Federated Identities to Windows Azure Pack through AD FS – Part 3 of 3

In few of the previous posts, Anders Ravnholt discussed Installation & Configuration of WAP and Reconfiguration with FQDNs, ports and Trusted Certificates in detail. In this series, I will discuss how to configure AD FS and enable it to provide Identities to your WAP installation.

Scenario

Contoso Inc. is a Service Provider that hosts a private cloud stack and offers Compute resources to their customers. Contoso wants to install a Windows Azure Pack stack and

  1. Provide administrative access to users from its own Active Directory
  2. Provide self-service access to the Tenant Portal to users from Fabrikam Corp, one of its customers.

We will run through this scenario in 3 parts:

In the first part of this blog series, we discussed how Contoso can set up an AD FS Farm in their Corp domain pcloud.contoso.corp.

In the second part, we discussed how Contoso can set up trust between the AD FS instance and the WAP Admin Portal and provides its users, access to the Management Portal.

In this third part, we will discuss how Contoso can enable Fabrikam's users to access the Tenant portal by establishing trust between Fabrikam's AD FS and Contoso's AD FS and Contoso's AD FS and the WAP Tenant Portal.

   
 

Personas

Rob is a Fabric Administrator who is responsible for maintaining the infrastructure. Rob was tasked with installing the Windows Azure Pack Stack for Contoso Inc.

Mary is the Domain administrator for pcloud.contoso.corp domain in Contoso's Active Directory. Mary has necessary permissions to configure the AD FS linked to the domain.

George is the domain administrator of Fabrikam.corp domain. He has the necessary credentials to federate Fabrikam's AD FS with Contoso's AD FS.

Assumptions and Scope

In this post, the following are the assumptions about the environment:

  • Windows Azure Pack is already set up in the pcloud.contoso.corp domain
  • AD FS is enabled and configured for the pcloud.contoso.corp domain
  • AD FS is enabled and configured for the Fabrikam.corp domain
  • All the components in the environment have been configured with certificates from a Trusted CA
  • Both Contoso and Fabrikam have setup the necessary DNS routing to talk to each other     

We also assume the following about you, the reader:

Overview of Scenario

Before I move on to explain how federation is established, I would like to give you an overview of the steps that need to be completed to get this working.

  1. Add the WAP Tenant Portal as a Relying Party to Contoso's AD FS
    This is done so that the AD FS knows that the Tenant Portal will be relying on it to provide authenticated Identities. This process has been explained in the second part of the blog series in the context of the Admin Portal.
  2. Add Contoso's AD FS as Claims Provider to the WAP tenant Portal
    This is done so that the Tenant Portal knows that AD FS is the entity that provides User Claims and that the users will have to authenticate against it. This process has been explained in the second part of the blog series in the context of the Admin Portal.

A similar relationship exists between Contoso's AD FS and Fabrikam's AD FS,

  1. Add Contoso's AD FS as a Relying Party to Fabrikam's AD FS
    This is done so that Fabrikam's AD FS knows that Contoso's AD FS will rely on it to authenticate users within its own realm
  2. Add Fabrikam's AD FS as a Claims Provider to Contoso's AD FS
    This is done to tell Contoso's ADFS that it can trust Fabrikam's AD FS and that it will be one of the trusted Claims Providers in the Federation Chain

All four of these steps have to be completed for the proper trusts to be established and enable users to login to the system.

Establish trust between Contoso's AD FS and WAP Tenant Portal

Adding a WAP Tenant Portal as a Relying Party to Contoso's AD FS

This process has already been explained in the second part of the blog series in the context of the Admin portal. We will go over it again here briefly.
Mary, Contoso's Domain Administrator, has to add the WAP Tenant Portal as a relying party with AD FS which tells AD FS that the Tenant Portal will be looking to get tokens from it. To do that Mary kicks off the "Add Relying party trust Wizard" from the AD FS Console

She enters the federation metadata information for the WAP Tenant Portal which is typically
<https://<<tenant portal url>>/federationmetadata/2007-06/federationmetadata.xml

Mary provides a friendly name for the Tenant Portal and proceeds with the rest of the wizard leaving default values.

Now Mary adds Claim Transformation Rules to the Tenant Portal, similar to the ones added to the Admin Portal (per the second part of this blog series).

Additionally, she ensures that the Tenant portal gets JWT Claims by using the Set-ADFSRelyingPartyTrust cmdlet. (Again, per the second part of this blog series)

    1: Set-AdfsRelyingPartyTrust -TargetIdentifier 'https://azureservices/TenantSite' -EnableJWT $true

Adding Contoso's AD FS as a Claims Provider to the Tenant Portal

Rob, who is the Fabric Administrator, logs on to the WAP box to complete the second half of this handshake. He runs the following script on the WAP Tenant Portal to let the Portal know it needs to Rely on AD FS for identities

    1: $fqdn = 'adfs.pcloud.contoso.corp'
    2: $dbServer = 'ContosoWAP'
    3: $dbPassword = 'pass@word1'
    4: $portalConfigStoreConnectionString = [string]::Format('Data Source={0};Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;User ID=sa;Password={1}', $dbServer, $dbPassword)
    5:  
    6: Set-MgmtSvcRelyingPartySettings -Target Tenant `
    7: -MetadataEndpoint https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml `
    8: -ConnectionString $portalConfigStoreConnectionString

Add Fabrikam's AD FS as Claims Provider to Contoso's AD FS

  1. Mary, the Domain Administrator for the pcloud.contoso.corp domain opens the AD FS console and clicks "Add Claims Provider Trust" from the Actions pane on the right.

  2. In the Select Data Source screen, she enters the address to the Federation Metadata information of Fabrikam's AD FS. It is typically https:// <adfs federation servicename>/federationmetadata/2007-06/federationmetadata.xml
    Alternatively, the file can also be downloaded from the above location and imported into the wizard

  3. The next step is to provide a friendly name  for the Fabrikam AD FS. For easy identification, let's call it, well,  Fabrikam AD FS

  4. The remaining steps in the wizard deals with configuring Multifactor Authentication, Issuance Authorization rules etc which are not currently needed for this scenario and so she leaves them as is with the default values and completes the wizard. In the final step, Mary ensures that the "Open the Edit Claim Rules dialog.." checkbox is checked and clicks "Close"

  5. In the "Add Transform Claim rule Wizard" , the Claim rule template should be selected as " "Send LDAP Attributes as Claims"   and click Next

    In the next step, Mary provides a Friendly rule name and selects the Attribute store as Active Directory and in the Mapping table, maps User-Principal-Name  to UPN outgoing claim.
     
    A similar process is repeated for adding Group Claims. Select Token-Groups – Qualified by Domain to map to Group outgoing claim
     

  6. In some cases a UPN might already be available to AD FS. To handle these scenarios, there are two additional rules that need to be added to flow the UPN claims through as-is. In the "Add Transform Claim rule Wizard" select, "Pass Through or Filter an Incoming Claim"  
     
           
    in the next step, she provides a friendly name to the rule, and specifies the Incoming Claim Type as UPN and clicks Finish
              
    Mary clicks on Yes in the AD FS Management Popup

    A similar process is repeated for the Group Claim         
            

  7. Now that all four rules are added for this relying party, she finally clicks on Apply and is done with the Claim Transformation Rules  

  8. Once this is done Mary needs to ensure that when users are redirected to the ADFS from the WAP Tenant Portal, they should be taken directly to Fabrikam’s   AD FS page for authentication. This is done by the following cmdlet

        1: Set-AdfsRelyingPartyTrust -TargetName "WAP Tenant Portal" -ClaimsProviderName @("Fabrikam AD FS")
    

Adding Contoso AD FS as a Relying Party to Fabrikam's AD FS

To complete the second part of the handshake, George, who is the Domain Administrator for Fabrikam should add Contoso's AD FS as a Relying Party. This is the same process as adding a Claims Provider and has pretty much the same set of steps:

  1. Enters the location to the Federation metadata of Contoso's AD FS

  2. Specifies a friendly name to the registered Relying Party

  3. Clicks through the rest of the wizard by choosing appropriate values or the default ones depending on his preferences. On completing the wizard, he is shown the 'Add Transform Claim Rule Wizard'

  4. In the "Add Transform Claim rule Wizard" , the Claim rule template should be selected as " "Send LDAP Attributes as Claims"   and click Next
        

  5. In the next step, he provides a Friendly rule name and selects the Attribute store as Active Directory and in the Mapping table, maps User-Principal-Name  to UPN outgoing claim.
         

  6. A similar process is repeated for adding Group Claims. Select Token-Groups – Qualified by Domain to map to Group outgoing claim
          

  7. In some cases a UPN might already be available to AD FS. To handle these scenarios, there are two additional rules that need to be added to flow the UPN claims through as-is. In the "Add Transform Claim rule Wizard" select, "Pass Through or Filter an Incoming Claim"  
          

  8. In the next step, he provides a friendly name to the rule, and specifies the Incoming Claim Type as UPN and clicks Finish
              

    A similar process is repeated for the Group Claim         
            

  9. Now that all four rules are added for this relying party, he finally clicks on Apply and is done with the Claim Transformation Rules  

  10. Once this is done, George needs to ensure that JWT tokens are issued to Contoso's AD FS. This is done by the following Powershell

        1: Set-ADFSRelyingPartyTrust -TargetIdentifier https://adfs.pcloud.contoso.corp/adfs/services/trust -EnableJWT $true 
    

         

  11. That’s it! Smile Now when users access the Tenant Portal, they will be redirected to Contoso AD FS which will then redirect them to Fabrikam AD FS. The Fabrikam AD FS will then authenticate the user

  12. Once authenticated, users will be redirected all the way back to the WAP Tenant Portal to access their resources!