Active Directory Federation Service (ADFS)

What is ADFS?

In simple terms, Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution. ADFS provides users with authenticated access to applications that cannot use Integrated Windows Authentication through Active Directory (AD).

To provide flexibility, ADFS gives organizations the ability to control their employees’ accounts while simplifying the user experience: employees only need to remember a single set of credentials to access multiple applications through SSO.

How does ADFS work?

ADFS manages authentication through a proxy service hosted between AD and the target application. It uses a Federated Trust, linking ADFS and the target application, to grant access to users. This lets users log on to the federated application through SSO without authenticating directly to the application.

The authentication process follows these steps:

  1. The user navigates to a URL provided by the ADFS service.
  2. The ADFS service authenticates the user via the organization’s AD service.
  3. Upon successful authentication, the ADFS service provides the user with an authentication claim.
  4. The user’s browser forwards this claim to the target application, which grants or denies access based on the Federated Trust that was created.

Setup ADFS

For this blog, I’ll use the servers below with the specified roles installed:

Server                    Server Name   Role
------------------------  ------------  -----------------------------------------------------------------------
Active Directory server   advm01        Active Directory Domain Services, Active Directory Certificate Services
ADFS server               adfsvm01      Active Directory Federation Services

I’ll use “techcirrus.com” as the domain for this article and a self-signed certificate named “adfs.techcirrus.com”.

For a production environment, a wildcard certificate is recommended.


The diagram above helps to understand how ADFS works in this setup:

1. The ADFS server requests the certificate from the AD server.

2. Once the request is granted, the site is redirected to ADFS.



Let’s start with the ADCS installation.

1. Install the Active Directory Certificate Services role on the AD server (as shown in the screenshot below).

2. Request an SSL certificate from the internal Certificate Authority. This involves the sub-steps listed below:

    1. Create a certificate template on the ‘Certificate Authority’ server.
    2. Issue the certificate template (for another server to use) on the ‘Certificate Authority’ server.
    3. Request a certificate from the ADFS server against the ‘Certificate Authority’ server.

The ADCS role is now installed. The next step is to configure ADCS.

3. The certificate template is created. Now, let’s issue it from the ‘Certificate Authority’ so other servers (like ADFS) can enroll it.

4. The certificate template is issued. Let’s go to the ADFS server, i.e., adfsvm01, and request this template to enroll.

Please note, the ADFS VM should be domain-joined before proceeding with the next steps.

 

5. Log on to the ADFS server and open ‘Certificates’ from Run → MMC.

6. Expand Certificates (Local Computer) → Personal → Certificates.

7. Right-click Certificates → All Tasks → Request New Certificate.



8. The Certificate Enrollment wizard opens. Click ‘Next’.

9. Select the certificate and click the ‘Enroll’ button.

10. Click ‘Finish’.





11. The self-signed certificate is enrolled.

12. Let’s go to the ADFS server VM, i.e., adfsvm01, to install the ADFS role on it.

13. Open ‘Server Manager’ on adfsvm01, go to ‘Add Roles and Features’ and click ‘Next’.


 

14.  Select ‘Active Directory Federation Services’ checkbox and click ‘Next’


15.  Click ‘Install’ button at ‘Confirmation’ page



16.  Once installation is complete, click on ‘Configure the federation service on this server’

17.  Select ‘Create the first federation server in a federation server farm’ and click ‘Next’

Please note, this is the first ADFS server in the domain, which is why I selected this option. If this is an additional ADFS server in your environment, select the option ‘Add a federation server to a federation server farm’.



18.  On the next page, connect to ADDS using domain admin credential


19.  Select the SSL certificate from the drop-down menu i.e., adfsvm01.techcirrus.com and add the ‘Federation Service Display Name’, click Next



20.  On ‘Specify Service Account’ page, you can either use ‘Group Managed service account’ or ‘domain user’ account. I’ve used domain user account.




21. All prerequisite checks should pass. Click the ‘Configure’ button.


22.  Hit ‘Close’ button upon completion


23. Verify that the ADFS console is accessible from Server Manager → ADFS Management.




24. To configure the IdpInitiatedSignOn login page, open PowerShell with elevated permissions.

25. Run the command Get-AdfsEndpoint | Select FullUrl as shown in the screenshot, copy the highlighted line and paste it into Notepad:

https://adfsvm01.techcirrus.com/adfs/ls/

26. Add IdpInitiatedSignOn.aspx at the end of the line as shown in the screenshot below:

https://adfsvm01.techcirrus.com/adfs/ls/IdpInitiatedSignOn.aspx

27. Copy the link and paste it into a browser, which brings up the home page shown below.

28. Click the ‘Sign in’ button to check that you can sign in to the page.
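The same setup scripted in PowerShell, added here as an example and not taken from the original post. It runs on adfsvm01 (domain-joined) as a domain admin after the template has been created and issued on advm01 (steps 1 to 4); the template name, display name and service account are assumed placeholders, and the template is assumed to allow the subject to be supplied in the request.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's own code. Run on adfsvm01 as a domain admin once the
# certificate template has been created and issued on advm01 (steps 1-4 above).
$FederationServiceName = 'adfs.techcirrus.com'        # service name used in the post
$TemplateName          = 'TechCirrusADFSWebServer'    # ASSUMED: CN of the template issued on advm01
$DisplayName           = 'TechCirrus ADFS'            # ASSUMED federation service display name

# Steps 5-11: enroll the certificate from the internal CA into the computer store.
# The template must allow 'Supply in the request' for the subject (assumption).
$enroll = Get-Certificate -Template $TemplateName `
                          -SubjectName "CN=$FederationServiceName" `
                          -DnsName $FederationServiceName `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') { throw "Enrollment did not complete: $($enroll.Status)" }
$thumbprint = $enroll.Certificate.Thumbprint

# Steps 12-22: install the role and create the first node of a new farm.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null
$svcCred = Get-Credential -Message 'ADFS service account (domain user, as in step 20)'
Install-AdfsFarm -CertificateThumbprint $thumbprint `
                 -FederationServiceName $FederationServiceName `
                 -FederationServiceDisplayName $DisplayName `
                 -ServiceAccountCredential $svcCred
# A gMSA (-GroupServiceAccountIdentifier 'TECHCIRRUS\gmsa-adfs$', assumed name) removes the
# password from your hands; further servers join with Add-AdfsFarmNode (see the step 17 note).

# Step 23 equivalent: confirm the HTTPS binding uses the enrolled certificate.
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash

# Steps 24-28: the IdP-initiated sign-on page. On Windows Server 2016 and later it is disabled
# by default, so step 27 fails until it is enabled; leave it disabled unless you need it.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
$base   = (Get-AdfsEndpoint -AddressPath '/adfs/ls/').FullUrl
$signon = "$base" + 'IdpInitiatedSignOn.aspx'
if (-not (Test-NetConnection -ComputerName $FederationServiceName -Port 443).TcpTestSucceeded) {
    throw "Nothing is listening on ${FederationServiceName}:443 - check DNS and the ADFS service"
}
"Open in a browser to test sign-in (step 28): $signon"
```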




This concludes the ADFS setup using a self-signed certificate. This has been another long post because of the step-by-step details and multiple screenshots, but it’s worth the detail and time. I hope this is useful to read and to implement in your environment. Cheers!
