AD FS: installation and configuration of an SSO and directory federation portal


Windows Server 2019

Introduction

In this article, I walk through the AD FS and Web Application Proxy (WAP) roles. As part of my preparation for the 70-742 certification, I set up a lab infrastructure to mock them up.

What is it?

AD FS, together with the proxy that accompanies it, provides several things:

  • An SSO system (for compatible applications) that allows single sign-on
  • Security, by handling authentication in front of the application
  • Cross-domain trust through AD FS proxy communication (distinct from a domain trust within Active Directory)

Prerequisites

The machines used for this tutorial:

  • LAB-AD1: AD / DHCP / DNS / IIS
  • LAB-ADFS: AD FS
  • LAB-ADFS-PROXY: WAP proxy (normally placed in a DMZ)
  • A client
  • Generate a certificate for the HTTPS binding of the AD FS service (fs.lab.intra) and install it in the personal store of the AD FS server.
  • Generate a certificate for the HTTPS binding of the test site (*.lab.intra) and install it in the personal store of the IIS server.

To avoid an SSL error, install the certificate as a trusted root certification authority on the servers.

I used the AD1 server to host a test web page. On the client, the federation URL must resolve to the proxy for the flow to work.

To generate the certificates, I used itisscg. I am providing it here because the publisher’s website is no longer available.
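As an added example (not from the original article, which used itisscg), the same two certificates can be produced with PowerShell's New-SelfSignedCertificate and installed exactly as the prerequisites describe: personal store on the server that terminates TLS, trusted root everywhere else, then a DNS check from the client. The output folder C:\LabCerts and the two-year validity are assumptions.

```powershell
# Added example: prepare the lab certificates with New-SelfSignedCertificate
# and install them as the prerequisites describe. Assumptions (not from the
# article): runs elevated, and C:\LabCerts is a writable scratch folder.
$ErrorActionPreference = 'Stop'
$out = 'C:\LabCerts'
New-Item -ItemType Directory -Path $out -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString 'PFX export password'

# The two certificates the lab needs: the AD FS federation service name and
# the wildcard used by the IIS test site. Both land in LocalMachine\My (Personal).
$requests = @(
    @{ Name = 'adfs'; DnsName = @('fs.lab.intra') },
    @{ Name = 'iis';  DnsName = @('*.lab.intra', 'lab.intra') }
)

foreach ($req in $requests) {
    $cert = New-SelfSignedCertificate `
        -DnsName $req.DnsName `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyExportPolicy Exportable `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears(2)

    # PFX (private key included) goes to the server that serves HTTPS;
    # CER (public part only) is what the other machines trust as a root.
    $pfx = Join-Path $out "$($req.Name).pfx"
    $cer = Join-Path $out "$($req.Name).cer"
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPassword | Out-Null
    Export-Certificate    -Cert $cert -FilePath $cer | Out-Null
    "{0}: thumbprint {1} -> {2}, {3}" -f $req.Name, $cert.Thumbprint, $pfx, $cer
}

# On each server (and the client), trust the public part so TLS validation passes.
Get-ChildItem -Path $out -Filter '*.cer' | ForEach-Object {
    Import-Certificate -FilePath $_.FullName -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# Sanity check on the AD FS certificate: AD FS needs the private key in the
# personal store and the federation name in the certificate.
$adfs = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.DnsNameList.Unicode -contains 'fs.lab.intra' }
if (-not $adfs -or -not $adfs.HasPrivateKey) {
    throw 'fs.lab.intra certificate with private key not found in LocalMachine\My'
}

# From the client, the federation name must resolve to the WAP proxy address,
# not to the internal AD FS server.
Resolve-DnsName -Name 'fs.lab.intra' -Type A | Select-Object Name, IPAddress
```

Run the PFX import only on LAB-ADFS (adfs.pfx) and LAB-AD1 (iis.pfx); the CER import and the DNS check are what the client and the other servers need.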
