How to Configure ADFS Trust with Partner organization using ADFS 3.0

Before we begin the configuration, we need to understand a few basic concepts behind the federation trust relationship, known today as an AD FS trust.

What is Federation Trust(AD FS Trusts):

Active Directory Federation Services (AD FS) enables efficient and secure online transactions between partner organizations that are joined by federation trust relationships. The illustration below shows how the pieces fit together.


In the illustration, the Resource Partner Organization (RPO) hosts the AD FS-enabled application, which is already integrated with the RPO's own AD FS and working. The Account Partner Organization (APO) holds the user accounts that need to access that application. Most application providers support only a single identity provider, so the application cannot simply be pointed at a second one. A federation trust solves this: instead of integrating the application with a second identity provider, we create an AD FS trust between the two organizations, and the RPO's AD FS accepts tokens issued by the APO's AD FS.

As an example, Windowstechpro.Com is the resource partner organization, APP1.Windowstechpro.com is the AD FS-enabled application and ABC.Com is the account partner organization. Once the federation trust is created, a user of ABC.Com who opens APP1.Windowstechpro.com is first sent to Windowstechpro.com's AD FS server. When the user identifies as User1@ABC.Com (or picks ABC.Com on the home realm discovery page), Windowstechpro's AD FS server determines that the claims provider is ABC.Com and redirects the browser to ABC.Com's AD FS server. ABC.Com's AD FS authenticates the user against its own domain controllers and issues a signed token, which the browser posts back to Windowstechpro.com's AD FS server. That server validates the partner's signature, applies its acceptance and issuance rules, and issues its own token to APP1. At no point does the user's password leave ABC.Com.

ADFS provides authorization, authentication and Single Sign-On (SSO) functionality to web applications and services located virtually anywhere, including perimeter networks, partner organizations & cloud.

Now let's look at the benefits of AD FS trusts.

1. All traffic between the two federation services and the user's browser is over HTTPS, and every token is signed with the issuing federation service's token-signing certificate, so the resource partner can verify who issued it.

2. No direct connectivity between the two Active Directory forests is needed: no forest trust, no LDAP or Kerberos across the boundary. Only TCP port 443 to each AD FS server (or its Web Application Proxy) must be reachable by the users' browsers, and by the other AD FS server if it fetches federation metadata by URL.

3. Credentials never leave the account partner. The account partner authenticates the user and sends only signed claims, and the resource partner decides which of those claims it accepts.

What is required to configure an AD FS trust:

1. Both organizations must have AD FS servers configured and reachable from the internet (typically through a Web Application Proxy in the perimeter network).

2. TCP port 443 must be open to each AD FS server from the other organization, and each side must trust the certificate authority that issued the other's SSL certificate, since the federation metadata and the sign-in redirects are fetched over HTTPS.
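Before running either wizard it is worth checking both requirements from the server that will create the trust. The script below is an added example, not part of the original article: it tests TCP 443 to the partner, fetches the partner's federation metadata over HTTPS and prints the entityID and token-signing certificate thumbprints found in it. The hostnames are the article's; the metadata path is the standard AD FS one. Run it from abcfs.abc.com against wprofs.windowstechpro.com, then swap the names and run it the other way.

```powershell
# Added example, not from the original article: pre-flight check of the two
# requirements above. Hostnames are the article's; the metadata path is the
# standard AD FS path. Swap $PartnerFs to check the other direction.
$PartnerFs   = 'wprofs.windowstechpro.com'
$MetadataUrl = "https://$PartnerFs/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. TCP 443 must be reachable (Test-NetConnection ships with Windows Server 2012 R2).
$tcp = Test-NetConnection -ComputerName $PartnerFs -Port 443
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 443 to $PartnerFs is not reachable; the trust wizard will fail to fetch metadata"
}

# 2. The metadata must be downloadable over HTTPS. A certificate error here means
#    this server does not trust the CA that issued the partner's SSL certificate,
#    and the wizard will fail the same way. Fix the trust chain, do not disable validation.
try {
    $response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing -ErrorAction Stop
} catch {
    throw "Could not fetch $MetadataUrl : $($_.Exception.Message)"
}
[xml]$metadata = $response.Content

# 3. Read the partner's entityID and token-signing certificate(s) from the metadata.
#    The entityID becomes the trust's Identifier; the signing certificate is what this
#    AD FS will use to verify the partner's tokens, so confirm its thumbprint with the
#    partner out of band before creating the trust.
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}
$entityId     = $metadata.EntityDescriptor.entityID
$signingNodes = Select-Xml -Xml $metadata -Namespace $ns `
    -XPath "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

$seen = @{}
foreach ($node in $signingNodes) {
    $bytes = [Convert]::FromBase64String($node.Node.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }   # the same cert is listed under several roles
    $seen[$cert.Thumbprint] = $cert
}

"Partner entityID : $entityId"
foreach ($cert in $seen.Values) {
    "Token-signing cert: {0}  subject={1}  expires={2:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Signing certificate $($cert.Thumbprint) expires within 30 days; expect a rollover soon"
    }
}
```

If the metadata fetch fails with a certificate error on either side, resolve it by importing the missing CA certificate into the machine's Trusted Root store rather than by turning off certificate validation; the same validation protects the sign-in redirects later.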

Okay. Let’s get started.

Here,

Windowstechpro.com is the Resource partner Organization and ABC.Com is Accounts Partner Organization.

In our case, the AD FS servers in both domains are already set up and ready for the trust to be created. Refer to the AD FS installation article for that part.

1. Creating the Relying Party Trust in the Account Partner Organization

On the ABC domain's AD FS server, open the AD FS Management console and click Add Relying Party Trust.

You can use the federation metadata URL of the resource partner's AD FS (the standard path is https://<federation service name>/FederationMetadata/2007-06/FederationMetadata.xml, here on wprofs.windowstechpro.com) if it is reachable from outside; otherwise download the XML file and import it. Click Next.


Enter the display name and click Next.


Click Next.

Click Next on the remaining pages to finish the wizard.

We have added the relying party. Click Add Rule to customize the claims.


Select Send LDAP Attributes as Claims and click Next.

Select the claims as shown. If your application needs more claims, add them as required.

We have completed the changes required on the ABC.COM AD FS server.
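The same relying party trust, including the LDAP claim rule the wizard writes, can be created from the AD FS PowerShell module on the account partner's server. The script below is an added example, not code from the original article: the display name, rule names and the group SID are placeholders I chose, and the metadata URL is the standard AD FS path on the article's host wprofs.windowstechpro.com. It also tightens the issuance authorization rule, which the wizard leaves at "permit all users", so that only one AD group can be federated out to the partner.

```powershell
# Added example, not from the original article: the relying party trust the wizard
# above creates, as AD FS PowerShell on the account partner's server (abcfs.abc.com).
# Display name, rule names and the group SID are placeholders.
Import-Module ADFS

$RpName     = 'Windowstechpro.com (resource partner)'
$RpMetadata = 'https://wprofs.windowstechpro.com/FederationMetadata/2007-06/FederationMetadata.xml'

# Standard claim type URIs used in the rules below.
$WinAcct  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$GroupSid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$Upn      = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$Email    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$Name     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# "Send LDAP Attributes as Claims": the rule the wizard template writes, in claim
# rule language. The Issuer check means AD is only queried for users this AD FS
# authenticated itself, never for an identity passed in from elsewhere.
$issuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN, e-mail and display name to Windowstechpro"
c:[Type == "$WinAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$Upn", "$Email", "$Name"), query = ";userPrincipalName,mail,displayName;{0}", param = c.Value);
"@

# Issuance authorization. The wizard defaults to "permit all users"; tying it to one
# AD group means only that group's members can be federated out to the partner.
# The SID is a placeholder; read the real one with Get-ADGroup.
$FederationGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$authzRules = @"
@RuleName = "Permit only members of the federation group"
c:[Type == "$GroupSid", Value == "$FederationGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name $RpName -MetadataUrl $RpMetadata `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# Verify what was created. Identifier is taken from the partner's entityID, and
# AutoUpdateEnabled keeps the partner's signing certificate current at rollover.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Format-List Name, Identifier, MetadataUrl, Enabled, IssuanceAuthorizationRules
```

With the group-based authorization rule in place, a user outside the group who signs in at abcfs.abc.com authenticates successfully but receives an access denied from AD FS before any token is issued to the partner, which is the behaviour you want for accounts that are not meant to be federated.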

2. Creating Claims Provider Trusts in the Resource Partner Organization

Open AD FS Management, go to Claims Provider Trusts and click Add Claims Provider Trust.


Click Start to begin the wizard.

You can use the federation metadata URL of the account partner's AD FS (here on abcfs.abc.com) if it is reachable from outside; otherwise download the XML file and import it. Click Next.

Provide the display name and click Next through the remaining pages to finish the wizard.

Select the claims to accept as shown. On a claims provider trust these are acceptance transform rules (pass-through or filter rules on what ABC.Com sends). If your application needs more claims, add them, but only pass through claims the partner is entitled to assert.


That is it. We have created the federation trust successfully.
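The claims provider trust on the resource partner's side can likewise be scripted, and doing so makes the acceptance rules explicit. The script below is an added example, not the article's own configuration: the display name and rule names are mine, the metadata URL is the standard AD FS path on abcfs.abc.com, and the suffix-based home realm discovery setting at the end is an optional extra that the article's wizard walkthrough does not configure. Its security point is the acceptance rules: a plain "pass through all claim values" rule would let a compromised or misconfigured partner IdP assert a UPN in windowstechpro.com, so the rules anchor the UPN and e-mail to the partner's own suffix.

```powershell
# Added example, not from the original article: the claims provider trust the wizard
# above creates, as AD FS PowerShell on the resource partner's server
# (wprofs.windowstechpro.com), with acceptance rules limited to the partner's suffix.
# Display name and rule names are placeholders.
Import-Module ADFS

$CpName     = 'ABC.Com (account partner)'
$CpMetadata = 'https://abcfs.abc.com/FederationMetadata/2007-06/FederationMetadata.xml'

$Upn   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$Email = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$Name  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Acceptance transform rules. Without a matching rule an incoming claim is dropped,
# so a partner that sends upn=admin@windowstechpro.com gets nothing accepted.
# The regex is .NET syntax; (?i) makes the suffix match case-insensitive.
$acceptanceRules = @"
@RuleName = "Accept UPN only for the abc.com suffix"
c:[Type == "$Upn", Value =~ "^(?i)[^@]+@abc\.com$"]
 => issue(claim = c);

@RuleName = "Accept e-mail only for the abc.com suffix"
c:[Type == "$Email", Value =~ "^(?i)[^@]+@abc\.com$"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through display name"
c:[Type == "$Name"]
 => issue(claim = c);
"@

Add-AdfsClaimsProviderTrust -Name $CpName -MetadataUrl $CpMetadata `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -AcceptanceTransformRules $acceptanceRules

# Optional: home realm discovery by suffix (AD FS on Windows Server 2012 R2 and later).
# A user who types user1@abc.com is sent straight to abcfs.abc.com instead of having
# to pick ABC from the claims provider list.
Set-AdfsClaimsProviderTrust -TargetName $CpName -OrganizationalAccountSuffix @('abc.com')

# Verify the trust, its Identifier (the partner's entityID) and the rules in force.
Get-AdfsClaimsProviderTrust -Name $CpName |
    Format-List Name, Identifier, MetadataUrl, OrganizationalAccountSuffix, AcceptanceTransformRules
```

The relying party trust for APP1 on this server still needs its own issuance rules for claims arriving from ABC.Com; acceptance rules only decide what enters the pipeline, not what APP1 eventually receives.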

Okay. Let's test whether the federation works as required.

Open the Windowstechpro domain's AD FS IdP-initiated sign-on page:

https://wprofs.windowstechpro.com/adfs/ls/idpinitiatedsignon.aspx

Click Sign in.

Note: watch carefully now. You are on the Windowstechpro AD FS page and clicking Sign in.

You can see that two account providers are available, since we have added abc.com; by default there is only one. Select abcfs.abc.com and click Next.


Notice that it is prompting for abcfs.abc.com while the page still shows wprofs.windowstechpro.com.


As soon as the credentials are submitted, the page is redirected to abcfs.abc.com and the credentials are validated by the ABC.Com domain controllers.

After successful validation, the token from abcfs.abc.com is handed over to wprofs.windowstechpro.com and access is granted.

That is it! All done. As you can see, it is simple and easy to set up.

Author Bio

Radhakrishnan Govindan

2 thoughts on “How to Configure ADFS Trust with Partner organization using ADFS 3.0”

  1. Hi RK,
    This is Praveena from Wipro server ops team. First time I am reading your blogs; it's really fantastic and easy to understand. Thank you so much and keep updating the blogs to help us to update the knowledge.
