# Sunday, December 23, 2012

Overview

Active Directory Federation Services (ADFS) is a service that provides a common interface for authentication. ADFS can automatically authenticate against Active Directory without the need for any code.

In this scenario, the web site is known as a Relying Party of ADFS because it relies on ADFS for authentication; Active Directory is known as a Claims Provider, because it the source of Claims – assertions about a user that it has authenticated; and ADFS is known as a Secure Token Service (STS), because it provides to the Relying Party a token contain identity information and claims about the authenticated user.

In order for a web site to use ADFS, you must perform some configuration in both ADFS and in IIS. 

IIS Configuration

Launch the IIS Manager on the computer on which you plan to host the web site. Right-click the web sites node and select New | Web Site. Provide a name, location, and other basic information to create the web site.

Right-click the newly-created web site and select Properties to appropriately adjust the web site properties.

On the ASP.NET tab, set the ASP.NET version to a value starting with “4.0”, as shown in Figure 1

IIS01-Prop_AspNet
Figure 1

At the “Directory Security” tab, click the [Server Certificate] button to associate an SSL certificate with this web site. During development, this can be a self-issued certificate; but, for Production, you will need to purchase a certificate from a Trusted Authority, such as VeriSign. The Directory Security tab is shown in Figure 2.

 IIS02-Prop_DirSecurity
Figure 2

Click the [Edit] button in the “Authentication and access control” section of the Directory Security tab. On the Secure Communications popup, check the “Require secure channel (SSL)” check box, as shown in Figure 3.

IIS03-Prop_DirSecurity_SecureComm
Figure 3

ADFS Configuration

Use the ADFS 2.0 Management Console to manage the Active Directory Federation service (ADFS), as shown in Figure 4

ADFS01-ADFS2MMC
Figure 4

Configure AD as a Claims Provider

In the ADFS 2.0 MMC Snap-In, expand the tree to select the AD FS 2.0\Trust Relationships\Claims Provider Trusts node. Active Directory should display under the Provider Trusts node. Select Active Directory to allow it to provide authentication and claims for relying parties

Configure Your App as a Relying Party

In the ADFS 2.0 MMC Snap-In, expand the tree to select the AD FS 2.0\Trust Relationships\Relying Party Trusts node. Right-click the Relying Party Trusts node and select “Add Relying Party Trust” from the context menu. The Add Relying Party Trust Wizard displays with the “Welcome” page active as shown in Figure 5. Click Next to advance to the next page.

ADFS02-RPTrust01
Figure 5

The “Select Data Source” page displays as shown in Figure 6. Select the “Enter data about the party manually” radio button and click [Next].
 
ADFS02-RPTrust02
Figure 6

The “Specify Display Name” page displays as shown in Figure 7. At the “Display name” textbox, enter a name to identify the relying party. This is the name you will see in the list of Relying Parties. Generally, the HOST name works here. Optionally, you can also enter some notes about this relying party. Click the [Next] button to advance to the next page of the wizard.

ADFS02-RPTrust03 
Figure 7

The “Choose Profile” page displays as shown in Figure 8. Select the “AD FS 2.0 profile” radio button and Click the [Next] button to advance to the next page of the wizard.
 
ADFS02-RPTrust04
Figure 8

The “Configure Certificate” page displays as shown in Figure 9. If you wish to encrypt the token returned to the relying party, you will need to add a certificate at this point. Click the [Browse] button to select a certificate. This certificate should be the same one used to secure the web site. Click the [Next] button to advance to the next page of the wizard.


ADFS02-RPTrust05
Figure 9

The “Configure URL” page displays as shown in Figure 10. Check the “Enable support for the WS-Federation Passive protocol” checkbox and enter the URL of the relying party web site. This tells ADFS to look for requests specifically from this URL. Click the [Next] button to advance to the next page of the wizard.

ADFS02-RPTrust06
Figure 10

The “Configure Identifiers” page displays as shown in Figure 11. Enter the relying party web site URL in the “Relying Party trust identifier” textbox and click the [Add] button to add it to the list below. Click the [Next] button to advance to the next page of the wizard.
 
ADFS02-RPTrust07
Figure 11

The “Issuance Authorization Rules” page displays, as shown in Figure 12. Select the “Permit all users to access this relying party” radio button. Click the [Next] button to advance to the next page of the wizard.
 
ADFS02-RPTrust08
Figure 12

The “Ready to Add Trust” page displays as shown in Figure 13. Review all information on this page and Click the [Next] button to advance to the next page of the wizard.
 
ADFS02-RPTrust09
Figure 13

The “Finish” page displays as shown in Figure 14. If you check the “Open the Edit Claims Rule dialog” checkbox, you can start adding Claim Rules as soon as you close the wizard; however, you can always go back later and add Claim Rules. Click the [Close] button to finish and close the wizard.
 
ADFS02-RPTrust10
Figure 14

Conclusion

In this article, we described the steps to perform in IIS and in ADFS to add Active Directory as a Claims Provider and your web application as a Relying Party

Sunday, December 23, 2012 9:45:00 PM (GMT Standard Time, UTC+00:00)
Comments are closed.