Written by Madan Mohan K, Sr. Cloud Engineer | Contributor; Karthik T, Principal Cloud Architect, Powerupcloud Technologies
“Illusion appeals creativity Authentication validates Reality”-Active Directory Federation Service.
Our prime client has their AD and ADFS on-premise. The client needed to federate their web application and obtain the user attributes without opting for a SAML provider.
With a SAML provider the configuration would have been much easier. How we solved it without a SAML provider is what this blog covers.
Active Directory Federation Services (ADFS) is an enterprise-level identity and access management service provided by Microsoft. ADFS runs as a separate service, so any application that supports WS-Federation or Security Assertion Markup Language (SAML) can leverage this federated authentication service.
In this article, we use Active Directory and ADFS configured on an Azure VM. The configuration of AD and ADFS on the Azure VM will be explained in the following blogs.
This article also uses some Azure services to reproduce the client's on-premise setup and demonstrate how it works live. The Azure services used are as follows:
- Azure Virtual Network (VNET) configuration
- Azure Virtual Machine (VM) provisioning
- Active Directory configuration on Azure VM
- Active Directory Federation Services (ADFS) configuration in Azure VM
This article aims at explaining the configuration of AD and ADFS on an Azure VM. This typically involves the following steps, carried out from the Azure Management Portal:
- Set up Azure Virtual Network
- Provision Azure VM
Once the VM provisioning is done, the following services need to be configured inside the Azure VM:
- Active Directory Domain Services
- Active Directory Federation Services
Prerequisites
1. Windows Server 2012 R2 Datacenter
2. ADFS 3.0
3. Microsoft Azure subscription
4. Self-signed SSL certificates
Configuring AD, ADFS and SSL
Since there are many blogs on the Internet covering Active Directory configuration, we will focus on the ADFS and SSL configuration and only summarise what we did in AD:
- Configured Active Directory Domain Services
- Promoted it to a domain controller
- The domain used is cloud.Powerupcloud.com
Configure SSL certificate
Active Directory Federation Services (ADFS) uses the HTTPS protocol. Certificates provisioned from a certificate authority make this work over HTTPS. We opted to use a self-signed certificate. To create a self-signed certificate, the following two steps are needed.
- Download and copy the PowerShell file in Scripts Folder https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6#content
- Navigate to the Scripts folder from PowerShell and execute the following commands (the script is dot-sourced first so that the New-SelfSignedCertificateEx function becomes available in the session).
PS C:\Scripts> . .\New-SelfSignedCertificateEx.ps1
PS C:\Scripts> New-SelfSignedCertificateEx -Subject "CN=powerup.southindia.cloud.azure.com" -EKU "Server Authentication" -KeyUsage 0xa0 -StoreLocation "LocalMachine" -ProviderName "Microsoft Strong Cryptographic Provider" -Exportable
In this section, the ADFS configuration is explained.
To begin, open Server Manager and click on "Add Roles and Features". In the Server Roles window, select "Active Directory Federation Services". Click Next to continue.
On the Features section, select nothing and click Next.
On the ADFS section select nothing and click Next.
In the Confirmation page click on Next.
On the success of Installation, you will be prompted to Configure the Federation service on the server.
Click on Configure the Federation service on the server.
Check to Create the first federation server in the federation server farm.
Select the privileged account under which the setup will be executed.
Import the SSL certificate which is generated earlier and enter the Federation service display name.
Use the privileged account for the Service Account.
Check "Create a database on this server using Windows Internal Database".
Select nothing on the Review option and click Next.
The Pre-requisites section displays the status of the successful validation.
ADFS configured successfully.
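The Server Manager steps above can also be scripted. The block below is an added example, not code from the original post, using the ADFS cmdlets that ship with Windows Server 2012 R2 (Install-WindowsFeature, Install-AdfsFarm, Get-AdfsProperties, Get-AdfsEndpoint). The certificate subject, federation service name and display name are assumptions taken from this post's lab; the service account is prompted for rather than reusing the setup account.

```powershell
# Added example (not from the original post): scripted equivalent of the
# Server Manager wizard for the first federation server in a new farm.
# Names and URLs below are assumptions based on this post's lab setup.

# 1. Install the AD FS role (the "Add Roles and Features" step).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Find the service communication certificate created earlier by its subject.
#    The CN is assumed to match the one passed to New-SelfSignedCertificateEx.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=powerup.southindia.cloud.azure.com' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'Service certificate not found in Cert:\LocalMachine\My' }

# 3. Credentials: the domain admin that runs the setup, and a dedicated
#    service account for the AD FS service. Prompting keeps passwords
#    out of the script file.
$setupCred   = Get-Credential -Message 'Domain admin account for the setup'
$serviceCred = Get-Credential -Message 'AD FS service account (domain\user)'

# 4. Create the first federation server in the farm. With no SQL parameters
#    the configuration database is the Windows Internal Database, as in the
#    wizard. The federation service name must match the certificate CN.
Install-AdfsFarm `
    -CertificateThumbprint        $cert.Thumbprint `
    -FederationServiceName        'powerup.southindia.cloud.azure.com' `
    -FederationServiceDisplayName 'Powerupcloud ADFS' `
    -Credential                   $setupCred `
    -ServiceAccountCredential     $serviceCred

# 5. Check the result: the service name and the federation metadata
#    endpoint should now be published.
Get-AdfsProperties | Select-Object HostName, Identifier
Get-AdfsEndpoint |
    Where-Object { $_.AddressPath -like '*federationmetadata*' } |
    Select-Object AddressPath, Enabled
```

The final two commands are the scripted form of the "successful validation" check: if the host name and the federation metadata endpoint are listed and enabled, the farm is ready for relying party trusts to be added.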
Once ADFS is configured we need to configure the Relying Party Trusts.
In the Relying Party Trusts tab, right-click and add a new Relying Party Trust.
Check "Enter data about the relying party manually".
Enter the display name as required.
The AD FS profile needs to be checked.
Click Next on the Configure Certificate section.
Check "Enable support for the SAML 2.0 WebSSO protocol" and pass the https://powerupcloud.southindia.cloudapp.azure.com URL.
In the trust identifier pass the https://powerupcloud.southindia.cloudapp.azure.com URL.
Check "I do not want to configure multi-factor authentication settings for this relying party trust at this time".
Allow all the users to access this relying party.
Click on Next in the Ready to Add Trust section.
Click on Finish.
In the Add Transform Claim Rule wizard, select "Send LDAP Attributes as Claims".
Enter the claim rule name, select the Active Directory attribute store and define the claim attributes as in the below screenshot.
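The relying party trust and the two claim rules (allow all users, send LDAP attributes) can be created in one step with Add-AdfsRelyingPartyTrust. The block below is an added example, not code from the original post: the trust name, the attribute list (mail, givenName, sn) and the use of the application URL as both identifier and WebSSO endpoint are assumptions based on the steps above.

```powershell
# Added example (not from the original post): create the relying party trust
# with the SAML 2.0 WebSSO endpoint, the identifier, a "permit all users"
# authorization rule and a "Send LDAP Attributes as Claims" transform rule.
# The trust name, URL and attribute list are assumptions based on this post.

$appUrl = 'https://powerupcloud.southindia.cloudapp.azure.com'

# Where AD FS POSTs the SAML response (the "SAML 2.0 WebSSO" URL).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $appUrl -Index 0 -IsDefault $true

# Claim rule language: for the authenticated Windows account, look up
# mail, givenName and sn in Active Directory and issue them as claims.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes as Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'Powerupcloud Web App' `
    -Identifier $appUrl `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Verify what AD FS will issue for this trust before testing a login.
Get-AdfsRelyingPartyTrust -Name 'Powerupcloud Web App' |
    Select-Object Name, Identifier, IssuanceTransformRules, SamlEndpoints
```

The identifier is what the application sends as the SAML Issuer / Audience, so it has to match the trust identifier exactly, including the scheme and trailing slash; the verification command at the end shows the value AD FS will compare against.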
Adjusting the trust settings
You still need to adjust a few settings on your relying party trust. To access these settings, select Properties from the Actions sidebar.
- In the Endpoints tab, click Add SAML to add a new endpoint.
- For the Endpoint type, select SAML Logout.
- For the Binding, choose POST.
- For the Trusted URL, create a URL using:
  - The web address of your AD FS server
  - The AD FS SAML endpoint you noted earlier
  - The string ?wa=wsignout1.0
- The URL should look something like this:
- Confirm your changes by clicking OK on the endpoint.
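The logout endpoint can be added to an existing trust from PowerShell as well. The block below is an added example, not code from the original post; the trust name, the AD FS host name and the assumption that the "SAML endpoint you noted earlier" is the standard /adfs/ls/ path are assumptions based on this post.

```powershell
# Added example (not from the original post): add the SAML Logout endpoint
# to the existing relying party trust without dropping the endpoints that
# are already configured. Names and URLs are assumptions based on this post.

$trustName = 'Powerupcloud Web App'
$adfsHost  = 'powerup.southindia.cloud.azure.com'

# AD FS server address + its SAML endpoint path + the WS-Federation sign-out
# string, as described in the steps above.
$logoutUrl = "https://$adfsHost/adfs/ls/?wa=wsignout1.0"

$logout = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found" }

# Set-AdfsRelyingPartyTrust replaces the whole endpoint list, so append the
# new endpoint to the current list instead of passing it alone.
$endpoints = @($trust.SamlEndpoints) + $logout
Set-AdfsRelyingPartyTrust -TargetName $trustName -SamlEndpoint $endpoints

# Check: both the SAMLAssertionConsumer and SAMLLogout endpoints should be listed.
(Get-AdfsRelyingPartyTrust -Name $trustName).SamlEndpoints |
    Select-Object Protocol, Binding, Location, Index
```

Passing only the new endpoint to Set-AdfsRelyingPartyTrust would remove the WebSSO endpoint and break sign-in, which is why the existing list is read and extended first.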
There you go: the application is up, and users are redirected to ADFS for authentication and then back to the application with their attributes.