How to: Configure AD FS 2.0 as an Identity Provider

Updated: June 19, 2015

Applies To: Azure

Applies To

  • Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS)

  • Active Directory® Federation Services 2.0

Summary

This How To describes how to configure AD FS 2.0 as an identity provider. Configuring AD FS 2.0 as an identity provider for your ASP.NET web application allows your users to authenticate to the application by logging on with their corporate account managed by Active Directory.

Contents

  • Objectives

  • Overview

  • Summary of Steps

  • Step 1 - Add AD FS 2.0 as an Identity Provider in the ACS Management Portal

  • Step 2 - Add a Certificate to ACS for Decrypting Tokens Received from AD FS 2.0 in the ACS Management Portal (Optional)

  • Step 3 - Add Your Access Control namespace as a Relying Party in AD FS 2.0

  • Step 4 - Add Claim Rules for the Access Control namespace in AD FS 2.0

Objectives

  • Configuring trust between ACS and AD FS 2.0.

  • Improving security of token and metadata exchange.

Overview

Configuring AD FS 2.0 as the identity provider enables reusing existing accounts managed by corporate Active Directory for authentication. It eliminates the need for either building complex account synchronization mechanisms or developing custom code that accepts end user credentials, validates them against the credential store, and manages the identities. Integrating ACS and AD FS 2.0 is accomplished by configuration only; no custom code is needed.

Summary of Steps

  • Step 1 - Add AD FS 2.0 as an Identity Provider in the ACS Management Portal

  • Step 2 - Add a Certificate to ACS for Decrypting Tokens Received From AD FS 2.0 in the ACS Management Portal (Optional)

  • Step 3 - Add Your Access Control namespace as a Relying Party in AD FS 2.0

  • Step 4 - Add Claim Rules for the Access Control namespace in AD FS 2.0

Step 1 - Add AD FS 2.0 as an Identity Provider in the ACS Management Portal

This step adds AD FS 2.0 as an identity provider in the ACS Management Portal.

To add AD FS 2.0 as an identity provider in the Access Control namespace

  1. In the ACS Management Portal main page, click Identity Providers.

  2. Click Add Identity Provider.

  3. Next to Microsoft Active Directory Federation Services 2.0, click Add.

  4. In the Display name field, enter a display name for this identity provider. Note that this name will appear both in the ACS Management Portal and by default on the login pages for your applications.

  5. In the WS-Federation metadata field, enter the URL to the metadata document for your AD FS 2.0 instance, or use the File option to upload a local copy of the metadata document. When using a URL, the URL path to the metadata document can be found in the Service\Endpoints section of the AD FS 2.0 Management Console. The next two steps deal with login page options for your relying party applications; they are optional and can be skipped.

  6. If you want to edit the text that is displayed for this identity provider on the login pages for your applications, enter the desired text in the Login link text field.

  7. If you want to display an image for this identity provider on the login pages for your applications, enter a URL to an image file in the Image URL field. Ideally, this image file should be hosted at a trusted site (using HTTPS, if possible, to prevent browser security warnings), and you should have permission from your partner to display this image. See help on Login Pages and Home Realm Discovery for additional guidance on login page settings.

  8. If you want to prompt users to log on using their email address instead of clicking a link, then enter the email domain suffixes that you want to associate with this identity provider in the Email domain name(s) field. For example, if the identity provider hosts user accounts whose email addresses end with @contoso.com, then enter contoso.com. Use semicolons to separate the list of suffixes (for example, contoso.com; fabrikam.com). See help on Login Pages and Home Realm Discovery for additional guidance on login page settings.

  9. In the Relying party applications field, select any existing relying party applications that you want to associate with this identity provider. This causes the identity provider to appear on the login page for that application and it enables claims to be delivered from the identity provider to the application. Note that rules still need to be added to the application's rule group that define which claims to deliver.

  10. Click Save.

Step 2 - Add a Certificate to ACS for Decrypting Tokens Received From AD FS 2.0 in the ACS Management Portal (Optional)

This step adds and configures a certificate for decrypting tokens that are received from AD FS 2.0. This is an optional step that helps in strengthening security. Specifically, it helps in protecting the token’s contents from being viewed and tampered with.

To add a certificate to the Access Control namespace for decrypting tokens received from AD FS 2.0 (optional)

  1. If you were not authenticated using Windows Live ID (Microsoft account), you will be required to do so.

  2. After being authenticated with your Windows Live ID (Microsoft account), you are redirected to the My Projects page on the Microsoft Azure portal.

  3. Click the desired project name on the My Project page.

  4. On the Project:<<your project name>> page, click the Access Control link next to the desired namespace.

  5. On the Access Control Settings: <<your namespace>> page, click the Manage Access Control link.

  6. On the ACS Management Portal main page, click Certificates and Keys.

  7. Click Add Token Decryption Certificate.

  8. In the Name field, enter a display name for the certificate.

  9. In the Certificate field, browse for the X.509 certificate with a private key (.pfx file) for this Access Control namespace, and then enter the password for the .pfx file in the Password field. If you do not have a certificate, then follow the on-screen instructions to generate one, or see help on Certificates and Keys for additional guidance on obtaining a certificate.

  10. Click Save.

Step 3 - Add Your Access Control namespace as a Relying Party in AD FS 2.0

This step configures ACS as a relying party in AD FS 2.0.

To add the Access Control namespace as a relying party in AD FS 2.0

  1. In the AD FS 2.0 Management Console, click AD FS 2.0, and then, in the Actions pane, click Add Relying Party Trust to start the Add Relying Party Trust Wizard.

  2. On the Welcome page, click Start.

  3. On the Select Data Source page, click Import data about the relying party published online or on a local network, type the name of your Access Control namespace, and then click Next.

  4. On the Specify Display Name page, enter a display name, and then click Next.

  5. On the Choose Issuance Authorization Rules page, click Permit all users to access this Relying Party, and then click Next.

  6. On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save the configuration.

  7. On the Finish page, click Close to exit the wizard. This also opens the Edit Claim Rules for WIF Sample App properties page. Leave this dialog box open, and then go to the next procedure.

Step 4 - Add Claim Rules for the Access Control namespace in AD FS 2.0

This step configures claim rules in AD FS 2.0. This way, you ensure that the desired claims are passed from AD FS 2.0 to ACS.

To add claim rules for the Access Control namespace in AD FS 2.0

  1. On the Edit Claim Rules properties page, on the Issuance Transform Rules tab, click Add Rule to start the Add Transform Claim Rule Wizard.

  2. On the Select Rule Template page, under Claim rule template, click Pass Through or Filter an Incoming Claim on the menu, and then click Next.

  3. On the Configure Rule page, in Claim rule name, type a display name for the rule.

  4. In the Incoming claim type drop-down list, select the identity claim type you want to pass through to the application, and then click Finish.

  5. Click OK to close the property page and save the changes to the relying party trust.

  6. Repeat steps 1-5 for each claim that you want to issue from AD FS 2.0 to your Access Control namespace.

  7. Click OK.
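The relying party trust from Step 3 and the pass-through claim rules from Step 4 can also be created with the AD FS 2.0 PowerShell snap-in instead of the wizards. The script below is an added example and is not part of the original page; `<namespace>`, the display name and the three claim types it passes through are assumptions you should replace with your own values.

```powershell
# Added example (not from the original page): scripts Step 3 and Step 4 with the
# AD FS 2.0 PowerShell snap-in. Assumed placeholders: <namespace> is your Access
# Control namespace; the display name and the claim types are arbitrary choices.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$namespace   = "<namespace>"   # placeholder: your Access Control namespace
$displayName = "ACS - $namespace"
# ACS publishes its relying-party metadata at this well-known path; fetch it over HTTPS only.
$metadataUrl = "https://$namespace.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml"

# Step 3: import the relying party trust from the published ACS metadata.
Add-ADFSRelyingPartyTrust -Name $displayName -MetadataUrl $metadataUrl

# "Permit all users to access this Relying Party" expressed in claim rule language.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 4: one "Pass Through or Filter an Incoming Claim" rule per claim type that
# ACS should receive. Pass through only the claims the application actually needs.
$claimTypes = @(
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
)
$transformRules = ($claimTypes | ForEach-Object {
    $short = $_.Split('/')[-1]
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through $short"
c:[Type == "$_"]
 => issue(claim = c);
"@
}) -join "`r`n"

Set-ADFSRelyingPartyTrust -TargetName $displayName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Verify: the trust exists and, if you completed Step 2, AD FS picked up the ACS
# token-decryption certificate from the metadata, so tokens it issues are encrypted.
$rp = Get-ADFSRelyingPartyTrust -Name $displayName
if (-not $rp.EncryptionCertificate) {
    Write-Warning "No encryption certificate for $displayName; issued tokens will not be encrypted (Step 2 not done or metadata not refreshed)."
}
$rp | Select-Object Name, Identifier, EncryptionCertificate
```

Run it in an elevated PowerShell session on the AD FS 2.0 server; the final warning is the check that ties Step 2's decryption certificate to the trust you just created.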