Prerequisite for Azure AD Connect
Minimum Windows Server 2008
Options
Option 1 - Password Hash Sync
Sync directory to Azure
Manage users in on-prem AD
Authenticate users at Azure AD
Option 2 - Pass-through Authentication
Sync directory to Azure
Manage users in on-prem AD
Authenticate users at on-prem AD
Option 3 - Federated
No directory sync to Azure
Manage users in on-prem AD
Authenticate users at on-prem AD
ADFS uses 3 types of certificates
Service Communication
Token Decrypting
Token Signing
Host machine: the Active Directory server should have the Active Directory Certificate Services role installed and issue a *.domain.com cert; this machine is the certificate authority (AD CS).
Host: the ADFS server requests its SSL certificate from this Active Directory CA.
Install ADFS service - must be done on a domain-joined machine; install Server Roles: Active Directory Federation Services. After install, configure Federation Services with the steps below:
log in with enterprise admin creds
select the cert received in the previous step and the federation service display name
select the service account
to get all AD FS endpoints, from the same machine in PowerShell as admin: Get-AdfsEndpoint, or Get-AdfsEndpoint | select FullUrl | clip to copy the endpoint URLs to the clipboard
PowerShell as admin: > Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
verify in PowerShell as admin: > Get-AdfsProperties
Tools / AD FS control panel / Service / Authentication Methods [Edit]: remove Windows Authentication
URL for IdP-initiated sign-on: https://adfs.domain.com/adfs/ls/idpinitiatedsignon.aspx
Active Directory Federation Services
Browser-based authentication - /adfs/ls, e.g. https://adfs.domain.com/adfs/ls
Active client applications - /adfs/services/trust/mex, e.g. https://adfs.domain.com/adfs/services/trust/mex
Federation metadata of ADFS, e.g. https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
Since ADFS is a centralised service that can serve multiple applications, every application to be set up needs a relying party trust for that application, for which ADFS is the claims provider.
Configured on the ADFS server: launch AD FS
Service / Relying Party Trusts - right pane --> Add Relying Party Trust
configuring certificate: AD FS will use the cert provided by the application to encrypt the claims
the relying party identifier in incoming requests must match the one set up in the relying party trust
Add claim issuance policy
Protocols supported: WS-Fed, SAML, OAuth, OpenID Connect
go to: https://adfshelp.microsoft.com/ClaimsXray/TokenRequest
download the Relying Party Trust Management script
run it on the ADFS server; it will create the relying party trust
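The relying party trust setup and certificate checks above, done from PowerShell on the ADFS server rather than the MMC, as an added example that is not part of these notes or of Microsoft's Claims X-Ray script. It assumes an installed AD FS farm, an elevated PowerShell session as an AD FS admin, and a hypothetical relying party app at https://app.domain.com/ (name and URL are placeholders).

```powershell
# Added example, not from the original notes. Assumes an installed AD FS farm,
# an elevated PowerShell session on the AD FS server, and a hypothetical
# relying party at https://app.domain.com/ (placeholder name and URL).
Import-Module ADFS

# 1. Inventory the three certificate types the notes list and flag any that
#    expire within 30 days; a lapsed token-signing cert breaks every trust at once.
function Get-AdfsCertificateStatus {
    Get-AdfsCertificate | ForEach-Object {
        $cert = $_.Certificate
        [pscustomobject]@{
            Type        = $_.CertificateType   # Service-Communications, Token-Decrypting, Token-Signing
            Primary     = $_.IsPrimary
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            ExpiresSoon = ($cert.NotAfter -lt (Get-Date).AddDays(30))
        }
    }
}
Get-AdfsCertificateStatus | Format-Table -AutoSize

# 2. Register the relying party trust. The -Identifier value must equal the
#    identifier the application sends (wtrealm for WS-Fed, EntityID for SAML),
#    otherwise AD FS rejects the request as coming from an unknown relying party.
$rpName = 'Contoso App (placeholder)'
$rpId   = 'https://app.domain.com/'
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    # Pass -EncryptionCertificate <X509Certificate2> here if the app supplied
    # a cert for claim encryption, as the notes describe.
    Add-AdfsRelyingPartyTrust -Name $rpName `
        -Identifier $rpId `
        -WSFedEndpoint $rpId `
        -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
        -IssuanceTransformRules @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@
}

# 3. Verify the trust exists and confirm the IdP-initiated sign-on setting
#    the notes toggle, so the idpinitiatedsignon.aspx page can be tested.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, Enabled
(Get-AdfsProperties).EnableIdpInitiatedSignonPage
```

The issuance authorization rule permits all authenticated users; tighten it to a group claim once the trust is confirmed working through Claims X-Ray.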