Active Directory Federation Services

ADFS – How-to federate with a customer

What is ADFS ?

It’s a web service that authenticates your users against Active Directory and at the same time gives them access to claims-aware applications (e.g. Office 365). These applications are typically used through the client’s web browser. They can be on-premises, off-premises, or hosted by other companies; it doesn’t matter where the applications live or who owns them, as long as they can accept a token containing claims.

ADFS is an identity access solution that provides client computers (internal or external to your network) with SSO access to protected Internet-facing applications or services, even when the user accounts and applications are located in completely different networks or organizations.

When an application or service is in one network and a user account is in another network, typically the user is prompted for secondary credentials when he or she attempts to access the application or service. These secondary credentials represent the user’s identity in the realm where the application or service resides. They are usually required by the Web server that hosts the application or service so that it can make the most appropriate authorization decision.

With ADFS, organizations can bypass requests for secondary credentials by providing trust relationships (federation trusts) that these organizations can use to project a user’s digital identity and access rights to trusted partners. In this federated environment, each organization continues to manage its own identities, but each organization can also securely project and accept identities from other organizations.

ADFS terms that are not super friendly at first…;)

Account partner organization : A federation partner organization that is represented by a claims provider trust in the Federation Service. The account partner organization contains the users that will access Web-based applications in the resource partner.

Resource partner organization : A federation partner that is represented by a relying party trust in the Federation Service. The resource partner hosts the published Web-based applications that users in the account partner can access, and issues the claims-based security tokens those applications consume.

Relying Party (RP) | Service Provider (SP): The organization that receives and processes claims.

Relying Party Trust : In the AD FS Management snap-in, relying party trusts are trust objects typically created in:

– Account partner organizations to represent the organization in the trust relationship whose accounts will be accessing resources in the resource partner organization.
– Resource partner organizations to represent the trust between the Federation Service and a single web-based application.

A relying party trust object consists of a variety of identifiers, names, and rules that identify this partner or web-application to the local Federation Service.

Claims Provider | Identity Provider (IdP) : The organization that provides claims for its users. See account partner organization.

Claims Provider Trust : In the AD FS Management snap-in, claims provider trusts are trust objects typically created in resource partner organizations to represent the organization in the trust relationship whose accounts will be accessing resources in the resource partner organization. A claims provider trust object consists of a variety of identifiers, names, and rules that identify this partner to the local Federation Service.

Prerequisites for the following scenario :

  • The customer must have an Internet-facing AD FS farm.
  • The SaaS provider deploys their own AD FS farm.
  • The customer and the SaaS provider must set up federation trust. This is a manual process.

For ADFS installation refer to :

ADFS 2016 Installation & Configuration

ADFS 2016 Web App Proxy Installation & Configuration

[Figure: federation-trust.png]

* The application uses OpenID Connect as the authentication protocol. Another option is to use WS-Federation. Note that OpenID Connect is only available with ADFS 2016.


SaaS provider  / Resource Partner = my company

Customer / Account Partner = external company

I own an application called App. I need the Active Directory users on the customer’s side to connect to my App using their own AD credentials.

To complete this process, a trust has to be established on both sides, using claims that will be validated against the Active Directory user account to authenticate the identity.

First, we need to create a claims provider trust with claim rules in my ADFS.

The claim rules can filter on the UPN, the email address, or even on whether the user account is a member of a specific AD security group. There are plenty of possibilities for the claims.

Once that is finalized, we provide our ADFS federation metadata .xml to the customer. They will create the relying party trust from it. The .xml includes information such as my certificate, the IdP URLs, etc.


The last part to be done on their side is to add claim rules. In this case, the UPN will be tested against their Active Directory user accounts.

Configure the AD FS Resource Partner (My company)

  1. Add a claims provider trust.
  2. Add claims rules.
  3. Enable home-realm discovery.

Here are the steps in more detail.

Add the claims provider trust

  1. In Server Manager, click Tools, and then select AD FS Management.
  2. In the console tree, under AD FS, right click Claims Provider Trusts. Select Add Claims Provider Trust.
  3. Click Start to start the wizard.
  4. Select the option “Import data about the claims provider published online or on a local network”. Enter the URI of the customer’s federation metadata endpoint. (Example: https://contoso.com/FederationMetadata/2007-06/FederationMetadata.xml.) You will need to get this from the customer.
  5. Complete the wizard using the default options.

Edit claims rules

  1. Right-click the newly added claims provider trust, and select Edit Claims Rules.
  2. Click Add Rule.
  3. Select “Pass Through or Filter an Incoming Claim” and click Next.
  4. Enter a name for the rule.
  5. Under “Incoming claim type”, select UPN.
  6. Select “Pass through all claim values”.
  7. Click Finish.
  8. Repeat steps 2 – 7, and specify Anchor Claim Type for the incoming claim type.
  9. Click OK to complete the wizard.

Enable home-realm discovery

Run the following PowerShell script:

Set-ADFSClaimsProviderTrust -TargetName "name" -OrganizationalAccountSuffix @("suffix")

where “name” is the friendly name of the claims provider trust, and “suffix” is the UPN suffix for the customer’s AD (example, “corp.fabrikam.com”).

With this configuration, end users can type in their organizational account, and AD FS automatically selects the corresponding claims provider. See Customizing the AD FS Sign-in Pages, under the section “Configure Identity Provider to use certain email suffixes”.
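The three resource-partner steps above, scripted with the AD FS PowerShell module on the SaaS provider’s server, as an added example (not code from the original post). The trust name, metadata URL and UPN suffix are placeholders the customer would supply; the UPN rule is a hardening choice that narrows the post’s “Pass through all claim values” option so the partner can only assert UPNs under its own suffix.

```powershell
# Added example, not code from the original post: the resource-partner steps
# (add claims provider trust, add claims rules, enable home-realm discovery)
# run on the SaaS provider's AD FS server with the AD FS PowerShell module.
# Placeholder values below come from the customer, not from the post.
Import-Module ADFS

$trustName     = "Fabrikam (customer)"
$metadataUrl   = "https://adfs.corp.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml"
$upnSuffix     = "corp.fabrikam.com"
$suffixPattern = [regex]::Escape($upnSuffix)   # "corp\.fabrikam\.com"

# Acceptance transform rules. Instead of "Pass through all claim values", the UPN
# rule only accepts values under the customer's own suffix, so a token from this
# partner cannot carry a UPN that belongs to another tenant. The anchor claim
# type is passed through unchanged, as in steps 2-7 of the post.
$acceptanceRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN (customer suffix only)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
   Value =~ "(?i)^[^@]+@${suffixPattern}$"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through anchor claim type"
c:[Type == "http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype"]
 => issue(claim = c);
"@

# Step 1: import the customer's published federation metadata (what the
# "Import data about the claims provider published online" wizard page does)
# and attach the rules in the same call. AutoUpdateEnabled picks up the
# partner's new signing certificate when they roll it over.
Add-AdfsClaimsProviderTrust -Name $trustName `
    -MetadataUrl $metadataUrl `
    -AcceptanceTransformRules $acceptanceRules `
    -AutoUpdateEnabled $true

# Step 3: home-realm discovery by UPN suffix (the Set-ADFSClaimsProviderTrust
# command from the post), so a user typing alice@corp.fabrikam.com is sent
# straight to the customer's AD FS.
Set-AdfsClaimsProviderTrust -TargetName $trustName -OrganizationalAccountSuffix @($upnSuffix)

# Check what AD FS stored for the trust.
Get-AdfsClaimsProviderTrust -Name $trustName |
    Select-Object Name, Enabled, OrganizationalAccountSuffix, AcceptanceTransformRules
```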


Configure the AD FS Account Partner (Customer)

The customer must do the following:

  1. Add a relying party (RP) trust.
  2. Add claims rules.

Add the RP trust

  1. In Server Manager, click Tools, and then select AD FS Management.
  2. In the console tree, under AD FS, right click Relying Party Trusts. Select Add Relying Party Trust.
  3. Select Claims Aware and click Start.
  4. On the Select Data Source page, select the option “Import data about the claims provider published online or on a local network”. Enter the URI of the SaaS provider’s federation metadata endpoint.
  5. On the Specify Display Name page, enter any name.
  6. On the Choose Access Control Policy page, choose a policy. You could permit everyone in the organization, or choose a specific security group.
  7. Enter any parameters required in the Policy box.
  8. Click Next to complete the wizard.

Add claims rules

  1. Right-click the newly added relying party trust, and select Edit Claim Issuance Policy.
  2. Click Add Rule.
  3. Select “Send LDAP Attributes as Claims” and click Next.
  4. Enter a name for the rule, such as “UPN”.
  5. Under Attribute store, select Active Directory.
  6. In the Mapping of LDAP attributes section:
    • Under LDAP Attribute, select User-Principal-Name.
    • Under Outgoing Claim Type, select UPN.
  7. Click Finish.
  8. Click Add Rule again.
  9. Select “Send Claims Using a Custom Rule” and click Next.
  10. Enter a name for the rule, such as “Anchor Claim Type”.
  11. Under Custom rule, enter the following:
    EXISTS([Type == "http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype"])=>
    issue (Type = "http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype",
          Value = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn");

    This rule issues a claim of type anchorclaimtype. The claim tells the relying party to use UPN as the user’s immutable ID.

  12. Click Finish.
  13. Click OK to complete the wizard.
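The account-partner steps above (RP trust plus the two claim rules), scripted on the customer’s AD FS as an added example (not code from the original post). The trust name, metadata URL and group name are placeholders; the “Permit specific group” policy stands in for the wizard’s access control policy choice, and its GroupParameter key name is assumed from the built-in policy template.

```powershell
# Added example, not code from the original post: the account-partner steps
# (add RP trust, add claims rules) run on the customer's AD FS server.
# Trust name, metadata URL and group name are placeholders.
Import-Module ADFS

$trustName   = "Contoso SaaS App"
$metadataUrl = "https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"

# Issuance transform rules:
#  - the "Send LDAP Attributes as Claims" rule (User-Principal-Name -> UPN)
#  - the custom "Anchor Claim Type" rule from the post, which tells the relying
#    party to use the UPN as the user's immutable ID
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Anchor Claim Type"
EXISTS([Type == "http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype"])=>
 issue (Type = "http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype",
        Value = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn");
'@

# Create the RP trust from the SaaS provider's metadata. Instead of "Permit
# everyone", the access control policy is scoped to one AD security group, so
# only its members are issued tokens for the provider's app. The GroupParameter
# key name is assumed from the built-in "Permit specific group" policy template.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $issuanceRules `
    -AccessControlPolicyName "Permit specific group" `
    -AccessControlPolicyParameters @{ GroupParameter = @("CORP\SaaS-App-Users") } `
    -AutoUpdateEnabled $true

# Confirm the identifier and endpoint pulled from metadata and the policy applied.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, WSFedEndpoint, AccessControlPolicyName
```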


Authentication flow

  1. When the user clicks “sign in”, the application redirects to an OpenID Connect endpoint on the SaaS provider’s AD FS.
  2. The user enters his or her organizational user name (“alice@corp.contoso.com”). AD FS uses home realm discovery to redirect to the customer’s AD FS, where the user enters their credentials.
  3. The customer’s AD FS sends user claims to the SaaS provider’s AD FS, using WS-Federation (or SAML).
  4. Claims flow from AD FS to the app, using OpenID Connect. This requires a protocol transition from WS-Federation.


Source : https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/adfs

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts
