Setting up ADFS with Straatos

This article describes how to configure a local Windows Active Directory for use with Straatos so that users get a Single Sign-On experience with their on-premises credentials. It relies on Active Directory Federation Services (ADFS) acting as an OpenID Connect identity provider.

Prerequisites

  • Active Directory Domain Services (ADDS) installed, and a domain account with Domain Admin rights for the ADFS configuration step.

  • Windows Server 2016 or later for the ADFS server. The Application Groups configured later in this article were introduced with the ADFS version shipped in Windows Server 2016 and are not available in Windows Server 2012 R2.

  • An SSL (TLS) certificate with its private key (for example a PFX file) whose subject name is the federation service name that users will be redirected to. It must be issued by a certification authority trusted by both the users' browsers and Azure AD B2C, which fetches the ADFS metadata over HTTPS.


Installing Active Directory Federation Services (ADFS)

  1. Open the Server Manager on your local machine, click the “Dashboard” tab, then click “Add Roles and Features”.

  2. In the “Add Roles and Features” wizard, on the “Installation Type” tab, select “Role-based or feature-based installation”.

  3. On the “Server Selection” tab, select “Select a server from the server pool” and choose the server that will run ADFS. (The example in this article was built on Microsoft Windows Server 2012 R2 Datacenter; note that the Application Groups configured later require Windows Server 2016 or later.)

  4. On the “Server Roles” tab, select “Active Directory Federation Services”.

  5. On the “Features” tab, click Next.

  6. On the “ADFS” tab, click Next.

  7. On the “Confirmation” tab, click Install.


Configuring Active Directory Federation Services (ADFS)

After installing the ADFS role, you need to connect it to the ADDS domain, import the SSL certificate and create the federation service:

  1. After installing ADFS, a notification icon will appear in the Server Manager window.

  2. Click the icon to reveal a drop-down menu and click “Configure the federation service on this server”.

  3. On the “Welcome” tab of the wizard, select “Create the first federation server in a federation server farm”.

  4. On the “Connect to ADDS” tab, the account you are logged in with (it must have Domain Admin rights) is pre-selected. Click Next.

  5. On the “Specify Service Properties” tab, click Import and select the SSL certificate for your federation service name. The Federation Service Name is taken from the certificate; it is the host name users are redirected to during sign-in and must resolve in DNS to this server.

  6. Enter a “Federation Service Display Name” (shown to users on the sign-in page), then click Next.

  7. On the “Specify Service Account” tab, you may see the following error:

     Group Managed Service Accounts are not available because the KDS Root Key has not been set.

  8. To resolve this error, open Windows PowerShell as an administrator and run:

     Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

     Backdating the effective time by 10 hours makes the key usable immediately instead of after the normal 10-hour replication delay. This is fine for a lab or a domain with a single domain controller; in a domain with several domain controllers, run Add-KdsRootKey -EffectiveImmediately instead, wait 10 hours so the key replicates to all of them, and then continue.

  9. Back in the ADFS configuration wizard, the error will be gone. Select “Create a Group Managed Service Account”, provide an account name and click Next. The gMSA's password is generated and rotated by the domain, so nobody has to know it, and only this federation server is allowed to retrieve it.

  10. On the “Specify Database” tab, select “Create a database on this server using Windows Internal Database”, then click Next. The Windows Internal Database is sufficient for a small farm; a SQL Server database is only needed if you exceed its farm limits.

  11. On the “Review Options” tab, click Next.

  12. On the “Pre-requisite Checks” tab, wait until all checks pass, then click Configure.

  13. The federation service will now be configured. Once configuration is complete, you will be redirected to the “Results” tab. Click Close.

  14. You have successfully configured and installed ADFS. To confirm, browse to https://<federation-service-name>/adfs/.well-known/openid-configuration from a domain-joined machine: the OpenID Connect metadata document should be returned without a certificate warning. This is the endpoint Azure AD B2C will read.
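The same installation and configuration, as an added PowerShell example rather than anything from the original article or from CumulusPro. It is meant for an elevated session on the future federation server, logged in as a domain administrator. The domain name, federation service name, certificate path and gMSA name are assumptions to replace with your own values; the KDS root key and certificate checks are the ones a practitioner would want before the wizard's irreversible step.

```powershell
# Added example (not part of the original article): the "Installing" and
# "Configuring" procedures above as a script for an elevated PowerShell session
# on the future federation server, logged in as a domain administrator.
# Assumed values, change them to match your environment:
$NetbiosDomain = 'CORP'                       # assumption: NetBIOS name of the domain
$ServiceName   = 'sts.corp.example.com'       # assumption: DNS name on the certificate
$DisplayName   = 'Straatos Sign-In'           # shown to users on the ADFS sign-in page
$PfxPath       = 'C:\certs\sts.pfx'           # assumption: certificate with private key
$GmsaName      = 'adfsgmsa'                   # assumption: gMSA the wizard would create

# 1. Install the role (the "Add Roles and Features" steps).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# 2. Import the service certificate into the machine store. The wizard's Import
#    button does the same; Install-AdfsFarm wants the thumbprint, not the file.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
if ($cert.DnsNameList.Unicode -notcontains $ServiceName) {
    throw "Certificate does not cover the federation service name $ServiceName"
}

# 3. Make sure a KDS root key exists; without one the wizard's gMSA option fails
#    with the error quoted above. -EffectiveImmediately still means the key is
#    usable only after ~10 hours so it can replicate to every domain controller.
#    The article's (Get-Date).AddHours(-10) backdating skips that wait and is
#    acceptable for a single-DC lab only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    Write-Warning 'New KDS root key created; in a multi-DC domain wait 10 hours before continuing.'
}

# 4. Create the gMSA, allowing only this server to retrieve its password.
Import-Module ActiveDirectory
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $ServiceName `
        -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer -Identity $env:COMPUTERNAME)
}

# 5. The "Pre-requisite Checks" tab, then the actual configuration. The Windows
#    Internal Database is the default, as in the wizard.
$farm = @{
    CertificateThumbprint         = $cert.Thumbprint
    FederationServiceName         = $ServiceName
    FederationServiceDisplayName  = $DisplayName
    GroupServiceAccountIdentifier = "$NetbiosDomain\$GmsaName`$"
}
Test-AdfsFarmInstallation @farm
Install-AdfsFarm @farm

# 6. Verify: the service runs as the gMSA, and the OpenID Connect metadata that
#    Azure AD B2C will read is served over HTTPS without certificate errors.
(Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
Invoke-RestMethod -Uri "https://$ServiceName/adfs/.well-known/openid-configuration" |
    Select-Object issuer, authorization_endpoint, token_endpoint
```

Test-AdfsFarmInstallation takes the same parameters as Install-AdfsFarm and only runs the checks, so a wrong thumbprint or an unresolvable service name is caught before anything is written to the domain.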


Configure ADFS as an identity provider (IdP) on the local machine

This registers an application in ADFS so that Azure AD B2C, which Straatos uses for sign-in, can use your ADFS instance as an OpenID Connect identity provider:

  1. In Server Manager, select Tools, and then select ADFS Management.

  2. In ADFS Management, right-click Application Groups and select Add Application Group.

  3. On the Application Group Wizard Welcome screen:

    1. Enter the Name of your application.

    2. Select the “Web browser accessing a web application” template under Client-Server applications.

    3. Click Next.

  4. On the Application Group Wizard Native Application screen:

    1. Copy and save the Client Identifier value. It is needed when the ADFS instance is added to Azure AD B2C as a new OpenID Connect identity provider.

    2. In Redirect URI, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp, replacing the placeholders with your values. ADFS compares redirect URIs exactly, so the scheme, host and path must match what Azure AD B2C sends; a mismatch is rejected at sign-in time.

    3. Select Next, and then Next, and then Next again to complete the app registration wizard.

    4. Select Close.


Configuring the App Claims

This configures the claims that ADFS includes in the token it returns to Azure AD B2C:

  1. In Application Groups, select the application group you created.

  2. In the application group properties window, under Applications, select the Web Application, then select Edit.

  3. Select the Issuance Transform Rules tab, then select Add Rule.

  4. In Claim rule template, select “Send LDAP attributes as claims”, and then Next.

  5. Provide a Claim rule name. For the Attribute store, select Active Directory, and add the following mappings. The outgoing claim types are the OpenID Connect claim names Azure AD B2C expects, so enter them exactly as written.

     LDAP attribute        Outgoing claim type
     User-Principal-Name   upn
     Surname               family_name
     Given-Name            given_name
     Display-Name          name
     E-Mail-Addresses      email

     A claim is only issued when the attribute is populated for the user; an empty E-Mail-Addresses attribute, for example, means no email claim in the token.

  6. Select Finish.

  7. Select Apply, and then OK.

  8. Select OK again to finish.
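The application group and the claim rule from the two sections above, as an added PowerShell example that is not part of the original article and not CumulusPro's code. The ADFS PowerShell module has no single call for the “Web browser accessing a web application” template; the block creates the pair that template produces, a native client application and a Web API application sharing one identifier (compare with Get-AdfsApplicationGroup on a wizard-created group if in doubt). The group name, the generated client identifier and the “Straatos Users” group are assumptions; the redirect URI keeps the article's placeholders. The claim rule text is the form the “Send LDAP attributes as claims” template generates for the table above, and the final check lists users whose token would be missing claims because the source attribute is empty.

```powershell
# Added example (not part of the original article): the application group and the
# claim rule from the two sections above, created with the AD FS PowerShell module
# instead of the management console. Assumptions: the group is named "Straatos",
# the client identifier is generated here (the wizard generates one for you), the
# redirect URI keeps the article's placeholders, and the users who will sign in are
# members of a group called "Straatos Users".
Import-Module ADFS
Import-Module ActiveDirectory

$GroupName   = 'Straatos'                                  # assumption
$ClientId    = [guid]::NewGuid().ToString()                # save it: Azure AD B2C needs it
$RedirectUri = 'https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp'
$UserGroup   = 'Straatos Users'                            # assumption

# The "Send LDAP attributes as claims" rule from the table above, in AD FS claim
# rule language. Outgoing claim types and LDAP attributes in the query are matched
# by position: userPrincipalName -> upn, sn -> family_name, givenName -> given_name,
# displayName -> name, mail -> email.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Straatos user claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("upn", "family_name", "given_name", "name", "email"), query = ";userPrincipalName,sn,givenName,displayName,mail;{0}", param = c.Value);
'@

# The "Web browser accessing a web application" template is a browser client and a
# web application sharing one identifier; the module exposes them as a native client
# application plus a Web API application, which is what is created here.
New-AdfsApplicationGroup -Name $GroupName -ApplicationGroupIdentifier $GroupName

Add-AdfsNativeClientApplication -ApplicationGroupIdentifier $GroupName `
    -Name "$GroupName - Browser client" -Identifier $ClientId -RedirectUri $RedirectUri

Add-AdfsWebApiApplication -ApplicationGroupIdentifier $GroupName `
    -Name "$GroupName - Web application" -Identifier $ClientId `
    -IssuanceTransformRules $IssuanceRules

# Allow the client to request an id_token for the web application (openid scope).
Grant-AdfsApplicationPermission -ClientRoleIdentifier $ClientId `
    -ServerRoleIdentifier $ClientId -ScopeNames 'openid'

"Client Identifier to register in Azure AD B2C: $ClientId"

# Check before testing sign-in: a claim is only issued when its source attribute is
# populated, so list the users whose token would arrive with claims missing.
$attrs = 'userPrincipalName', 'sn', 'givenName', 'displayName', 'mail'
Get-ADGroupMember -Identity $UserGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties $attrs |
    ForEach-Object {
        $user    = $_
        $missing = $attrs | Where-Object { -not $user.$_ }
        if ($missing) {
            [pscustomobject]@{ User = $user.SamAccountName; MissingAttributes = ($missing -join ', ') }
        }
    } | Format-Table -AutoSize
```

The same rule text can be pasted into the console's rule editor using the “Send claims using a custom rule” template if you prefer to create the group with the wizard and only script the claims; the Client Identifier printed at the end is the value to save for the Azure AD B2C side.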


Email Activation and Login

Once you have received the activation email from CumulusPro, click the first blue link to activate your account. From then on, sign in to Straatos with your own on-premises (Active Directory) credentials.
