In ad fs, what are the account partner and resource partner with respect to the trust relationship?
This topic describes how a multi-tenant SaaS application can support authentication via AD FS, in order to federate with a customer's AD FS. Azure Active Directory (Azure AD) makes it easy to sign in users from Azure AD tenants, including Office365 and Dynamics CRM Online customers. But what about customers who use on-premise Active Directory on a corporate intranet? One option is for these customers to sync their on-premise AD with Azure AD, using Azure AD Connect. However, some customers may be unable to use this approach, due to corporate IT policy or other reasons. In that case, another option is to federate through Active Directory Federation Services (AD FS).

To enable this scenario, the SaaS provider and the customer set up a trust relationship with three main roles: the account partner (the customer's AD FS, which holds the user accounts), the resource partner (the SaaS provider's AD FS), and the relying party, or RP (the application).
For an example of using WS-Federation with ASP.NET 4, see https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation

Authentication flow
Limitations

At the time of this writing, the application gets a limited set of claims in the OpenID id_token. AD FS 4.0 is still in preview, so this list might change. But if your app requires additional claims, that's currently not possible, which is important to note before you proceed. Currently, the following claims are sent in the id_token:
In particular, note that the "iss" claim does not specify the customer's AD FS. To know the customer's domain, you will need to look at the UPN. The rest of this topic describes how to set up the trust relationship between the RP (the app) and the account partner (the customer).

AD FS deployment

The SaaS provider can deploy AD FS either on-premise or on Azure VMs. For security and availability, the following guidelines are important:
To set up a similar topology in Azure requires the use of virtual networks, NSGs, Azure VMs, and availability sets. For more details, see Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines (MSDN).

Configure the application to use OpenID Connect authentication with AD FS

The SaaS provider must enable OpenID Connect between the application and AD FS. To do so, add an application group in AD FS. You can find detailed instructions in this blog post, under "Setting up a Web App for OpenId Connect sign in AD FS." Then configure the OpenID Connect middleware. The metadata endpoint is https://domain/adfs/.well-known/openid-configuration, where domain is the SaaS provider's AD FS domain. Typically you might combine this with other OpenID Connect endpoints (such as AAD). You'll need two different sign-in buttons or some other way to distinguish them, so that the user is sent to the correct authentication endpoint.

Configure the AD FS Resource Partner

The SaaS provider must do the following for each customer that wants to connect via AD FS: add a claims provider trust, edit the claims rules, and enable home-realm discovery.
Here are the steps in more detail.

Add the claims provider trust
Edit claims rules
Enable home-realm discovery

Run the following PowerShell script:

Set-ADFSClaimsProviderTrust -TargetName "name" -OrganizationalAccountSuffix @("suffix")

where "name" is the friendly name of the claims provider trust, and "suffix" is the UPN suffix for the customer's AD (for example, "corp.fabrikam.com"). With this configuration, end users can type in their organizational account, and AD FS automatically selects the corresponding claims provider. See Customizing the AD FS Sign-in Pages, under the section "Configure Identity Provider to use certain email suffixes".

Configuring the AD FS Account Partner

The customer must do the following:
Add the RP trust
Add claims rules
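The home-realm discovery step on the resource partner side routes sign-ins by UPN suffix, so a suffix attached to the wrong claims provider trust would send one customer's users to another customer's AD FS. The following PowerShell is an added example, not code from the original article or from Microsoft: it wraps the Set-ADFSClaimsProviderTrust call from the text with a pre-check that no other claims provider trust already owns the suffix, preserves suffixes the trust already has, and reads the result back. It assumes it runs on the SaaS provider's AD FS server with the ADFS module loaded, that the named trust already exists (created in the "Add the claims provider trust" step), that the trust object exposes its current list as an OrganizationalAccountSuffix property, and that the -OrganizationalAccountSuffix parameter replaces the whole list; the function name and the trust name "Fabrikam AD FS" are constructed for the example.

```powershell
# Added example (not from the original article): register a customer's UPN suffix for
# home-realm discovery on the resource partner's AD FS, refusing a suffix that another
# claims provider trust already owns. Assumes the ADFS module and an existing trust.

function Register-CustomerSuffix {
    param(
        [Parameter(Mandatory)][string]$TrustName,   # friendly name of the claims provider trust
        [Parameter(Mandatory)][string]$Suffix       # customer's UPN suffix, e.g. corp.fabrikam.com
    )
    $suffix = $Suffix.Trim().ToLowerInvariant()
    if ($suffix -notmatch '^[a-z0-9.-]+$') { throw "'$Suffix' is not a valid UPN suffix." }

    # A suffix already routed to a different trust would send this customer's users to
    # another account partner for sign-in, so refuse it instead of silently re-assigning.
    # (Assumption: OrganizationalAccountSuffix is the property holding the current list.)
    $owner = Get-AdfsClaimsProviderTrust |
        Where-Object { $_.Name -ne $TrustName -and $_.OrganizationalAccountSuffix -contains $suffix }
    if ($owner) {
        throw "Suffix '$suffix' is already routed to claims provider trust '$($owner.Name)'."
    }

    $trust = Get-AdfsClaimsProviderTrust -Name $TrustName
    if (-not $trust) { throw "Claims provider trust '$TrustName' not found." }

    # Keep whatever the trust already routes (assumption: the parameter sets the whole list).
    $current = @($trust.OrganizationalAccountSuffix | Where-Object { $_ })
    if ($current -contains $suffix) {
        Write-Verbose "Suffix '$suffix' is already registered on '$TrustName'."
        return $current
    }

    Set-AdfsClaimsProviderTrust -TargetName $TrustName -OrganizationalAccountSuffix ($current + $suffix)

    # Read back and confirm AD FS now routes the suffix to this trust.
    $after = Get-AdfsClaimsProviderTrust -Name $TrustName
    if ($after.OrganizationalAccountSuffix -notcontains $suffix) {
        throw "Suffix '$suffix' was not applied to '$TrustName'."
    }
    return $after.OrganizationalAccountSuffix
}

# Constructed usage: the trust name is whatever friendly name was given when the
# claims provider trust for this customer was added.
Register-CustomerSuffix -TrustName 'Fabrikam AD FS' -Suffix 'corp.fabrikam.com' -Verbose
```

Running the function a second time for the same customer is a no-op, and running it with a suffix that already belongs to another customer's trust fails before any change is made, which is the behaviour you want in a provisioning script that onboards many tenants.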
What is account partner organization?

The account partner organization contains the users that will access Web-based applications in the resource partner. Administrators in this organization must use the AD FS Management snap-in to create relying party trusts to represent their trust relationships with resource partner organizations.
Which relationship allows federated services to access resources?

A federation partner that is represented by a relying party trust in the Federation Service. The resource partner issues claims-based security tokens for the published Web-based applications that users in the account partner can access.
What is an AD FS relying party trust?

In AD FS you configure a relying party trust to tell AD FS where it can expect claims to come from. It will trust the relying party so that, when a user is authenticated, they can be redirected back to that application (you don't want to give a user a token to present to an application you do not trust).
What is the function of the federation service role service?

Active Directory Federation Services is a feature and web service in the Windows Server operating system that allows sharing of identity information outside a company's network. It authenticates users with their usernames and passwords.
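The definitions above and the Limitations section fit together in one practical consequence for the application: the id_token it receives is issued by the resource partner (the SaaS provider's AD FS, which is what "iss" names), while the account partner that actually authenticated the user is visible only through the UPN suffix. The following PowerShell is an added example, not code from the original article, from Microsoft, or from the linked sample: it decodes an id_token payload the way an operator would when checking what a federated sign-in returns, confirms "iss" is the provider's own AD FS, resolves the customer from the UPN suffix, and rejects a suffix that no customer has registered rather than mapping it to a default tenant. The customer table, the sample token (header and payload only, with a placeholder signature segment) and the function names are constructed for the example; signature validation is left to the OpenID Connect middleware, so this script must not be used as a substitute for it.

```powershell
# Added example (not from the original article): resolve which customer (account partner)
# a federated user belongs to from the UPN claim, since "iss" only names the provider's AD FS.
# The sample token below is constructed and unsigned; real validation happens in the
# OpenID Connect middleware before any of this logic should run.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the URL-safe alphabet and drop padding; restore both.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-CustomerFromIdToken {
    param(
        [Parameter(Mandatory)][string]$IdToken,
        [Parameter(Mandatory)][string]$ExpectedIssuer,        # the SaaS provider's AD FS
        [Parameter(Mandatory)][hashtable]$CustomersBySuffix   # UPN suffix -> customer name
    )
    $parts = $IdToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected three segments).' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # "iss" identifies only the resource partner; it never tells us which customer signed in.
    if ($claims.iss -ne $ExpectedIssuer) { throw "Unexpected issuer '$($claims.iss)'." }

    if (-not $claims.upn -or -not ($claims.upn -match '^[^@]+@([^@]+)$')) {
        throw 'Token carries no usable upn claim; the customer cannot be determined.'
    }
    $suffix = $Matches[1].ToLowerInvariant()

    # The UPN suffix is the only claim that maps the user to an account partner. A suffix
    # not registered to any customer is rejected outright, never mapped to a default tenant.
    if (-not $CustomersBySuffix.ContainsKey($suffix)) {
        throw "UPN suffix '$suffix' is not registered to any customer."
    }
    return [pscustomobject]@{
        Upn      = $claims.upn
        Suffix   = $suffix
        Customer = $CustomersBySuffix[$suffix]
    }
}

# Constructed inputs: the provider's AD FS issuer and two registered customer suffixes.
$issuer    = 'https://adfs.contoso.example/adfs'
$customers = @{ 'corp.fabrikam.com' = 'Fabrikam'; 'adatum.com' = 'Adatum' }

$toB64Url = {
    param([string]$t)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($t)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header = '{"alg":"RS256","typ":"JWT"}'

# A sign-in from a registered customer resolves to that customer.
$okPayload = '{"iss":"https://adfs.contoso.example/adfs","aud":"saas-app","upn":"alice@corp.fabrikam.com"}'
$okToken   = "$(& $toB64Url $header).$(& $toB64Url $okPayload).signature-placeholder"
Get-CustomerFromIdToken -IdToken $okToken -ExpectedIssuer $issuer -CustomersBySuffix $customers

# A sign-in whose UPN suffix nobody registered is refused, even though "iss" looks right.
$badPayload = '{"iss":"https://adfs.contoso.example/adfs","aud":"saas-app","upn":"someone@unregistered.example"}'
$badToken   = "$(& $toB64Url $header).$(& $toB64Url $badPayload).signature-placeholder"
try {
    Get-CustomerFromIdToken -IdToken $badToken -ExpectedIssuer $issuer -CustomersBySuffix $customers
} catch {
    Write-Warning "Rejected: $($_.Exception.Message)"
}
```

The first call returns an object whose Customer is Fabrikam; the second writes a warning that the suffix is not registered. The point to carry into the application's authorization code is that tenant membership is derived from the UPN suffix registered during the claims-provider-trust step, not from "iss", and that an unknown suffix is an error rather than a fall-through.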