This topic describes how a multi-tenant SaaS application can support authentication via AD FS, in order to federate with a customer's AD FS. Azure Active Directory [Azure AD] makes it easy to sign in users from Azure AD tenants, including Office365 and Dynamics CRM Online customers. But what about customers who
use on-premise Active Directory on a coporate intranet? One option is for these customers to sync their on-premise AD with Azure AD, using Azure AD Connect. However, some customers may be unable to use this approach, due to corporate IT policy or other reasons. In that case, another option is to federate through Active Directory Federation Services
[AD FS]. To enable this scenario: There are three main roles in the trust relation:Federating with a customer's AD FS
Overview
Note: In this chapter, we assume the application uses OpenID connect as the authentication protocol. Another option is to use WS-Federation.
For OpenID Connect, the SaaS provider must use AD FS 4.0 running in Windows Server 2016, which is currently in Technical Preview. AD FS 3.0 does not support OpenID Connect.
ASP.NET Core does not include out-of-the-box support for WS-Federation.
For an example of using WS-Federation with ASP.NET 4, see //github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation
Authentication flow
- When the user clicks "sign in", the application redirects to an OpenID Connect endpoint on the SaaS provider's AD FS.
- The user enters his or her organizational user name [""]. AD FS uses home realm discovery to redirect to the customer's AD FS, where the user enters their credentials.
- The customer's AD FS sends user claims to the SaaS provider's AD FS, using WF-Federation [or SAML].
- Claims flow from AD FS to the app, using OpenID Connect. This requires a protocol transition from WS-Federation.
Limitations
At the time of this writing, the application gets a limited set of claims in the OpenID id_token. AD FS 4.0 is in still preview, so this list might change. But if your app requires additional claims, that's currently not possible, and important to note before you proceed.
Currently, the following claims are sent in the id_token:
aud | Audience — the application that the claims were issued for. |
authenticationinstant | Authentication instant |
c_hash | Code hash value |
exp | Expiration time |
iat | Issued at |
iss | Issuer. The value of this claim is always the resource partner's AD FS, not the customer's AD FS. [In other words, this claim will identify the SaaS provider as the issuer, rather than the customer.] |
name | User name. Example: . |
nameidentifier | Name identifier |
nonce | Session nonce |
upn | User principal name [UPN]. Example: |
In particular, note that the "iss" claim does not specify the customer's AD FS. To know the cutomer's domain, you will need to look at the UPN. The rest of this topic describes how to set up the trust relationship between the RP [the app] and the account partner [the customer].
AD FS deployment
The SaaS provider can deploy AD FS either on-premise or on Azure VMs. For security and availability, the following guidelines are important:
- Deploy at least two AD FS servers and two AD FS proxy servers to achieve the best availability of the AD FS service.
- Domain controllers and AD FS servers should never be exposed directly to the Internet and should be in a virtual network with direct access to them.
- Web application proxies [previously AD FS proxies] must be used to publish AD FS servers to the Internet.
To set up a similar topology in Azure requires the use of Virtual networks, NSG’s, azure VM’s and availability sets. For more details, see Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines [MSDN].
Configure the application to use OpenID Connect authentication with AD FS
The SaaS provider must enable OpenID Connect between the application and AD FS. To do so, add an application group in AD FS. You can find detailed instructions in this blog post, under " Setting up a Web App for OpenId Connect sign in AD FS." Then configure the OpenID Connect middleware. The metadata endpoint is //domain/adfs/.well-known/openid-configuration, where domain is the SaaS provider's AD FS domain.
Typically you might combine this with other OpenID Connect endpoints [such as AAD]. You'll need two different sign-in buttons or some other way to distinguish them, so that the user is sent to the correct authentication endpoint.
Configure the AD FS Resource Partner
The SaaS provider must do the following for each customer that wants to connect via ADFS:
- Add a claims provider trust.
- Add claims rules.
- Enable home-realm discovery.
Here are the steps in more detail.
Add the claims provider trust
- In Server Manager, click Tools, and then select AD FS Management.
- In the console tree, under AD FS, right click Claims Provider Trusts. Select Add Claims Provider Trust.
- Click Start to start the wizard.
- Select the option "Import data about the claims provider published online or on a local network". Enter the URI of the customer's federation metadata endpoint. [Example: //contoso.com/FederationMetadata/2007-06/FederationMetadata.xml.] You will need to get this from the customer.
- Complete the wizard using the default options.
Edit claims rules
- Right-click the newly added claims provider trust, and select Edit Claims Rules.
- Click Add Rule.
- Select "Pass Through of Filter an Incoming Claim" and click Next.
- Enter a name for the rule.
- Under "Incoming claim type", select UPN.
- Select "Pass through
all claim values".
- Click Finish.
- Repeat steps 2 - 7, and specify Anchor Claim Type for the incoming claim type.
- Click OK to complete the wizard.
Enable home-realm discovery
Run the following PowerShell script:
Set-ADFSClaimsProviderTrust -TargetName "name" -OrganizationalAccountSuffix @["suffix"]
where "name" is the friendly name of the claims provider trust, and "suffix" is the UPN suffix for the customer's AD [example, "corp.fabrikam.com"].
With this configuration, end users can type in their organizational account, and AD FS automatically selects the corresponding claims provider. See Customizing the AD FS Sign-in Pages, under the section "Configure Identity Provider to use certain email suffixes".
Configuring the AD FS Account Partner
The customer must do the following:
- Add a relying party [RP] trust.
- Adds claims rules.
Add the RP trust
- In Server Manager, click Tools, and then select AD FS Management.
- In the console tree, under AD FS, right click Relying Party Trusts. Select Add Relying Party Trust.
- Select Claims Aware and click Start.
- On the Select Data Source page, select the option "Import data about the claims provider published online or on a local network". Enter the URI of the SaaS provider's federation metadata endpoint.
- On the Specify Display Name page, enter any name.
- On the Choose Access Control Policy
page, choose a policy. You could permit everyone in the organization, or choose a specific security group.
- Click Next to complete the wizard.
Add claims rules
- Right-click the newly added relying party trust, and select Edit Claim Issuance Policy.
- Click Add Rule.
- Select "Send LDAP Attributes as Claims" and click Next.
- Enter a name for the rule, such as "UPN".
- Under Attribute store, select Active Directory.
- In the Mapping of LDAP attributes section:
- Under LDAP Attribute, select User-Principal-Name.
- Under Outgoing Claim Type, select UPN.
Click Finish.
Click Add Rule again.
Select "Send Claims Using a Custom Rule" and click Next.
Enter a name for the rule, such as "Anchor Claim".
Under Custom rule, enter the following:
EXISTS[[Type == "//schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype"]]=> issue [Type = "//schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype", Value = "//schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"];
This rule maps the UPN claim to the Anchor claim.
Click Finish.
Click OK to complete the wizard.