SharePoint 2013 and ADFS, Maxim Zhvirblya, EPAM Systems © 2014

SharePoint 2013 and ADFS

Nov 22, 2014


Maxim Zhvirblya presented "SharePoint 2013 and ADFS" @ Belarus SPUG meet-up #39, July 24.
Transcript
Page 1: SharePoint 2013 and ADFS

SharePoint 2013 and ADFS

MAXIM ZHVIRBLYA

EPAM SYSTEMS © 2014

Page 2: SharePoint 2013 and ADFS

Active Directory Federation Services

Active Directory Federation Services (AD FS) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity.

Page 3: SharePoint 2013 and ADFS

Active Directory Federation Services

Page 4: SharePoint 2013 and ADFS

What is a Claim?

A claim is a piece of information that describes a given identity in some aspect. Think of a claim as a name-value pair. Claims are held in an authentication token that may also carry a signature, so you can be sure the token was not tampered with on its way from the remote machine to your system.

Page 5: SharePoint 2013 and ADFS

Claims-based authentication

Claims-based authentication is a more general authentication mechanism that lets users authenticate with external systems, which then provide the asking system with claims about the user.

Page 6: SharePoint 2013 and ADFS

Claims-based authentication

1. The user makes a request to some application.

2. The system redirects the user to the authentication page of an external system (this may also happen after the system lets the user select the external system where he or she wants to log in).

3. After successful authentication, the external system redirects the user back with some information.

4. The application makes a request to the external system to validate the user.

5. If the user is valid, the user gets access to the application.
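The following is an added example, not part of the original slide deck, that plays out steps 3 to 5 above with a toy token: the external system (identity provider) packs name-value claims into a signed token, and the application refuses to use any claim until the signature, issuer, audience and expiry have all been checked. The token format, the HMAC signing key, the issuer URL and the relying-party identifier are all constructed for the demo; real AD FS issues SAML tokens signed with an X.509 token-signing certificate, but the validation order it illustrates is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; none of these come from the slides.
IDP_SIGNING_KEY = b"demo-idp-signing-key-not-for-production"  # stands in for the token-signing cert
IDP_ISSUER = "https://adfs.example.local/adfs/services/trust"  # hypothetical federation service
RELYING_PARTY = "urn:sharepoint:intranet"                      # hypothetical relying-party identifier


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, audience, key=IDP_SIGNING_KEY, lifetime=300, now=None):
    """Step 3: the identity provider returns the user's claims (name-value pairs)
    inside a token bound to one audience, with a short lifetime and a signature."""
    now = time.time() if now is None else now
    body = {"iss": IDP_ISSUER, "aud": audience, "exp": int(now + lifetime), "claims": claims}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def validate_token(token, expected_audience, key=IDP_SIGNING_KEY, now=None):
    """Steps 4-5: the application validates the token before trusting any claim.
    Returns (True, claims) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        payload, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    # Signature first, in constant time: nothing in the payload is read until
    # it is known to be exactly what the issuer signed.
    expected_sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64(sig_b64)):
        return False, "bad signature"
    body = json.loads(_unb64(payload))
    if body.get("iss") != IDP_ISSUER:
        return False, "unknown issuer"
    if body.get("aud") != expected_audience:
        return False, "token issued for a different relying party"
    if body.get("exp", 0) < now:
        return False, "token expired"
    return True, body["claims"]


def rewrite_claim_without_resigning(token, name, value):
    """Constructed helper showing what an in-transit modification looks like:
    the claim is changed but the original signature is kept, so validation fails."""
    payload, sig = token.split(".")
    body = json.loads(_unb64(payload))
    body["claims"][name] = value
    return f"{_b64(json.dumps(body, sort_keys=True).encode())}.{sig}"


if __name__ == "__main__":
    # Constructed claims for a demo user.
    token = issue_token({"email": "alice@example.local", "role": "Visitor"}, RELYING_PARTY)
    print("valid token  ->", validate_token(token, RELYING_PARTY))
    print("wrong audience ->", validate_token(token, "urn:sharepoint:other"))
    print("modified claim ->", validate_token(rewrite_claim_without_resigning(token, "role", "Owner"), RELYING_PARTY))
```

The order of the checks is the point: a relying party that reads the `role` claim before verifying the signature, or that accepts a token minted for another application, defeats the purpose of the federation trust even when the signing key itself is sound.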

Page 7: SharePoint 2013 and ADFS

SharePoint 2013 ADFS Prerequisites

1) Create DNS Entry

2) Create a Service Account

3) Create ADFS Certificate Template

4) Request Certificates

Page 8: SharePoint 2013 and ADFS

Create DNS Entry

Page 9: SharePoint 2013 and ADFS

Create a Service Account

Page 10: SharePoint 2013 and ADFS

Create ADFS Certificate Template

Page 11: SharePoint 2013 and ADFS

Create ADFS Certificate Template

Page 12: SharePoint 2013 and ADFS

Request Certificates

Page 13: SharePoint 2013 and ADFS

Request Certificates

Certificates:

1. Service Communications

2. Token Decrypting

3. Token Signing

Page 15: SharePoint 2013 and ADFS

Installing AD FS v2

◦ Right click “AdfsSetup.exe” and “Run as administrator”

◦ Click “Next >” on the “Welcome to the AD FS 2.0 Setup Wizard” screen

◦ Accept the terms of the license and click “Next >”

◦ On the “Server Role” screen select the “Federation server” radio button and click “Next >” to continue

◦ Click “Next >” on the “Install Prerequisite Software” screen

◦ Leave the “Start the AD FS 2.0 Management snap-in when this wizard closes.” checkbox selected and click “Finish” to launch the post-installation “AD FS 2.0 Federation Server Configuration Wizard”

Page 16: SharePoint 2013 and ADFS

Initial Configuration

Click the “AD FS 2.0 Federation Server Configuration Wizard” link

Select the “Create a new Federation Service” radio button and click “Next >”

Page 17: SharePoint 2013 and ADFS

Initial Configuration

Select the SSL certificate that was previously created for Service Communications

Specify the ADFS service account and password that were created during the prerequisite phase

Page 18: SharePoint 2013 and ADFS

Some Demo =)

Page 19: SharePoint 2013 and ADFS

AD FS v3? Differences:

AD FS is no longer dependent on IIS. This offers enhanced performance and reduces the footprint of services, especially when AD FS is installed on Active Directory domain controllers.

Remote installation and configuration through Server Manager.

UI support for installing AD FS with SQL Server.

Group Managed Service Account support. This enables AD FS to be run with service accounts without managing expiring service account passwords.

SQL Server merge replication support when deploying AD FS across globally dispersed datacenters.

Note that in Windows Server® 2012 R2, the ‘stand-alone’ mode for AD FS setup has been removed.

Web Application proxy

Page 20: SharePoint 2013 and ADFS

Web Application Proxy

Web Application Proxy is a new Remote Access role service in Windows Server® 2012 R2 that provides reverse proxy functionality for corporate web applications and services.

Web Application Proxy also functions as an AD FS proxy.

Page 21: SharePoint 2013 and ADFS

Questions & Discussion
