SharePoint 2013 and ADFS
Download as PPTX, PDF1 like1,507 views
Active Directory Federation Services (AD FS) allows single sign-on access across organizational boundaries using claims-based authentication. AD FS maintains application security by implementing a claims-based authorization model where claims describe user identity attributes. Claims are held in authentication tokens that can be validated. With claims-based authentication, an external system authenticates a user and redirects them back to the application with claims about the user, allowing access if validated. Configuring AD FS in SharePoint 2013 requires setting up DNS, service accounts, certificates, and installing/configuring AD FS. AD FS version 3 improvements include reduced dependency on IIS, remote management, SQL replication, and a new Web Application Proxy for reverse proxy and AD FS proxy functionality.
SharePoint 2013 and ADFS
- 1. SharePoint 2013 and ADFS MAXIM ZHVIRBLYA EPAM SYSTEMS © 2014
- 2. Active Directory Federation Services Active Directory Federation Services (AD FS) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims- based access control authorization model to maintain application security and implement federated identity.
- 3. Active Directory Federation Services
- 4. What is Claim? Claim is piece of information that describes given identity on some aspect. Take claim as name- value pair. Claims are held in authentication token that may have also signature so you can be sure that token is not tampered on its way from remote machine to your system.
- 5. Claims-based authentication Claims-based authentication is more general authentication mechanism that allows users to authenticate on external systems that provide asking system with claims about user.
- 6. Claims-based authentication 1.User makes request to some application. 2.System redirects user to authentication page of external system (it may also happen after system lets user to select external system where he or she wants to log in). 3.After successful authentication external system redirects user back with some information. 4.Application makes request to external system to validate user. 5.If user is valid then user gets access to application.
- 7. SharePoint 2013 ADFS Prerequisites 1) Create DNS Entry 2) Create a Service Account 3) Create ADFS Certificate Template 4) Request Certificates
- 9. Create a Service Account
- 10. Create ADFS Certificate Template
- 11. Create ADFS Certificate Template
- 13. Request Certificates Certificates: 1. Service Communications 2. Token Decrypting 3. Token Signing
- 14. Installing AD FS v2 ◦ download the ADFS 2.0 installation
- 15. Installing AD FS v2 ◦ Right click “AdfsSetup.exe” and “Run as administrator” ◦ Click “Next >” on the “Welcome to the AD FS 2.0 Setup Wizard” screen ◦ Accept the terms of the license and click “Next >” ◦ On the “Server Role” screen select the “Federation server” radio button and click “Next >” to continue ◦ Click “Next >” on the “Install Prerequisite Software” screen ◦ Leave the “Start the AD FS 2.0 Management snap-in when this wizard closes.” checkbox selected and click “Finish” to launch the post installation “AD FS 2.0 Federation Server Configuration Wizard”
- 16. Initial Configuration Click the “AD FS 2.0 Federation Server Configuration Wizard” link Select the “Create a new Federation Service” radio button and click “Next >”
- 17. Initial Configuration Select the SSL certification that was previously created. For Service Communications Specify the ADFS service account and password that was created during the prerequisite phase
- 18. Some Demo =)
- 19. AD FS V3? Differences: AD FS is no longer dependent on IIS. This offers enhanced performance and reduces the foot print of services, especially when AD FS is installed on Active Directory domain controllers. Remote installation and configuration through Server Manager. UI support for installing AD FS with SQL Server Group Managed Service Account support. This enables AD FS to be run with service accounts without managing expiring service account passwords. SQL Server merge replication support when deploying AD FS across globally dispersed datacenters. Note that in Windows Server® 2012 R2, the ‘stand-alone’ mode for AD FS setup has been removed. Web Application proxy
- 20. Web Application proxy Web Application Proxy – a new Remote Access role service in Windows Server® 2012 R2 - to provide reverse proxy functionality for corporate web applications and services. Web Application Proxy also functions as an AD FS proxy.