoleDescriptor> tags from the metadata.
For example, remove the following tags:
"<RoleDescriptor xsi:type="fed:ApplicationServiceType"
protocolSupportEnumeration=http://..................... ……> ……….</RoleDescriptor> "<RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
protocolSupportEnumeration=http://..... ………> </RoleDescriptor>Save the changes.
Using the Metadata to Add a New Identity Provider Connection
Click Devices > Identity Server > Edit > SAML 2.0.
Click New > Identity Provider.
Specify the name as ADFS in Name.
Select Metadata Text from Source.
Specify the ADFS metadata that you copied in Step 5 in Text.
Click Next.
Specify an alphanumeric value that identifies the card in ID.
Specify the image to be displayed on the card in Image.
Update Identity Server.
Adding the AD FS Server Trusted Certificate
Retrieve the AD FS server's CA trusted root certificate.
Select Security > Certificates.
Select Trusted Roots.
Click Import.
Specify the certificate name, and browse for the AD FS certificate authority.
Click OK.
Click uploaded AD FS CA.
Click Add to Trusted Store and select config store.
Update Identity Server.
Configuring the Identity Provider in Access Manager
Select the AD FS Identity Provider in the SAML 2.0 tab.
Click Authentication Card > Authentication Request.
Select Response Protocol Binding to POST.
Select NAME Identifier Format as Transient.
Click OK.
Update Identity Server.