Saturday, October 17, 2015

ADFS Setup.

Software requirements
  • AD FS relies on server functionality that is built into the Windows Server® 2012 operating system.
  • The Federation Service and Federation Service Proxy role services cannot coexist on the same computer.
Setup Roles and Features
  • Go to Local Server tab, scroll down to the ROLES AND FEATURES section, then click TASKS->Add Roles and Features.
  • In Add Roles and Features Wizard, click Next to continue.
  • On next screen, keep Role-based or feature-based installation checked, click Next to continue.
  • On Server selection screen, accept default settings and click Next.
  • On Server Roles screen, check Active Directory Domain Services. This will pop up a dialog prompting you to enable the required features. Click Add Features to continue.
  • Check Active Directory Federation Services. Again, click Add Features in the pop-up to add required features.
  • Click Next all the way till the end of the wizard workflow, accepting all default settings.
  • Click Install to continue. Once installation completes, click Close to close the wizard.
Configure AD and Domain controller
Now you’ll see a warning icon reminding you that some additional configuration is needed.
  • Click on the icon and click on the second item, which is Promote this server to a domain controller.
  • In Active Directory Domain Services Configuration Wizard, select Add a new forest, enter “your domain name” as Root domain name, and then click Next to continue.
  • On next screen, provide a DSRM password. Uncheck Domain Name System (DNS) server as we don’t need this capability in our scenario (this is an all-in-one forest anyway). Click Next to continue.
  • Keep clicking Next till Install button is enabled. Then click Install.
  • The machine reboots.
Create Some Test Accounts
Before we move forward, let’s create a couple of user groups and a couple of test accounts.
  • Launch Active Directory Users and Computers (Window + Q, then search for “users”).
  • Right-click on Users node, then select New->Group:
  • In New Object window, enter Manager as group name, and change Group scope to Domain local:
  • Follow the same step, create a Staff group. Right-click on Users node, then select New->User to create a new user:
  • Set up a password for the user, then finish the wizard. On a test environment, you can disallow password change and make the password never expire to simplify password management:
  • Double-click on the user name, and add the user to Manager group:
  • Create another user, and add the user to Staff group.
Configure SSL Certificate
  • Launch Internet Information Services Manager (Window + Q, then search for “iis”).
  • Select the server node, and then double-click Server Certificates icon in the center pane.
  • In the right pane, click on the Create Self-Signed Certificate… link. Give the cert a friendly name, for example haishidc2.cloudapp.net. Click OK. If you open the cert, you can see it is issued to [your virtual machine name].cloudapp.net. This is why we used the cloudapp.net domain name.

Configure ADFS Server
  • Go back to Server Manager. Click on the warning icon and select Run the AD FS Management snap-in.
  • Click on AD FS Federation Server Configuration Wizard link in the center pane.
  • In AD FS Federation Server Configuration Wizard, leave Create a new Federation Service checked, click Next to continue.
  • On next screen, keep New federation server farm checked, click Next to continue.
  • On next screen, you’ll see our self-issued certificate is automatically chosen. Click Next to continue.
  • On next screen, set up Administrator as the service account. Click Next. Click Next again to complete the wizard.
Configure Trust Relationship with ACS – ADFS Configuration
Configure ADFS as a trusted Identity Provider of your ACS namespace. The trust relationship is mutual, which means it needs to be configured on both the ADFS side and the ACS side. On the ADFS side, we’ll configure ACS as a trusted relying party. On the ACS side, we’ll configure ADFS as a trusted identity provider. Let’s start with the ADFS configuration.
  • Back in AD FS Management snap-in, click on Required: Add a trusted relying party in the center pane.
  • In Add Relying Party Trust Wizard, click Start to continue.
  • Paste in the ACS WS-Federation metadata URL you got from your ACS namespace, and click Next to continue.
  • Keep clicking Next, then finally Close to complete the wizard.
  • This brings up the claim rules window. Close it for now.
  • Back in the main window, click on Trust Relationships->Claims Provider Trust node. You’ll see Active Directory listed in the center pane. Right-click and select Edit Claim Rules…
  • In the Edit Claim Rules for Active Directory dialog, click Add Rule… button.
  • Select Send Group Membership as a Claim template. Click Next.
  • On next screen, set the rule name as Role claim. Pick the Manager group using the Browse… button. Pick Role as output claim type. And set claim value to be Manager. Then click Finish. What we are doing here is to generate a Role claim with value Manager for all users in the Manager group in our AD.
  • Add another rule, and this time select Send LDAP Attribute as Claims template.
  • Set rule name as Name claim. Pick Active Directory as attribute store, and set up the rule to map the Given-Name attribute to the Name claim.
  • Back in the main window, click on Trust Relationships->Relying Party Trusts node. You’ll see your ACS namespace listed in the center pane. Right-click on it and select Edit Claim Rules…
  • Add a new rule using Pass Through or Filter an Incoming Claim template.
  • Pass through all Role claims.
  • Similarly, add another pass-through rule for Name claim.
  • Now our ADFS server is configured to trust our ACS namespace, and it will issue a Name claim and a Role claim for authenticated users.
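The same relying party trust and claim rules, expressed in AD FS claim rule language and applied with the AD FS PowerShell cmdlets instead of the wizards. This is an added example, not code from the original post; the ACS namespace name, its metadata URL and the Manager group SID are placeholders you must replace, and it assumes you run it elevated on the federation server.

```powershell
# Added example (not from the original post). Load the AD FS cmdlets: the snap-in on
# Windows Server 2012 (AD FS 2.1), the module on 2012 R2 and later.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module ADFS -ErrorAction SilentlyContinue

$acsName     = "<your ACS namespace>"                                    # placeholder
$acsMetadata = "<ACS WS-Federation metadata URL from the ACS portal>"    # placeholder
$managerSid  = "S-1-5-21-REPLACE-WITH-MANAGER-GROUP-SID"                 # placeholder: (Get-ADGroup Manager).SID.Value

$roleClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$nameClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Acceptance rules on the Active Directory claims provider trust: what the
# "Send Group Membership as a Claim" and "Send LDAP Attribute as Claims" templates generate.
$adRules = @"
@RuleTemplate = "MapClaims"
@RuleName = "Role claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$managerSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$roleClaim", Value = "Manager", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleTemplate = "LdapClaims"
@RuleName = "Name claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$nameClaim"), query = ";givenName;{0}", param = c.Value);
"@

# Issuance rules on the ACS relying party trust: pass through only Role and Name.
# Any other claim AD FS holds for the user is not sent to ACS.
$rpRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Role"
c:[Type == "$roleClaim"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name"
c:[Type == "$nameClaim"]
 => issue(claim = c);
"@

# Create the relying party trust from the ACS metadata, then apply both rule sets.
Add-ADFSRelyingPartyTrust -Name $acsName -MetadataUrl $acsMetadata
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules $adRules
Set-ADFSRelyingPartyTrust -TargetName $acsName -IssuanceTransformRules $rpRules

# Check: show the rules AD FS actually stored for each trust.
(Get-ADFSClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name $acsName).IssuanceTransformRules
```

The last two lines are the check to run after the wizard as well: the stored rule text should contain exactly the Role and Name rules shown above and nothing else.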
