2.4 Complete ADFS server configuration
We now need to complete the configuration of
the ADFS servers and assign permissions. In this section, we will
configure a trust policy for each ADFS server, set up group claims to
provide access to the application, and configure connectivity to each
AD forest from the respective ADFS server. During the configuration, we
will refer to the internal ADFS server as the account federation server
because users on this side of the federated trust will be accessing
resources in the extranet. We will refer to the extranet federation
server as the resource federation server because users will access the
Web application on this side of the federated trust.
We first need to configure the account
federation server (dc1.syngress.com). This involves configuring the
trust policy, exporting the trust policy so it can later be imported on
the resource federation server, and connecting the ADFS server to the
internal AD forest by creating an account store. To configure the
account federation server, perform the following tasks:
- Log on to the account federation server (dc1.syngress.com) and open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service.
- Right-click the Trust Policy node and select Properties.
- We now need to create the federation URI that will be used to uniquely identify this service. In the Federation Service URI text box, type urn:federation:syngress (see Figure 15). Note that the URI is case sensitive.
- The federation service endpoint URL should already be prepopulated with a URL that points to the ADFS server. If this correctly points to the ADFS server, accept the default URL and then click the Display Name tab.
- Enter a meaningful name to identify this trust policy, for example, Account Domain (Syngress.com), then click OK.
You now need to export the trust policy
so that it can later be imported on the resource federation server. To
export the trust policy from the account ADFS server, perform the
following tasks:
- Open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service.
- Right-click the Trust Policy node and select the option Export Basic Partner Policy.
- In the Export Basic Partner Policy dialog box, browse to the path and enter a file name for the policy to be exported, for example, C:\dc1.syngress.com_trustpolicy.xml, then click OK.
- Copy the trust policy file to the resource federation server.
You now need to create a group claim on
the account federation server. This group claim will be used to provide
access to the claims application via the resource federation server. To
create the group claim, perform the following tasks on the account ADFS
server (dc1.syngress.com):
- Open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization.
- Right-click the Organization Claims node and select New | Organization Claim.
- Enter a name for the claim, for example, Syngress Claim, then click OK.
We now need to connect the account ADFS
server (dc1.syngress.com) with the internal AD domain. This is done by
creating an Account Store on the ADFS server. To create an account
store, perform the following tasks on dc1.syngress.com:
- Open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization.
- Right-click the Account Store node and choose New | Account Store. This will launch the Add Account Store Wizard.
- Click Next to begin.
- Choose the option Active Directory Domain Services and click Next.
- Ensure that the option Enable this account store is selected and click Next.
- Click Finish to create the account store.
We now need to map an AD global group to
the group claim that we previously created. This group is how you will
provide users access to the application in the extranet. Any user added
to the group mapped to the group claim will be given SSO access to the
extranet Web application. To create the group-to-group claim mapping,
perform the following tasks on the account federation server
(dc1.syngress.com):
- Open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization | Account Stores.
- Right-click Active Directory and select New | Group Claim Extraction.
- Click Add to add an AD global group, then select the claim to map the group to (see Figure 16), for example, the Syngress Claim set up previously. Then click OK.
We have now successfully set up the
account ADFS server and next need to configure the resource ADFS server
(dc2.extranet.syngress.net). To configure the resource federation
server, perform the following tasks:
- Log on to the server dc2.extranet.syngress.net.
- Open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service.
- Right-click the Trust Policy node and select Properties.
- On the General tab, enter a federation service URI in the text box, for example, urn:federation:resource. Remember that the URI is case sensitive.
- Verify that the Federation service endpoint URL points to the ADFS server (https://dc2.extranet.syngress.net/adfs/ls) as seen in Figure 17. Then click the Display Name tab.
- Enter a meaningful name for the trust policy, for example, Resource Domain Policy (Syngress Extranet), then click OK.
This will configure the resource trust
policy. You should now export this policy using the same steps you used
to export the policy for the account federation server. After exporting
the policy, copy it to the account federation server (dc1.syngress.com).
We now need to create a group claim for the resource side. To create the group claim, perform the following tasks:
- Open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization.
- Right-click the Organization Claims node and select New | Organization Claim.
- Enter a meaningful name for the claim, for example, Extranet Claim, then click OK.
After creating the group claim, we need
to add the AD account store. Follow the same steps as you did for the
account federation server to add the extranet domain account store.
After adding the account store, you will need to add the claims-aware
Web application to the extranet ADFS server. To do this, perform the
following tasks:
- Open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization.
- Right-click Applications and select New | Application. This will launch the Add Application Wizard. Click Next to begin.
- Select the option Claims-aware application and then click Next.
- Enter a descriptive name and the secure URL for the Web application (see Figure 18), then click Next.
- Select the type of identity claim that you want to use with the application. In most cases, you will want to use the User Principal Name (UPN) option. Select the UPN option and then click Next.
- Ensure that Enable this application is selected, then click Next.
- Click Finish to complete the Add Application Wizard.
- You now need to enable the claim for the application. Select the newly created application (Extranet Application) under the Applications node.
- Right-click the Extranet Claim and choose Enable (see Figure 19).
We are now ready to import the trust
policy from one ADFS server to the other. You should have already
exported each trust policy and copied it to the other server. On the
account ADFS server, we will be importing the trust policy for a new
resource partner and on the resource ADFS server, we will be importing
the trust policy for a new account partner. To import the trust policy
on the account ADFS server (dc1.syngress.com), perform the following
tasks:
- Open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | Partner Organizations.
- Right-click the Resource Partners node and select New | Resource Partner. This will launch the Add Resource Partner Wizard. Click Next to begin.
- Select Yes to indicate that you have a Resource Partner Policy file.
- Browse to the policy file that you copied from the resource ADFS server (see Figure 20), then click Next.
- Verify the resource partner details and click Next.
- Choose the option Federated Web SSO. If an AD trust relationship had been set up between the two forests, you would choose the option Federated Web SSO with Forest Trust. Since there is no pre-established trust relationship, choose the Federated Web SSO option, then click Next.
- Verify that the UPN Claim and Email Claim options are selected and then click Next.
- Select the option to replace all UPN suffixes with the following, then enter the internal domain name, syngress.com. Then click Next.
- Select the option to replace all email suffixes with the following, then enter the internal domain name, syngress.com. Then click Next.
- Verify that the option Enable this resource partner is selected and then click Next.
- Click Finish to complete the import of the trust policy.
You now need to add the trust policy for
the account ADFS server to the resource ADFS server
(dc2.extranet.syngress.net). To import the policy, log on to the server
dc2.extranet.syngress.net and perform the following tasks:
- Open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | Partner Organizations.
- Right-click the Account Partners node and select New | Account Partner. This will launch the Add Account Partner Wizard. Click Next to begin.
- Select Yes to indicate that you have an Account Partner Policy File.
- Browse to the trust policy file that was exported from the account partner (see Figure 21), then click Next.
- Verify that the partner details point to the account partner, dc1.syngress.com, then click Next.
- Ensure that the option Use the verification certificate in the policy file is selected and then click Next.
- Select the Federated Web SSO option, then click Next.
- Ensure that the options to use the UPN claim and Email claim are selected, then click Next.
- Add the domain syngress.com to the accepted UPN suffixes (see Figure 22), then click Next.
- Add the domain syngress.com to the accepted Email suffixes, then click Next.
- Ensure that the option Enable this account partner is selected, then click Next.
- Click Finish to complete the Add Account Partner Wizard.
We now simply need to link the two claim mappings, Syngress Claim and Extranet Claim. This is done by logging onto the resource ADFS server (dc2.extranet.syngress.net) and performing the following tasks:
- Open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | Partner Organizations | Account Partners.
- Right-click the new account partner you just set up and select the option New | Incoming Group Claim Mapping (see Figure 23).
- Enter the name of the group claim that was set up on the account federation server (Syngress Claim) in the Incoming Group claim name field and select Extranet Claim from the Organization Group Claim drop-down list (see Figure 24). Then click OK.
Finally, we need to map the Extranet
Claim to a global group in the extranet AD forest. You will then
configure your application to allow this group access. To map the
extranet claim to a resource group, perform the following tasks:
- Open Server Manager.
- Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization.
- Select the node Organization Claims, right-click the Extranet Claim in the middle pane, and select Properties.
- Select the Resource Group tab in the Group Claim Properties window.
- Select the option Map this claim to the following resource group and then browse to the resource group you want to add (see Figure 25). Then click OK.
You should now be able to
provide domain users in the syngress.com domain with access to the extranet
application simply by granting the global group in the
extranet.syngress.net domain (the one mapped to the Extranet Claim) access to the application.
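The claim chain configured in this section, from the group claim extraction on dc1.syngress.com, through the resource partner's suffix replacement, the account partner's accepted suffixes and incoming group claim mapping, to the resource group mapping on dc2.extranet.syngress.net, is easier to reason about as a small model. The following Python script is an added example written for this page; it is not ADFS code and not from the book. The data structures, the function names, the token shape and the group names SYNGRESS\Extranet Users and EXTRANET\Extranet App Users are assumptions; the federation URIs, claim names and suffixes are the ones used in the steps above. Each rejection branch corresponds to one wizard setting, which helps when working out why a particular user is denied access.

```python
"""Toy model of the ADFS 1.x claim flow configured in this section.
Constructed example: the structures below are assumptions, not ADFS internals."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    issuer: str            # federation service URI of the issuing server
    audience: str          # federation service URI of the partner it is for
    upn: str
    email: str
    groups: frozenset      # organization group claims carried in the token


# --- Account federation server (dc1.syngress.com) ---
ACCOUNT_FS_URI = "urn:federation:syngress"
# Group claim extraction: AD global group -> organization group claim
# (group name is an assumed example).
GROUP_CLAIM_EXTRACTION = {"SYNGRESS\\Extranet Users": "Syngress Claim"}
# Resource partner entry created by importing the resource trust policy.
RESOURCE_PARTNERS = {
    "urn:federation:resource": {
        "enabled": True,
        "replace_upn_suffix": "syngress.com",    # "replace all UPN suffixes with"
        "replace_email_suffix": "syngress.com",  # "replace all email suffixes with"
    },
}


def _replace_suffix(address, suffix):
    """Rewrite the part after the last '@' to the configured suffix."""
    return address.rpartition("@")[0] + "@" + suffix


def account_issue_token(upn, email, ad_groups, resource_uri):
    """Build the token the account partner sends to a resource partner."""
    partner = RESOURCE_PARTNERS.get(resource_uri)
    if partner is None or not partner["enabled"]:
        raise ValueError("no enabled resource partner for " + resource_uri)
    groups = frozenset(GROUP_CLAIM_EXTRACTION[g]
                       for g in ad_groups if g in GROUP_CLAIM_EXTRACTION)
    return Token(issuer=ACCOUNT_FS_URI, audience=resource_uri,
                 upn=_replace_suffix(upn, partner["replace_upn_suffix"]),
                 email=_replace_suffix(email, partner["replace_email_suffix"]),
                 groups=groups)


# --- Resource federation server (dc2.extranet.syngress.net) ---
RESOURCE_FS_URI = "urn:federation:resource"
ACCOUNT_PARTNERS = {
    "urn:federation:syngress": {   # keyed by the partner URI; case sensitive
        "enabled": True,
        "accepted_upn_suffixes": {"syngress.com"},
        "accepted_email_suffixes": {"syngress.com"},
        # Incoming group claim mapping: partner's claim -> our organization claim
        "incoming_group_claim_mapping": {"Syngress Claim": "Extranet Claim"},
    },
}
# Organization claim -> resource group (Resource Group tab; group name assumed).
RESOURCE_GROUP_MAPPING = {"Extranet Claim": "EXTRANET\\Extranet App Users"}
# Claims-aware application with the claims enabled for it.
APPLICATION = {"name": "Extranet Application", "enabled_claims": {"Extranet Claim"}}


def resource_authorize(token):
    """Return (allowed, reason, resource_groups) for a token presented to
    the resource side. Each rejection matches one wizard setting."""
    if token.audience != RESOURCE_FS_URI:
        return False, "token not issued for this federation service", set()
    partner = ACCOUNT_PARTNERS.get(token.issuer)   # exact string match
    if partner is None or not partner["enabled"]:
        return False, "unknown or disabled account partner", set()
    upn_suffix = token.upn.rpartition("@")[2]
    if upn_suffix not in partner["accepted_upn_suffixes"]:
        return False, "UPN suffix not accepted: " + upn_suffix, set()
    email_suffix = token.email.rpartition("@")[2]
    if email_suffix not in partner["accepted_email_suffixes"]:
        return False, "email suffix not accepted: " + email_suffix, set()
    mapping = partner["incoming_group_claim_mapping"]
    org_claims = {mapping[g] for g in token.groups if g in mapping}
    org_claims &= APPLICATION["enabled_claims"]      # claim must be enabled for the app
    groups = {RESOURCE_GROUP_MAPPING[c] for c in org_claims if c in RESOURCE_GROUP_MAPPING}
    if not groups:
        return False, "no enabled claim maps to a resource group", set()
    return True, "ok", groups


if __name__ == "__main__":
    # Constructed sample users: one in the mapped global group, one not.
    member = account_issue_token("alice@corp.syngress.com", "alice@corp.syngress.com",
                                 ["SYNGRESS\\Extranet Users"], "urn:federation:resource")
    print(resource_authorize(member))
    outsider = account_issue_token("bob@corp.syngress.com", "bob@corp.syngress.com",
                                   ["SYNGRESS\\Domain Users"], "urn:federation:resource")
    print(resource_authorize(outsider))
```

Running the script shows the member of the mapped group arriving at the resource side as alice@syngress.com (the suffix replacement step) and being placed in the extranet resource group, while the non-member is rejected because no enabled claim maps to a resource group. Constructing a Token by hand with a differently cased issuer, or with a UPN suffix outside the accepted list, exercises the two other checks that correspond to the case-sensitive federation URI and the accepted suffix wizard pages.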