Solved

Creating ADFS to connect to a partner site for SSO

Posted on 2015-01-22
4
403 Views
Last Modified: 2015-02-04
Hello Everyone,
Our HR Dept purchased some software that is in the cloud and the software company wants me to create a SAML authetication method for SSO. I'm guessing i can do this with ADFS, but I've never set one up before. I found a couple sites that talk about integrating it with Sharepoint but we need to point it to something like this:

https://domain.com/Authentication/saml20/FederationMetadata 

If someone could point me in the right direction i would be grateful. I currently have a Domain with windows 200R2 DC's. The two sites I found are:

ADFS SharePoint

ADFS with Windows 2012 R2

the top link uses Windows 2008 R2 and the bottom uses Windows 2012 R2. Not sure if one is better than the other.
0
Comment
Question by:msidnam
  • 2
4 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 100 total points
ID: 40564630
Personally, I would be using the complete step by step guide found on MS technet. Below is the library where all of them are houses. You need to choose the step-by-step guide which fits your requirements.

ADFS 2.0 Step-by-step guide library

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40567412
I saw that first, but I wasn't using anything that the docs mentioned. i guess the closest thing would be "ADFS 2.0 Step-by-Step Guide: Federation with IBM Tivoli Federated Identity Manager ", but since ive never set one up im not 100% sure.
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 400 total points
ID: 40568466
The difference between ADFS 2.0 (2008 R2) and 3.0 (2012 R2)

ADFS 2.0 use IIS at backend and ADFS 3.0 do not have IIS (not required)

ADFS 2.0 does support SQL as database but you need some command line work to do because GUI did not support direct SQL Connection
ADFS 3.0 have proper GUI to connect to SQL database
All though ADFS can be work on Windows internal Database (WID), it is not recommended for production use
Multi-factor authentication support is enabled with ADFS 3.0
ADFS proxy of ADFS 2.0 component is replaced with Web authentication proxy (WAP) in ADFS 3.0 which is having more features, you can publish applications as well either through ADFS or u can use pass-thru authentication
With ADFS 3.0 you can enable windows 8 workspace join feature
ADFS 3.0 supports GMSA (group managed service accounts) as service accounts

I would recommend ADFS 3.0

Setup ADFS 1st
Check all prerequisites correctly, also be informed that ADFS server \ web proxy component needs to be published on internet, so you do required public domain name, hostname and IP and SSL certificate
Also you do need HA (TWO ADFS servers in corporate and TWO WAP servers in DMZ (may be you can put ADFS servers directly in DMZ and skip WAP)
You need to setup basic functional ADFS infra.

Once your base infra get ready, you can ask software company to provide procedure to setup claim based authentication with ADFS and so on.

U will get MS \ other blogs to setup basic ADFS infra correctly
0
 
LVL 2

Author Comment

by:msidnam
ID: 40574006
thank you both for the info. I am out of town until next week and i think i will start installing ADFS on server 2012.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question