Departmental Application Migration to Azure - Part 2 – ADFS InstallationSolution ·
This is part of a series of blogs. See the preceding blog entries:
Let’s start with ADFS.
First of all, why using ADFS on this project? In short but mystical terms: to extend the corporate identity to the cloud. In layman terms, to allow Windows Azure to authenticate a corporate user without passing through the corporate firewall. To illustrate this, let’s look at the architecture without ADFS:
Basically, the user, sitting behind the corporate firewall, contacts the application deployed in the cloud. But since there is no relationship between our Corporate Active Directory and Windows Azure, the application is unable to authenticate the user.
Enters Active Directory Federation Services 2.0. ADFS is a service in front of your Active Directory. It uses AD to authenticate you and packages a SAML token for the application (called a relying party in the context of claims based security) to use. The relationship between ADFS and the application is a trust relationship: there are no network connections between the application and ADFS. Basically, your application is configured to accept SAML tokens from your ADFS.
The typical flow for authentication is the following:
- User connect to the web application
- The web application checks for an authentication cookie, doesn’t find one. It forwards the user to an ADFS login page.
- The user automatically authenticates (being on its corporate network).
- ADFS posts the SAML token back to the application
- The application creates a cookie
- The user has access to the application
Actually, ADFS version 2.0 enables much more than that. It moves away from Active Directory role based access control (RBAC) to claims based. I encourage you to read the excellent Guide to Claims-Based Identity and Access Control book available on Microsoft downloads to learn more about the exciting world of Claims based security.
You can download ADFS version 2.0 here. Straightforward to install. You need to reboot after the install and then configure the service on your machine, using the ADFS add-on on your Administrative tools.
Here I’ll show you how I configured it on my virtual machine. I was doing a demo-type of installation, so I didn’t worry about scalability or robustness. My installation was equivalent to installing SharePoint entirely on one server using SQL Express.
On the first screen, I chose to create a new Federation Service (since there was none yet).
On the second screen, I chose the stand-alone federation server installation.
On the next screen, I have to pick a certificate I just created in order to continue. To learn how to create a self-signed certificate, read this.
On the next screen, nothing needs to be done. It’s the last step before the actual configuration is implemented.
The next screen shows the progress of the configuration going on.
With this ADFS is installed on your machine. On the next blog entry, I’ll configure ADFS to work with my application (relying party).