Mark and Tom here again, continuing our series on ADFS. In this post, we'll show you how to use some sample code to configure a web application for Web Single Sign-On (Web SSO) with ADFS.

While Federated Web Single Sign-on (henceforth, SSO) is when two organizations create a federation trust between each other for the purpose of sharing applications while still using their own credentials, most of our customers are setting up ADFS for using Web SSO.

Web SSO is when a claims-aware web application, either on-premise or off-premise, is configured to enable users to log in to the application using their existing Active Directory credentials. Great examples of these are ServiceNow for your help desk, Dynamics CRM Online for CRM, or an Office 365 SharePoint site for collaboration. In a typical Web SSO transaction, the end user will navigate directly to the web application and the web application will determine that the user is not authorized and redirect them to their ADFS server. There, they authenticate using integrated Windows authentication or by typing in their credentials. Finally, they get redirected back to the application with a SAML token. The application will then verify the SAML token and the web application will then load.

The key to remember here is that the claims-aware application never communicates with the ADFS server directly. The client's browser handles the responsibility of authenticating against the ADFS server and then the browser receives the SAML token, which it submits to the application. This is the reason that Web SSO is described as a passive request: the browser isn't truly SSO-aware but is still capable of brokering the transaction.

Having a sample claims-aware website that you can install, that also shows the claims that are being sent, can immensely help in understanding Web SSO, how to configure the ADFS components, and how to troubleshoot the claims that are being sent. Once you have this solid foundation, onboarding more Web SSO applications for your users should be much easier.
The requirements are pretty simple. You need:

- An ADFS Server. More than one, load balanced and using a SQL backend for prod. But, since this is all about building a lab, one is just fine. For the purposes of this series, it should be on Windows Server 2012 or 2012 R2.
- An attribute store. This will be Active Directory, SQL Server, or an LDAP provider. Since 99.9% of you (completely scientific statistic) will likely use Active Directory Domain Services, we'll talk about that. We also won't talk about deploying AD, since you're probably already done with that.
- A claims-aware web application that has been configured to point to your security token service. This should be on its own IIS server. We'll point out some sample code, share a sample test application (Disclaimer: We aren't developers), and use Message Analyzer to highlight the authentication flow.

Let's get to it!
18/07/2015 | How to Build Your ADFS Lab on Server 2012, Part 2: Web SSO | Ask Premier Field Engineering (PFE) Platforms

The Lab

The forest we'll be using is called corp.milt0r.com. The ADFS service URL is https://sts.milt0r.com. Finally, the test application will live on an IIS server at https://adfstest.corp.milt0r.com. In checklist form, you'll need:
- A working Domain Controller
- A working ADFS member server. All of our examples refer to ADFS 2.1 on Server 2012, but should apply to 2.0 on 2008 R2 as well, with the exception of the script. (See our previous article to get ADFS set up)
- A working IIS member server, running Windows Server 2012 or Windows Server 2012 R2
- A client machine that is joined to your lab domain.
- The URL of your web application
- *Optional* An SSL certificate for your web application from a trusted CA
We started by grabbing some sample code from MSDN. You can find that code here. Then we were shown some much nicer looking code (Thanks Dave) and used that instead. Since our primary focus in this post is configuring Web SSO from an infrastructure standpoint, we aren't going to cover the code itself. To make it even easier, we included a PowerShell script that will set it all up for you. Both are attached at the bottom of this post. Make sure to read the disclaimer.
Setup Script

The setup script is going to do the following:

- Create a self-signed certificate
- Configure IIS (app pool, new site, HTTPS binding)
- Modify the application's web.config file and federation metadata document to contain your STS URL and application URL.
The script requires Windows Server 2012 or 2012 R2. It will not work on Windows Server 2008 R2. Before running it, you'll need to collect some information. Those items are:

- The fully qualified domain name of your test app. (ex: MyTestApp.corp.contoso.com)
- The name of your ADFS server

You will need to manually perform the following:

- Register an A record in your DNS zone for the test application
- Ensure the PowerShell execution policy on your IIS server is set to RemoteSigned, and you've run Unblock-File on the script, or set the policy to Unrestricted.
Once you've got that, copy the ZIP file contents up to the IIS server. Unzip the script to a folder, and move the entire deploy folder from the zip file to a location on the system drive. Now, run the script. The parameters are pretty straightforward, and are as follows:

- SourcePath: This should be the path to the website code we've provided. In the example, we had copied the site data from the zip file to c:\temp\deploy.
- SiteName: This will be the name of the test site in IIS, as well as the application pool.
- SitePhysicalPath: The location on disk where the template site will be copied. We used C:\sites\adfstest.
- ADFSServer: The hostname/FQDN of your ADFS server (not the friendly name, but the actual hostname).
- AppFQDN: The fully qualified domain name of your test application. This will be set as a binding on the site in IIS.

The script will install everything you need, including the necessary features and roles.
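To make the three steps of the setup script concrete, here is an added illustration of what they involve in PowerShell on Windows Server 2012 / 2012 R2. This is not the authors' attached script; it only mirrors the steps and parameter names described above. The web.config element names (system.identityModel, wsFederation) and the FederationMetadata\2007-06\FederationMetadata.xml location assume a WIF 4.5 style sample application, which is an assumption about the attached code.

```powershell
# Added illustration of the setup steps, not the authors' attached script.
# Assumes Windows Server 2012 / 2012 R2 and a WIF 4.5 style web.config in the sample app.
param(
    [Parameter(Mandatory)] [string] $SourcePath,        # e.g. C:\temp\deploy
    [Parameter(Mandatory)] [string] $SiteName,          # IIS site and app pool name
    [Parameter(Mandatory)] [string] $SitePhysicalPath,  # e.g. C:\sites\adfstest
    [Parameter(Mandatory)] [string] $ADFSServer,        # actual hostname, e.g. sts.milt0r.com
    [Parameter(Mandatory)] [string] $AppFQDN            # e.g. adfstest.corp.milt0r.com
)

# Roles and features: IIS plus ASP.NET 4.5 (WIF 4.5 is part of the .NET 4.5 framework).
Install-WindowsFeature Web-Server, Web-Asp-Net45, Web-Mgmt-Console | Out-Null
Import-Module WebAdministration

# Step 1: self-signed certificate for the lab only. Nothing trusts it yet, which is why the
# relying party trust wizard cannot import metadata over HTTPS until you trust it on ADFS.
$cert = New-SelfSignedCertificate -DnsName $AppFQDN -CertStoreLocation Cert:\LocalMachine\My

# Step 2: copy the site content, then create the app pool, the site and an HTTPS binding.
New-Item -ItemType Directory -Path $SitePhysicalPath -Force | Out-Null
Copy-Item -Path (Join-Path $SourcePath '*') -Destination $SitePhysicalPath -Recurse -Force
New-WebAppPool -Name $SiteName | Out-Null
Set-ItemProperty "IIS:\AppPools\$SiteName" -Name managedRuntimeVersion -Value 'v4.0'
New-Website -Name $SiteName -PhysicalPath $SitePhysicalPath -ApplicationPool $SiteName `
    -Port 443 -Ssl -HostHeader $AppFQDN | Out-Null
$binding = Get-WebBinding -Name $SiteName -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# Step 3: point the app at the STS. The issuer is the ADFS passive endpoint; the realm and the
# audience URI are the application URL, and must match the identifier ADFS knows the app by.
$stsUrl = "https://$ADFSServer/adfs/ls/"
$appUrl = "https://$AppFQDN/"

$configPath = Join-Path $SitePhysicalPath 'web.config'
[xml] $config = Get-Content $configPath
# XPath is used rather than property access so a single <add> under audienceUris is not assumed.
$audience = $config.SelectSingleNode('//audienceUris/add')
$audience.SetAttribute('value', $appUrl)
$wsfed = $config.SelectSingleNode('//federationConfiguration/wsFederation')
$wsfed.SetAttribute('issuer', $stsUrl)
$wsfed.SetAttribute('realm', $appUrl)
$config.Save($configPath)

# The federation metadata document the ADFS wizard imports must carry the same application URL.
$metaPath = Join-Path $SitePhysicalPath 'FederationMetadata\2007-06\FederationMetadata.xml'
[xml] $meta = Get-Content $metaPath
$meta.DocumentElement.SetAttribute('entityID', $appUrl)
$meta.Save($metaPath)

Write-Host "Site '$SiteName' bound to $appUrl, STS issuer $stsUrl"
```

Run it from an elevated PowerShell on the IIS server with the five parameters above. If the value written to audienceUris, the realm and the metadata entityID ever drift apart, ADFS will still issue a token but the application will reject it as being for the wrong audience, which is one of the first things to check when the test page fails to load.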
A term you should be very familiar with in ADFS is "Relying Party." But what's a relying party? Who's relying on what? The RP can be a couple of things, so simply saying "Relying Party" is vague. Relying Party can refer to:

Relying Party Application

This is the application or service that relies on the claims for authentication.

Relying Party Trust

The relying party trust is the connection between the relying party application and our ADFS infrastructure. It's what we configure in ADFS to make the whole thing work.

We've already got our relying party application configured, thanks to the script and files above. Next, we'll need to set up the relying party trust between the application and the ADFS server. To set up the trust, you'll need the following information:
Open up the ADFS Management console and right-click on "Relying Party Trusts", then "Add Relying Party Trust." Click Start in the first screen. The "Welcome" step is where we'll specify the location for the federation metadata document. Here, you should be able to enter the URL to the metadata document. If the certificate you used in the app isn't trusted by the ADFS server, and you use the "Import data about the relying party published online or on a local network" option, it will fail. So, if you used our handy script above, you can either 1) trust the self-signed SSL cert on the ADFS server or 2) use the 2nd option, "Import data about the relying party from a file."

If you had to use the 2nd option, it should look something like this:
Notice that we had to use the UNC path to the file, instead of the URL. If the federation metadata isn't published or available, this is also a valid way to configure the relying party trust.

Click Next. On the following screen, enter a descriptive name for the application, as well as any notes on why this particular relying party trust exists (process owner, app owner, related processes, etc).

Click Next. On the Choose Issuance Authorization Rules screen, make sure "Permit all users to access the relying party" is selected. If you didn't want users to have access, you could deny all by default, then go back and add "Allow" rules after. We'll cover that later.

On the Ready to Add Trust screen, review the settings and click Next. Finally, click Close. Congratulations, you've configured the relying party trust! Now let's test!
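The same relying party trust can be created from PowerShell on the ADFS server, which is handy when you rebuild the lab more than once. This is an added example, not part of the original post: it uses the ADFS module's Add-AdfsRelyingPartyTrust with the two metadata sources the wizard offers (URL first, file as the fallback the post describes), and the claim rule string is the wizard's "Permit all users to access the relying party" choice. The trust name, notes and the UNC share path to the metadata file are assumptions for the lab.

```powershell
# Added example, not from the original post. Run on the ADFS server (ADFS 2.1 on Server 2012
# ships the ADFS PowerShell module). Trust name, notes and the UNC path are lab assumptions.
Import-Module ADFS

$rpName      = 'ADFS Test App'
$metadataUrl = 'https://adfstest.corp.milt0r.com/FederationMetadata/2007-06/FederationMetadata.xml'
# Used when ADFS does not trust the app's self-signed certificate, like the wizard's file option.
$metadataUnc = '\\adfstest.corp.milt0r.com\c$\sites\adfstest\FederationMetadata\2007-06\FederationMetadata.xml'
$notes       = 'Lab test app. Process owner: PFE lab. App owner: Tom & Mark.'

# Equivalent of the wizard's "Permit all users to access the relying party" selection.
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

try {
    # Option 1: import the published metadata over HTTPS. Fails unless ADFS trusts the app's cert.
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl -Notes $notes `
        -IssuanceAuthorizationRules $permitAll -ErrorAction Stop
}
catch {
    Write-Warning "Metadata URL import failed: $($_.Exception.Message). Importing from the file instead."
    # Option 2: import from a file or UNC path, the wizard's second option.
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataUnc -Notes $notes `
        -IssuanceAuthorizationRules $permitAll -ErrorAction Stop
}

# Review what ADFS recorded: the identifier must equal the app's audience URI / realm, and the
# WS-Federation passive endpoint is where the browser will be sent back with the token.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Enabled, Identifier, WSFedEndpoint, IssuanceAuthorizationRules
```

If the import from the URL fails with a certificate error, that is the same condition the wizard hits; either trust the self-signed certificate on the ADFS server or use the file path, as the post says. Reviewing the Identifier property after creation is worth the ten seconds: a mismatch between it and the realm configured in the application is the usual cause of a token that ADFS issues but the application refuses.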
Caveat: If your STS is in a domain that is NOT the same domain as your machine (for example, the STS URL in this post is sts.milt0r.com, but the client workstation is in corp.milt0r.com), you'll need to add sts.milt0r.com to your Local Intranet zone in IE to permit Windows Authentication. To do that, in IE go to Internet Options > Security tab > Local Intranet > click the Sites button > Advanced. There, add your STS URL (i.e., https://sts.milt0r.com) to the list. Click OK.
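As an added example (not from the original post), the same Local Intranet zone entry can be set from PowerShell on the client, which is easier to repeat across lab machines than clicking through Internet Options. It writes the per-user ZoneMap registry key that IE reads, and then runs two checks a practitioner wants before testing: that the STS name resolves, and that an SPN for http/sts.milt0r.com exists in the domain, since that is the service ticket the browser will request. The zone number (1 = Local Intranet) and the key layout are the documented IE ZoneMap conventions; the host name is the lab's.

```powershell
# Added example, not from the original post. Run on the domain-joined client as the test user.
# Writes the same entry as IE > Internet Options > Security > Local Intranet > Sites > Advanced.
function Add-IntranetZoneHost {
    param([Parameter(Mandatory)] [string] $Hostname)   # e.g. sts.milt0r.com

    # ZoneMap stores hosts as Domains\<domain>\<label> with one DWORD per scheme; 1 = Local Intranet.
    $parts  = $Hostname.Split('.')
    $label  = $parts[0]
    $domain = ($parts | Select-Object -Skip 1) -join '.'
    $key    = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$label"

    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object https
}

Add-IntranetZoneHost -Hostname 'sts.milt0r.com'

# The STS name must resolve, and an SPN must exist for it, or IE falls back to a credential
# prompt (NTLM) instead of the silent Kerberos logon the post expects.
Resolve-DnsName -Name 'sts.milt0r.com' -Type A
setspn -Q http/sts.milt0r.com
```

If setspn reports that no such SPN exists, Kerberos cannot be used for the STS and the 401 from ADFS will be answered with NTLM or a prompt; the fix belongs on the ADFS service account, as covered in the previous article's setup, not on the client.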
On your client machine, navigate to your application URL. You should see something like this:
You might end up with a certificate error if you didn't trust the certificate. But, if you see this screen, you've successfully configured web single sign-on between your application and ADFS. The box that says "Issued Identity" is where you'll see any configured claims. We'll cover that more in the next post in this series.

Now, let's take a look at what the authentication flow looks like in Message Analyzer.

First, we ran klist purge on the client machine, and opened an InPrivate browser session, just to make sure we didn't use any old cookies. Using Message Analyzer's web proxy and NDIS providers, we're able to view the unencrypted traffic as captured on the client. Navigating to the application URL, the conversation looks like the image below.
1) The browser connects to the web application. Since we're using passive claims, the web app provides a 302 redirect to the browser, pointing it to the ADFS service (Frame 114).

If we dig into the frame details, we can pull out the entire redirect URL:

2) In the next frames, we can see the browser connect to the ADFS service and receive a 401 challenge.

3) Having purged our Kerberos tickets, we see the full AS/TGS exchange. In 262-275, we see the authentication service requests and replies. In 284 and 288, we see the ticket granting service request for our STS, http/sts.milt0r.com. We've authenticated and received a Kerberos ticket.
4) We present the service ticket to the STS and are authorized. The ADFS service processes our request and, assuming the relying party trust is in place, knows whether or not to issue any claims and what those claims should be. The security token is packaged up and returned in the HTTP reply.

5) Finally, the browser provides the SAML token to the relying party application. Based on the contents of the token, the user may or may not be authorized. In our test app, we get a reply back from the server that contains all of the claims in our token.
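The five steps above can be walked one HTTP hop at a time from the client without Message Analyzer, which is useful for confirming what the capture shows or for troubleshooting a lab where the browser only shows an error page. The script below is an added example, not part of the original post: it purges tickets as the authors did, then issues single, non-redirecting requests so the 302 to the STS (step 1), the 401 Negotiate challenge (step 2), the service ticket (step 3) and the reply carrying the token in a wresult form field (step 4) are each visible. The application and STS URLs are the lab's; the WS-Federation parameter names (wa, wtrealm, wctx) are the protocol's. Because the lab certificates are self-signed, certificate validation is switched off for this session only.

```powershell
# Added example, not from the original post. Run on the domain-joined client after the
# relying party trust exists. URLs are the lab's; wa/wtrealm/wctx are WS-Federation's names.
Add-Type -AssemblyName System.Web

# Lab only: the test app and STS use self-signed certificates. Remove this for anything real.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

# Same starting point as the post: no cached Kerberos tickets.
klist purge | Out-Null

function Invoke-OneHop {
    # One request with redirects disabled, so each reply (302, 401, 200) is observed as-is.
    param([Parameter(Mandatory)] [string] $Url, [switch] $WithCredentials)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.UseDefaultCredentials = [bool] $WithCredentials   # lets Kerberos answer a 401
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }            # DNS/TLS failure, not an HTTP status
        $resp = $_.Exception.Response                        # 401 arrives as an exception
    }
    $body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
    [pscustomobject]@{
        Status   = [int] $resp.StatusCode
        Location = $resp.Headers['Location']
        WwwAuth  = $resp.Headers['WWW-Authenticate']
        HasToken = ($body -match 'name="wresult"')           # ADFS returns the token in a form post
    }
}

# Step 1: the app answers an unauthenticated request with a 302 to the STS passive endpoint.
$hop1 = Invoke-OneHop 'https://adfstest.corp.milt0r.com/'
"Step 1: HTTP $($hop1.Status) -> $($hop1.Location)"
$query = [System.Web.HttpUtility]::ParseQueryString(([uri] $hop1.Location).Query)
"        wa=$($query['wa'])  wtrealm=$($query['wtrealm'])  wctx=$($query['wctx'])"

# Step 2: the STS challenges an anonymous request with 401 / WWW-Authenticate: Negotiate.
$hop2 = Invoke-OneHop $hop1.Location
"Step 2: HTTP $($hop2.Status) WWW-Authenticate: $($hop2.WwwAuth)"

# Steps 3 and 4: answering the challenge obtains the http/sts.milt0r.com service ticket and
# the STS returns 200 with the signed token embedded in the wresult form field.
$hop3 = Invoke-OneHop $hop1.Location -WithCredentials
"Step 4: HTTP $($hop3.Status), token in reply: $($hop3.HasToken)"
"Step 3 evidence from the ticket cache:"
klist | Select-String 'http/sts.milt0r.com'
```

Reading the output against the capture: wtrealm must equal the Identifier ADFS holds for the relying party trust, and wctx is opaque state the STS echoes back so the application can resume the original request. If step 2 shows WWW-Authenticate: NTLM only, or step 3 shows no http/sts.milt0r.com ticket, the STS is not being reached with Kerberos, which is the Local Intranet zone or SPN problem from the caveat above rather than a relying party trust problem.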
Wrap Up

We hope this post takes you one step further in the process of getting your ADFS lab built and configured. At this point in the series, you've built an ADFS server, installed a test application on the IIS server, and configured a relying party trust between the test application and the ADFS service. In the next few posts in the series we'll cover federating between two organizations, claim rules, and more. Stay tuned!

A huge thanks to Dave Gregory for providing the much-nicer-than-we-built Claims Web application and some invaluable feedback.

Tom Moser & Mark Morowczynski
@milt0r / @markmorow