Federation Trust

Before we begin the configuration, we need to understand some basic concepts behind the federation trust relationship, known these days as an AD FS trust.

What is a Federation Trust (AD FS Trust):

Active Directory Federation Services (AD FS) enables efficient and secure online transactions between partner organizations that are joined by federation trust relationships. The picture below explains it well.

[Illustration: federation trust between the Account Partner Organization and the Resource Partner Organization]

In the illustration above, the Resource Partner Organization (RPO) provides the AD FS-enabled application, which is already integrated with the RPO's AD FS and working fine. The Account Partner Organization (APO) is where the partner accounts reside, and its users want to access the AD FS-enabled application of the Resource Partner Organization. Many well-known application providers support only a single identity provider. A federation trust resolves this problem. How? Since the application is already integrated and will not accept another identity provider, we create an AD FS trust between the two organizations using AD FS.

An example: Windowstechpro.com is the resource partner organization, APP1.Windowstechpro.com is the AD FS-enabled application, and ABC.com is the account partner organization. Once the federation trust is created, any user of ABC.com trying to access APP1.Windowstechpro.com will first have the request go to the Windowstechpro.com domain's AD FS server. When the credentials are entered as User1@ABC.com, Windowstechpro's AD FS server understands that the claims provider is ABC.com and redirects the request to ABC.com's AD FS servers. Once the account is validated, the cookie is passed on to Windowstechpro.com's AD FS server, and the token is passed to APP1 by Windowstechpro.com's AD FS server.

AD FS provides authorization, authentication and Single Sign-On (SSO) functionality to web applications and services located virtually anywhere, including perimeter networks, partner organizations and the cloud.

I believe that explains it clearly. Now let's see the benefits of AD FS trusts.

1. It is very secure: the communication between the two domains is always secured.

2. No direct communication is required between the domains apart from port 443 being open to the AD FS servers.

3. The transactions are always secured.

What is required to configure an AD FS trust:

1. Both domains should have AD FS servers configured and accessible from the internet.

2. SSL port 443 should be open towards the AD FS server from the other domain.
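A pre-flight check for the two prerequisites above, added here as an example and not part of the original post. It runs on the AD FS server that will later consume the partner's federation metadata, using the hostnames the post uses; the `/FederationMetadata/2007-06/FederationMetadata.xml` path is the standard AD FS metadata endpoint. It confirms port 443 is reachable, fetches the metadata over a TLS chain this server trusts, and prints the partner's token-signing certificate thumbprints so they can be confirmed with the partner out of band before any trust is created.

```powershell
# Added example (not from the original post). Hostnames are the post's own;
# the metadata path is the standard AD FS federation metadata endpoint.
$partnerFs   = 'abcfs.abc.com'
$metadataUrl = "https://$partnerFs/FederationMetadata/2007-06/FederationMetadata.xml"

# Prerequisite 2: TCP 443 from this farm to the partner farm.
$tcp = Test-NetConnection -ComputerName $partnerFs -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 443 to $partnerFs is not reachable (resolved to $($tcp.RemoteAddress))"
}

# Prerequisite 1: the partner metadata must be served over a certificate this
# server trusts. Invoke-WebRequest throws on an untrusted chain, which is the
# behaviour we want: metadata fetched over an untrusted channel is not a safe
# basis for a trust.
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$md = $resp.Content
Write-Host "Partner entityID : $($md.EntityDescriptor.entityID)"

# List the token-signing certificate(s) published in the metadata. Compare the
# thumbprints with the partner before creating the trust: the trust is only as
# good as your certainty about who is signing the tokens.
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}
$xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
Select-Xml -Xml $md -Namespace $ns -XPath $xpath | ForEach-Object {
    $raw  = [Convert]::FromBase64String($_.Node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
} | Sort-Object Thumbprint -Unique | Format-Table -AutoSize
```

Run it from the Windowstechpro.com side with `$partnerFs = 'abcfs.abc.com'`, and from the ABC.com side with the Windowstechpro.com federation service name; if `Invoke-WebRequest` fails on the certificate chain, fix the chain (or fall back to the downloaded XML file path the post describes) rather than disabling certificate validation.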

Okay. Let’s get started.

Here, Windowstechpro.com is the Resource Partner Organization and ABC.com is the Account Partner Organization.

In our case, the AD FS servers in both domains have already been set up and are ready for the trust. Refer to the article on AD FS installation.

1. Creating the Relying Party Trust in the Account Partner Organization

On the ABC domain's AD FS server, open the AD FS Management console and click Add Relying Party Trust.

You can use the federation metadata URL if it is open to the outside world; otherwise, download the XML file and map it for the integration. Click Next.


Enter the display name and click Next.


Click Next.


Click Next.


We have added the relying party. Click Add Rule to customize the claims.


Select Send LDAP Attributes as Claims and click Next.


Select the claims to send. If your application needs more claims transformed, add them as required.


We have completed the changes required on the ABC.com AD FS servers.
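The same relying party trust that the wizard steps above create, built with the AD FS PowerShell cmdlets on ABC.com's AD FS server. This is an added example, not code from the original post; the display name and the choice of LDAP attributes are assumptions, and the hostnames are the post's. It also adds the issuance authorization rule the wizard creates for you, since a trust with transform rules but no authorization rule permits nobody.

```powershell
# Added example (not from the original post). Run on ABC.com's AD FS server.
Import-Module ADFS

$rpName     = 'Windowstechpro.com (resource partner)'   # assumed display name
$rpMetadata = 'https://wprofs.windowstechpro.com/FederationMetadata/2007-06/FederationMetadata.xml'

# What the "Send LDAP Attributes as Claims" template generates: look up the
# user in AD by windowsaccountname and issue the chosen attributes as claims.
# Attribute selection is an assumption; add only what the application needs.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes as Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,mail,displayName;{0}", param = c.Value);
'@

# Issuance authorization: permit all authenticated users. Scope this to a group
# if only some ABC.com users should reach the partner application.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Use -MetadataFile <path> instead of -MetadataUrl when the partner endpoint is
# not reachable from here (the downloaded-XML route the post mentions).
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $rpMetadata `
        -IssuanceTransformRules     $issuanceRules `
        -IssuanceAuthorizationRules $authzRules `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Verify what was taken from the metadata: identifier, endpoints, signing certs.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, MetadataUrl, AutoUpdateEnabled, LastUpdateTime,
        @{ n = 'SigningCertThumbprints'
           e = { ($_.RequestSigningCertificate | ForEach-Object Thumbprint) -join ', ' } }
```

`-MonitoringEnabled` and `-AutoUpdateEnabled` make AD FS re-read the partner's metadata periodically, so a rotated token-signing certificate on the Windowstechpro.com side does not silently break the trust.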

2. Creating the Claims Provider Trust in the Resource Partner Organization

Open AD FS Management –> Claims Provider Trusts –> click Add Claims Provider Trust.


Click Start to begin the wizard.


You can use the federation metadata URL if it is open to the outside world; otherwise, download the XML file and map it for the integration. Click Next.


Provide the display name and click Next.


Select the claims to accept. If your application needs more claims transformed, add them as required.


That is it. We have created the federation trust successfully.
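The claims provider trust from step 2, created with the AD FS cmdlets on the Windowstechpro.com AD FS server, as an added example that is not from the original post. The display name is an assumption and the hostnames are the post's. It goes one step beyond the wizard defaults: the acceptance rules pass through only the claim types we expect from ABC.com, and the UPN rule additionally requires an `@abc.com` suffix, so the partner's AD FS cannot assert an identity that looks like one of our own users.

```powershell
# Added example (not from the original post). Run on the Windowstechpro.com AD FS server.
Import-Module ADFS

$cpName     = 'ABC.com (account partner)'   # assumed display name
$cpMetadata = 'https://abcfs.abc.com/FederationMetadata/2007-06/FederationMetadata.xml'

# Acceptance transform rules: every claim ABC.com sends passes through this
# pipeline before it reaches our relying parties. Only the listed types survive,
# and a UPN is accepted only when it belongs to the partner's own suffix.
$acceptanceRules = @'
@RuleName = "Pass through UPN (ABC.com suffix only)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "(?i)^[^@]+@abc\.com$"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through e-mail address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);
'@

# -MetadataFile <path> is the alternative when abcfs.abc.com is not reachable from here.
if (-not (Get-AdfsClaimsProviderTrust -Name $cpName)) {
    Add-AdfsClaimsProviderTrust -Name $cpName -MetadataUrl $cpMetadata `
        -AcceptanceTransformRules $acceptanceRules `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Verify: identifier and signing certificates learned from the metadata. Re-run
# this after the browser test below, and whenever the trust stops working;
# a failed metadata refresh after the partner rotates its signing certificate
# is the usual cause.
Get-AdfsClaimsProviderTrust -Name $cpName |
    Select-Object Name, Identifier, Enabled, AutoUpdateEnabled, LastUpdateTime,
        @{ n = 'TokenSigningThumbprints'
           e = { ($_.TokenSigningCertificates | ForEach-Object Thumbprint) -join ', ' } }
```

The thumbprints printed at the end should match what the partner confirmed out of band; a trust whose signing certificate you have not verified will happily accept tokens from whoever holds that key.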

Okay. Let's test whether the federation is working as required.

Open the Windowstechpro domain AD FS IdpInitiatedSignOn page.

https://wprofs.windowstechpro.com/adfs/ls/idpinitiatedsignon.aspx

Click Sign in Now.

Note: Watch the magic carefully now. You are on the Windowstechpro AD FS page and clicking Sign in.

You can see there are two account providers available, since we have added abc.com; by default there is only one. Select abcfs.abc.com and click Next.


As you can see, it is prompting for abcfs.abc.com, but the page still shows wprofs.windowstechpro.com.


As soon as the credentials are entered, the page is redirected to abcfs.abc.com and the credentials are validated by the ABC.com domain controllers.


After successful validation, the token from abcfs.abc.com is handed over to wprofs.windowstechpro.com and access is granted.


That is it! All done. You can see it is very simple and easy to set up, isn't it?

#FederationServices #ADFStrust #federationtrusts #domainsintegration #Trusts
