Before starting work with Active Directory Federation Services (ADFS), let us see how to install and configure it on your system so that it is ready for use with OpKey.
Installing ADFS on Windows Server 2012 R2
ADFS is a well-known service for providing Single Sign-On (SSO) to multiple web applications using a single Active Directory account.
Follow the steps below to install ADFS on a Windows Server machine:
- Open Server Manager and click on Add Roles and Features under Manage menu.
- Click Next.
- Select Role-based or feature-based installation and then click Next.
- Select the server on which you want to install this role, then click Next.
Note: Web Application Proxy role and ADFS cannot be installed on the same computer.
- Select Select a server from the server pool and then click Next.
- You can select other required features from here. Select Active Directory Federation Services and click Next.
- Click Next.
- Click Next.
- The ADFS role does not require a reboot.
- Click Install to start the ADFS installation.
- Once the ADFS installation has finished, click Close.
Configuring ADFS on Windows Server 2012 R2
Follow the steps below to configure ADFS:
- In Server Manager, click the Notifications button and then click the message Configure the federation service on this server.
- The Post-deployment Configuration popup message appears.
- As we have to create a new federation server (our first ADFS server), select the first option, then click Next.
- Make sure that the account you are logged in with has Active Directory Domain Admin permissions. If not, click Change.
- Click Next to continue.
- SSL Certificate: The drop-down menu lists the certificates installed on the server. You can use the default self-signed certificate or one you created. Ensure you have it in .PFX format.
- Federation Service Name: Give your AD FS an FQDN.
- Federation Service Display Name: Enter a display name.
- Click Next to proceed.
Note: If you are installing ADFS on a Domain Controller, or want to use a different FQDN for ADFS than the server's own name, you will need to ensure that a DNS record exists for the name you enter.
- Since this is my home lab I am putting ADFS on my Domain Controller and needed to create a DNS entry.
Note: If you imported a certificate, you can see it is added to your Personal Certificates.
- On the Specify Service Account tab you may get the following message.
- If you want the Wizard to create a Service Account for you then proceed to the PowerShell window below. If you want to create a Service Account manually you can add it by selecting the second option.
- Get-Help Add-KdsRootKey – Read about the command
- Add-KdsRootKey -EffectiveImmediately – Generate root key
- Enter the Service Account you want to use and click Next:
Note: Ensure this user account is added to the local Administrators group of your ADFS server. It is required to set up Microsoft Web Application Proxy.
- You have the option of using a Windows Internal Database (WID) or SQL Server. If you have a small environment/lab then use WID. If you have a large environment use a SQL database.
- Click Next.
Note: WID is a limited version of SQL Express that doesn’t have a GUI or management interface. The WID database is a file (SUSDB.dbf) stored in C:\Windows\wid\data\
- Click Next.
- If everything checks out, click Configure.
- Once complete click Close.
- ADFS is now installed and is ready for testing!
Let us see if ADFS is working properly.
- Open a web browser and go to the ADFS URL below and click Sign In.
- You should get a login box; enter your domain credentials. Once logged in, you should see the screen below:
- You are now ready to use ADFS in your environment!
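The role installation, service account creation, farm configuration and sign-in check above can also be scripted. This is an added example, not code from the original page; the federation service name, display name, gMSA name and certificate subject are assumed values to replace for your environment.

```powershell
# Added example (not from the original page): installs the AD FS role, creates the KDS root
# key and a group managed service account (gMSA), configures the first federation server
# against WID, and checks that the federation metadata endpoint answers over HTTPS.
$fsName        = 'adfs.corp.example'     # assumed Federation Service Name (needs a DNS A record)
$fsDisplayName = 'Corp Example ADFS'     # assumed Federation Service Display Name
$gmsaName      = 'gmsa-adfs'             # assumed service account name (wizard would create one)

# 1. Install the role and management tools; ADFS-Federation needs no reboot.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# 2. KDS root key, as in the wizard's PowerShell step. Create it only once per forest;
#    -EffectiveImmediately is usable at once in a single-DC lab but still needs replication
#    time in a multi-DC domain.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 3. Create the gMSA the federation service runs as, and allow this server to retrieve
#    its password. The host SPN must match the federation service name.
New-ADServiceAccount -Name $gmsaName -DNSHostName $fsName `
    -ServicePrincipalNames "host/$fsName" `
    -PrincipalsAllowedToRetrieveManagedPassword "$env:COMPUTERNAME`$"

# 4. Pick the SSL certificate (imported .PFX or self-signed) whose subject is the
#    federation service name; take the one that expires last if several exist.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$fsName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fsName in LocalMachine\My; import the .PFX first." }

# 5. Configure the first federation server. No database parameters means WID,
#    the choice for a small environment or lab.
$domainNetbios = (Get-ADDomain).NetBIOSName
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName $fsDisplayName `
    -GroupServiceAccountIdentifier "$domainNetbios\$gmsaName`$"

# 6. Verify before testing sign-in: the metadata document must be served on the FQDN.
#    A self-signed certificate must be trusted by this machine or the request fails.
$metadata = Invoke-WebRequest -UseBasicParsing `
    -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
if ($metadata.StatusCode -eq 200) { "ADFS is answering on $fsName" }
```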
Adding a Relying Party Trust
(1) Open Server Manager, navigate to the Tools menu and select ADFS Management from the drop-down.
(2) Click on Add Relying Party Trust under Trust Relationships of AD FS in ADFS management sidebar.
(3) Add Relying Party Trust Wizard opens. In the Welcome screen, click Start to continue.
(4) Click Start to continue.
(5) Select the Enter data about the relying party manually option in the Select Data Source screen.
(6) Click Next to continue.
(7) Specify Display Name screen appears. Enter a Display Name to recognize the trust, such as Test Environment, and add any notes you want to make.
(8) Click Next to continue.
(9) Select the AD FS profile option in the Choose Profile screen.
(10) Click Next to continue.
(11) Leave the certificate settings at their default values in the Configure Certificate screen.
(12) Click Next to continue.
(13) Select the option Enable Support for the SAML 2.0 WebSSO protocol and enter the SAML 2.0 SSO service URL in the Configure URL screen. (Format should be – https://<your-mattermost-url>/login/sso/saml where https://<your-mattermost-url>)
(14) Click Next to continue.
(15) Enter the Relying party trust identifier (also known as the Identity Provider Issuer URL) in the Configure Identifiers screen. (Format should be – https://<your-idp-url>/adfs/services/trust).
(16) Click Add to add the entered Relying party trust identifier in the list.
(17) On the Configure Multi-factor Authentication Now screen, you can optionally enable multi-factor authentication.
(18) Click Next to continue.
(19) Select the option Permit all users to access this relying party in the Choose Issuance Authorization Rules screen.
(20) Click Next to continue.
(21) You can review your settings in the Ready to Add Trust screen.
(22) Click Next to continue.
(23) On the Finish screen, select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option.
(24) Click Close.
Create Claim Rules
(4) Enter a Claim Rule Name of your choice, select Active Directory as the Attribute Store in the Configure Claim Rule window.
(5) Fill in the required fields under Mapping of LDAP attributes to outgoing claim types as follows:
- From the LDAP Attribute column, select E-Mail-Addresses. From the Outgoing Claim Type, type Email.
- From the LDAP Attribute column, select Given-Name. From the Outgoing Claim Type, type FirstName.
- From the LDAP Attribute column, select Surname. From the Outgoing Claim Type, type LastName.
- From the LDAP Attribute column, select SAM-Account-Name. From the Outgoing Claim Type, type Username.
The FirstName and LastName attributes are optional.
Note: The entries in the Outgoing Claim Type column can be chosen to be something else. They can contain dashes but no spaces.
(6) Click Finish to add the rule.
(10) In the Choose Rule Type screen, select Transform an Incoming Claim from the drop-down menu.
- Select Name ID for the Incoming claim type
- Select Unspecified for the Incoming name ID format
- Select E-Mail Address for the Outgoing claim type
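The relying party trust and the two claim rules from the sections above, created with the AD FS cmdlets instead of the wizards. This is an added example, not code from the original page; the two URLs are the page's own placeholders, and the trust notes and rule names are assumed.

```powershell
# Added example (not from the original page): scripts the Add Relying Party Trust wizard and
# the Edit Claim Rules dialog. Replace the two placeholder URLs before running.
$rpName     = 'Test Environment'
$acsUrl     = 'https://<your-mattermost-url>/login/sso/saml'   # placeholder from the page
$identifier = 'https://<your-idp-url>/adfs/services/trust'     # placeholder from the page

# Configure URL screen: SAML 2.0 WebSSO, assertions are POSTed to the SSO service URL.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

# Choose Issuance Authorization Rules screen: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Claim rule 1 (Send LDAP Attributes as Claims, store = Active Directory):
#   E-Mail-Addresses -> Email, Given-Name -> FirstName, Surname -> LastName,
#   SAM-Account-Name -> Username. Outgoing types may be any name without spaces.
# Claim rule 2 (Transform an Incoming Claim): Name ID with Unspecified format -> E-Mail Address,
#   as selected in the Choose Rule Type steps above.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "OpKey LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName", "Username"), query = ";mail,givenName,sn,sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID to E-Mail Address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Certificate settings stay at their defaults, as in the wizard; the rule sets are compiled
# by AD FS on add, so a syntax error in either string fails here rather than at sign-in.
Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $identifier -SamlEndpoint $acs `
    -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules `
    -Notes 'Created by script for the OpKey test environment'   # assumed note text

# Review, as on the Ready to Add Trust screen: identifier, endpoint and both rule sets.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceAuthorizationRules, IssuanceTransformRules
```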