Before we begin the configuration, we need to understand some basic concepts that are required for a good understanding of the federation trust relationship, known in AD FS terms as an AD FS trust.
What is a Federation Trust (AD FS Trust):
Active Directory Federation Services (AD FS) enables efficient and secure online transactions between partner organizations that are joined by federation trust relationships. The illustration below shows the flow.
In the illustration, the Resource Partner Organization (RPO) hosts the AD FS-enabled application, which is already integrated with the RPO's AD FS and working. The Account Partner Organization (APO) is where the partner's user accounts live, and its users want to access the RPO's AD FS-enabled application. Most applications support only a single identity provider, so the application cannot simply be pointed at the APO as well. A federation trust solves this: because the application is already integrated with the RPO's AD FS and will not take another identity provider, we create an AD FS trust between the two organizations so that the RPO's AD FS accepts identities asserted by the APO's AD FS.
An example: Windowstechpro.com is the resource partner organization, APP1.Windowstechpro.com is the AD FS-enabled application, and ABC.com is the account partner organization. Once the federation trust is created, a user from ABC.com who browses to APP1.Windowstechpro.com is redirected to Windowstechpro.com's AD FS server. When the user identifies as User1@ABC.com (by selecting ABC.com on the home realm discovery page or, where suffix-based discovery is configured, from the UPN suffix), Windowstechpro's AD FS recognises that the claims provider for that account is ABC.com and redirects the browser to ABC.com's AD FS server. ABC.com's AD FS authenticates the user against its own Active Directory and issues a signed security token (not a cookie) addressed to Windowstechpro.com's federation service; the browser carries that token back to Windowstechpro.com's AD FS, which validates the signature against ABC.com's token-signing certificate, applies its acceptance and issuance rules, and issues a new token for APP1. The user's password never leaves ABC.com.
AD FS provides authentication, authorization and single sign-on (SSO) to web applications and services located virtually anywhere, including perimeter networks, partner organizations and the cloud.
With that covered, let's look at the benefits of AD FS trusts.
1. Communication between the two federation services is protected by TLS, and the tokens exchanged are signed by the issuing AD FS with its token-signing certificate, so the receiving side can verify who issued them.
2. No direct connectivity between the domains is required apart from HTTPS (TCP 443) to each AD FS server; in particular, no Active Directory forest or domain trust is needed, and the account partner's credentials are never sent to the resource partner.
3. Each organization keeps control of its own side: the account partner decides who may obtain a token for the partner (issuance authorization rules), and the resource partner decides which incoming claims it accepts (acceptance rules).
What is required to configure an AD FS trust:
1. Both domains must have AD FS servers configured and reachable from the internet, with a federation service name that resolves in DNS and a service-communications (TLS) certificate the other side trusts.
2. TCP 443 must be open to each AD FS server from the other domain, so that each side can pull the partner's federation metadata (https://<federation service name>/FederationMetadata/2007-06/FederationMetadata.xml); if that is not possible, exchange the metadata file or the token-signing certificate out of band.
3. Clocks on both sides must be reasonably in sync, because tokens carry validity windows and AD FS rejects tokens outside its allowed clock skew.
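As an added example (this is not part of the original article), the following PowerShell pre-flight check exercises the requirements above from a workstation that can reach both federation services: it confirms TCP 443, pulls each side's federation metadata and lists the advertised token-signing certificates. The hostnames wprofs.windowstechpro.com and abcfs.abc.com are taken from the article's test section; the metadata path is AD FS's fixed endpoint. The thumbprints it prints are what you should confirm with the partner out of band before creating any trust.

```powershell
# Added example, not from the original article: pre-flight checks before building the trust.
# Run from a machine that can reach both federation services over HTTPS.
$federationServers = @(
    'wprofs.windowstechpro.com',   # Resource Partner Organization (hosts APP1)
    'abcfs.abc.com'                # Account Partner Organization (holds the user accounts)
)

function Get-AdfsSigningCertificates {
    param([Parameter(Mandatory)][string]$FederationServiceHost)

    # Fixed AD FS metadata endpoint; both WS-Federation and SAML metadata are published here.
    $metadataUrl = "https://$FederationServiceHost/FederationMetadata/2007-06/FederationMetadata.xml"

    # 1. TCP 443 must be open; all federation traffic is browser redirects and metadata pulls over HTTPS.
    $tcp = Test-NetConnection -ComputerName $FederationServiceHost -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { throw "TCP 443 to $FederationServiceHost is not reachable" }

    # 2. Fetch the metadata. Invoke-WebRequest validates the TLS chain, so a self-signed or
    #    mismatched service-communications certificate fails here, which is exactly what we want to know.
    $response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
    [xml]$metadata = $response.Content

    # 3. Extract every certificate marked use="signing". These are the partner's token-signing
    #    certificates; the trust you create later will accept tokens signed by them.
    $entityId = $metadata.EntityDescriptor.entityID
    $signing = $metadata.GetElementsByTagName('KeyDescriptor') |
        Where-Object { $_.use -eq 'signing' } |
        ForEach-Object {
            # FromBase64String tolerates the line breaks AD FS puts inside <X509Certificate>.
            $raw = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        } |
        Sort-Object Thumbprint -Unique   # the same cert appears under several role descriptors

    [pscustomobject]@{
        Host     = $FederationServiceHost
        EntityId = $entityId
        Signing  = $signing | Select-Object Subject, Thumbprint, NotAfter
    }
}

foreach ($fs in $federationServers) {
    $info = Get-AdfsSigningCertificates -FederationServiceHost $fs
    "{0}`n  entityID (federation service identifier): {1}" -f $info.Host, $info.EntityId
    $info.Signing | Format-Table -AutoSize
}
```

The entityID printed for each side is the identifier the trust wizard imports; if the partner later rolls its token-signing certificate, re-running this check (or enabling automatic metadata updates on the trust) shows the new thumbprint.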
Okay. Let’s get started.
Windowstechpro.com is the Resource Partner Organization and ABC.com is the Account Partner Organization.
In our case, the AD FS servers in both domains are already set up and ready for the trust to be created. Refer to the article on AD FS installation.
1. Creating the Relying Party Trust in the Account Partner Organization
On ABC's AD FS server, open the AD FS Management console and click Add Relying Party Trust. The relying party here is Windowstechpro.com's federation service (not APP1 itself); identify it from Windowstechpro.com's federation metadata so that its identifier and token-signing certificate are imported rather than typed by hand.
Enter the display name and click Next.
With the relying party added, click Add Rule to customize the claims that ABC.com will send to Windowstechpro.com (typically the user's UPN and e-mail address from Active Directory).
2. Creating the Claims Provider Trust in the Resource Partner Organization
On Windowstechpro.com's AD FS server, open AD FS Management -> Claims Provider Trusts -> Add Claims Provider Trust, pointing at ABC.com's federation metadata.
Select the claims to accept as shown below. If your applications need more claims transformed, add more rules as required. Bear in mind that Windowstechpro.com's AD FS will trust whatever ABC.com's AD FS asserts, subject only to these acceptance rules, so pass through only the claim types the application needs and, where possible, constrain their values (for example, accept UPNs only in ABC.com's own suffix).
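As an added example (not the article's own steps), here are the two console steps above performed with the AD FS PowerShell module, one section per organization. The hostnames and the federation metadata path are as in the article; the display names, the claim types chosen, the "permit all" authorization rule and the suffix-filtering regular expressions are this example's choices, and the OrganizationalAccountSuffix step assumes AD FS on Windows Server 2016 or later.

```powershell
# Added example, not from the original article: the federation trust built with the
# AD FS PowerShell cmdlets instead of the management console.

# ---- 1. On the Account Partner's AD FS server (abcfs.abc.com): relying party trust ----
# The relying party is the Resource Partner's *federation service*, not APP1 itself.
# Its identifier and token-signing certificate are imported from its federation metadata.

# Issuance transform rules: which claims ABC.com sends about its users.
$rpRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN and e-mail from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,mail;{0}", param = c.Value);
'@

# Issuance authorization rule: who may obtain a token for the partner at all.
# "Permit all" mirrors the console default; narrow it to a group SID in production.
$rpAuthz = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'Windowstechpro.com (resource partner)' `
    -MetadataUrl 'https://wprofs.windowstechpro.com/FederationMetadata/2007-06/FederationMetadata.xml' `
    -IssuanceTransformRules $rpRules `
    -IssuanceAuthorizationRules $rpAuthz `
    -AutoUpdateEnabled $true -MonitoringEnabled $true   # follow the partner's certificate rollovers

# ---- 2. On the Resource Partner's AD FS server (wprofs.windowstechpro.com): claims provider trust ----
# Acceptance transform rules are the only control over what the partner can assert.
# Accept UPN and e-mail only, and only values in the partner's own suffix, so that a token
# from ABC.com can never present a user1@windowstechpro.com identity to APP1.
$cpRules = @'
@RuleName = "Accept UPN only for @abc.com"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i)[^@]+@abc\.com$"]
 => issue(claim = c);

@RuleName = "Accept e-mail only for @abc.com"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^(?i)[^@]+@abc\.com$"]
 => issue(claim = c);
'@

Add-AdfsClaimsProviderTrust -Name 'ABC.com (account partner)' `
    -MetadataUrl 'https://abcfs.abc.com/FederationMetadata/2007-06/FederationMetadata.xml' `
    -AcceptanceTransformRules $cpRules `
    -AutoUpdateEnabled $true -MonitoringEnabled $true

# Optional (assumes AD FS on Windows Server 2016 or later): send user@abc.com straight to
# the partner from the home realm discovery page instead of showing a provider picker.
Set-AdfsClaimsProviderTrust -TargetName 'ABC.com (account partner)' -OrganizationalAccountSuffix 'abc.com'

# Sanity check: identifier and token-signing certificate thumbprints imported from metadata.
Get-AdfsClaimsProviderTrust -Name 'ABC.com (account partner)' |
    Select-Object Name, Identifier, @{ n = 'Signing'; e = { $_.TokenSigningCertificates.Thumbprint } }
```

Two things to remember when using this: the first section runs only on ABC.com's server and the second only on Windowstechpro.com's, and claims that survive the acceptance rules still have to be passed through by APP1's own relying party trust on Windowstechpro.com's AD FS before the application sees them.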
That is it. The federation trust has been created.
Now let's test whether the federation works as intended.
Open the IdP-initiated sign-on page of the Windowstechpro domain's AD FS (https://wprofs.windowstechpro.com/adfs/ls/IdpInitiatedSignOn.aspx). On AD FS for Windows Server 2016 and later this page is disabled by default and has to be enabled in the AD FS properties first.
Click Sign in now.
Note: watch carefully at this point. You are on the Windowstechpro AD FS page and click Sign in.
You will see that the credential prompt is for abcfs.abc.com (ABC.com's AD FS is the one authenticating the user), while the sign-on page you started from is still wprofs.windowstechpro.com: Windowstechpro's AD FS has redirected you to the claims provider and will receive the signed token back once ABC.com has validated the account.
That's it! Everything is done. As you can see, it is simple and quick to set up.