At the end of the day, there are a couple of protocols that are spoken between partners in an identity federation scenario. No matter where you go, chances are you’ll be dealing with either Security Assertion Markup Language (SAML, pronounced “sam-il”) or WS-Federation (often abbreviated WS-Fed).

For SAML and WS-Fed, the conceptual semantics of how they work is the same, but the formatting of the data is different. In both cases, the IdP generates an Extensible Markup Language (XML) snippet that contains a series of claims about the user in question. Claims are simply attribute/value pairs. Common examples are data points such as the user’s name, email address, employee number, and so forth. This set of claims and the supporting data in the XML comprise the user’s token for access to the RP. The RP uses the claims in the token to authorize the user and provide the necessary functionality in the application.

In order to guarantee that the token was issued by the IdP and that it hasn’t been tampered with, the IdP digitally signs the XML with its token signing certificate. The RP has a copy of the IdP’s token signing certificate public key. When the RP receives a token from the IdP, it uses the public key to confirm that the token is valid.

Now that we’ve discussed the token that the IdP issues, let’s look at an end-to-end example whereby a user wants to access the Fabrikam Payroll website, as shown in Figure 21-2.

Figure 21-2. Federated application access workflow

In this scenario, the following steps occur for a user to access the Fabrikam Payroll website:

You’re probably wondering how all this could possibly work or be efficient with this many redirects and round-trips. Perhaps surprisingly, the process works extremely well and is quite efficient. There are a couple of things that might not be immediately clear from the process flow described here.

The first is step 2. Why does the Fabrikam Payroll website redirect the user to the Fabrikam Federation service versus directly to Coho Vineyard’s ADFS service? The answer here is in the semantics of building applications for federated identity. There are two trust relationships that come into play in Figure 21-2. In the case of the website or applications in general, the application can only trust one federation service. The federation service, however, can trust many other IdPs. Since many customers use the Fabrikam Payroll website, the website has a trust with Fabrikam’s federation service, and then in turn Fabrikam’s federation service trusts each customer (Coho Vineyard and so forth).

With that piece of information in mind, it may become a bit clearer why we need to make two round-trips to the Fabrikam Federation service. In step 6, the user is presented with a token signed by Coho Vineyard’s ADFS server. Since the trust relationship between Coho Vineyard and Fabrikam Payroll is between the federation services, the user must present the signed token back to Fabrikam’s federation service (step 7). Fabrikam’s federation service will then validate the token, and if everything checks out, it will issue a new token that is signed with Fabrikam’s certificate (step 8). Since the Fabrikam Payroll application only trusts Fabrikam’s federation service, the website would not be able to validate the token if it were signed by Coho Vineyard’s ADFS server.

Before moving on, we’ll leave you with a comparative piece of food for thought. If you’re an Active Directory administrator, you’re undoubtedly familiar with Kerberos (Chapter 10). The fundamentals of how identity federation works, as we just discussed, are very similar to Kerberos. Functionally, you can think of the IdP as a domain controller and the RP as an application or server (e.g., a file server). When a user accesses the file server, she must present the file server with a service ticket (the federation token) in order to access the service. The service ticket is encrypted with the service’s secret to ensure that it isn’t tampered with (similar to the signing of the token from the federation service).

Security Assertion Markup Language (SAML) 2.0 is one of the two primary competing standards for passing federation tokens between environments. In the United States, you’ll find SAML to be extremely prevalent in education and government; it is also used in many third-party applications and cloud services. For the external cloud services, supporting SAML is the logical choice for achieving a broad range of compatibility with potential customers.

You can learn quite a bit about SAML on Wikipedia, of all places. We found the whitepaper “How to Study and Learn SAML” to be extremely helpful as well. Finally, the specifications for SAML are available online.

As you read documentation on SAML, you’ll probably notice that the documents discuss the term assertion at great length. In SAML, an assertion is functionally equivalent to the term “token” that we use in this chapter.

WS-Federation is the protocol Microsoft has chosen to adopt in its applications and software development kits (SDKs). In fact, the first version of ADFS, only knew how to speak WS-Federation. This was an issue that greatly impacted the adoption of ADFS, as large portions of the market were inaccessible without a service to convert between SAML and WS-Fed.

If you work with developers who are building .NET applications using Windows Identity Foundation (WIF) or the classes included in the .NET 4.5 Framework, those applications will generally speak WS-Fed in their interactions with the IdP.

The first decision you’ll need to make before you begin deploying ADFS is where to store the ADFS configuration. There are two places where ADFS can store its configuration—: on a Windows Internal Database (WID) instance that’s replicated to each federation server, or in a shared SQL Server environment.

Both options have pros and cons. The WID database is extremely easy to deploy (WID is included with Windows) and comes with no additional licensing costs. WID also removes the single point of failure in a distributed ADFS environment. With WID, each federation server contains a copy of the configuration database. One federation server (usually the first federation server deployed) is designated as the “primary” server. All configuration changes are made on the primary server, and these changes are replicated to all of the “secondary” federation servers every five minutes.

The WID database also has a few limitations. First, it has limitations in terms of performance and capacity in extremely large ADFS deployments. Additionally, storing the configuration database on WID removes support for SAML artifact resolution and token replay detection.

SAML artifacts are a protocol feature specific to SAML (versus WS-Fed). SAML artifacts allow SAML tokens (assertions) to provide a pointer to a piece of data that can be independently retrieved, rather than embedded in the SAML assertion. Since the request to retrieve the artifact will come at a later time, and the request might go to a different federation server, the artifact must be stored in the configuration database to make it globally available.

Token replay detection ensures that a token that is issued by ADFS can’t be reused. ADFS stores information about each token it issues in the configuration database to ensure that a token isn’t subsequently reused. This feature also requires that the configuration database be stored in a shared SQL Server environment versus in WID.

Finally, by using a SQL Server environment, you can take advantage of SQL high-availability features such as clustering and mirroring. These features can be useful in geographic redundancy scenarios, for example. We’ll discuss geographic redundancy in the section “ADFS Topologies”.

The federation server is the heart and soul of an ADFS environment. Federation servers are capable of acting as both IdPs and RPs, depending on the scenario. All of the protocols ADFS speaks (e.g., SAML and WS-Fed) are emitted by the federation server as well.

Proper security (both physical and logical) of the federation server is important. Federation servers are just like domain controllers in that they control access to applications and services. Anyone with access to a federation server could impersonate any user in the organization by creating a false token that is signed with the federation server’s token signing certificate. To a relying party, the token would appear authentic and valid and would be treated just like a token that wasn’t fraudulently issued in this manner.

The federation server proxy is an optional feature that is used to provide a layer between your federation servers and the Internet. Functionally, there’s nothing you can’t do with ADFS if you don’t deploy proxies, but there are some scenarios that are much easier to handle with proxies in the mix.

The main scenario that federation server proxies enable out of the box is the ability to have different authentication mechanisms for internal and external users. Internally, when users connect to your federation server on the corporate network to obtain a token, you can rely on Windows Integrated Authentication (Kerberos and NTLM) to pass the user through to ADFS without any additional prompts. Externally, however, your users may be using their home PCs or connecting at a coffee shop, for example. In this case, you will likely want to present a friendly HTML form to authenticate the user.

Federation server proxies also insulate external clients from the relatively sensitive data on the federation server—the private keys that are used to sign tokens. This provides a level of security that many organizations appreciate.

Some organizations opt to use a reverse proxy other than the federation server proxy to publish their ADFS servers, and others opt to publish their federation servers directly on the Internet. Microsoft recommends the use of federation server proxies throughout its documentation, and we’ll show you how to deploy them later in this chapter.

There are a number of different topologies for deploying ADFS, ranging from small and simple to large, complex, and highly redundant. We’ll look at a few common options so that you’re familiar with them and then move on with a walk-through of a relatively simple deployment that we’ll use for the rest of this discussion.

As you review the designs we present in this section, think about your environment’s requirements for scalability and, more importantly, high availability. As you begin federating with services hosted by third parties, your environment (in this case, ADFS) will still be critical to maintain access to those applications and services. If your ADFS environment is down, your users will not be able to access the cloud solution.

This is a trap that many organizations fall into as they briefly rejoice in the thought that they will not need to deliver high service levels for services that they outsource. While you will no longer be on the hook for maintaining the outsourced services, you will instead be on the hook for ensuring high availability for your ADFS environment, which governs access to the hosted service.

Single federation server and federation proxy

In this scenario two servers are be required, as shown in Figure 21-3. One server functions as the federation server and host of the configuration database, and the other server functions as the federation server proxy and publishes ADFS to the Internet.

Figure 21-3. No high-availability deployment scenario

This topology is perfectly suitable for an organization that needs to federate with one or more partners and applications but does not have a need for redundancy at the server level. ADFS’s architecture makes it relatively easy to scale out this topology later to support multiple federation servers and federation server proxies.

Note

You could optionally deploy the configuration database on a standalone SQL server, but unless you have a need for SAML artifact resolution or token replay detection, it is unlikely that this will be necessary.

Load-balanced ADFS servers

As soon as you want to achieve any redundancy with ADFS, you’ll need to bring load balancing into the mix. This will likely require that you work closely with your colleagues on the network team to complete your deployment. As load balancing configurations go, the configuration for ADFS is quite simple. You will simply need to configure Layer 4 load balancing of TCP ports 80 and 443. There is no need for server affinity or SSL offloading unless you have a specific need outside of the basics. You will, however, want to configure appropriate server health monitoring on the load balancer.

Note

While it is possible to use the Windows Network Load Balancing (NLB) service that comes with Windows in lieu of a hardware load balancer, we strongly recommend that you elect to use a hardware load balancer instead.

Figure 21-4 shows a standard topology with load balancers in the mix. In this case, we have a pair of federation server proxies that are load balanced, and those proxies are connecting to a set of federation servers that are independently load balanced. We’ve opted to continue using the Windows Internal Database for configuration storage here. You could, however, deploy the database on a SQL Server cluster if necessary to support the scale of your deployment or because of a need for features such as SAML artifact resolution or token replay detection. As your requirements grow, you can easily add additional federation servers and federation server proxies behind the load balancers.

Figure 21-4. Load-balanced topology with WID

Note

While the diagram shows separate load balancers, depending on your network topology, you may simply need to configure two virtual IPs (VIPs) on one load balancer. Work with your network team to determine the best architecture.

Geographically redundant ADFS servers

The last and most complex solution involves placing ADFS servers in multiple datacenters to ensure the highest levels of availability. In this case, you will need to deploy a number of complex technologies to ensure that one DNS name (your ADFS service name) resolves to servers in multiple datacenters worldwide, and that users are directed to the datacenter that is closest to them.

In order to achieve the configuration shown in Figure 21-5, you will need a geographic load balancing service in addition to load balancing in each datacenter. There are various services and products that offer this capability, usually by acting as the DNS server for the services that are behind the global load balancer. One solution we are familiar with is the F5 Global Traffic Manager (GTM). The GTM is just one solution in a crowded market, so you should once again plan to work closely with your network team to determine the best solution.

Figure 21-5. Geographically load-balanced server farms

In addition to the global load balancing solution, you will need to employ SQL Server’s mirroring capabilities to replicate the configuration database into each datacenter that hosts an ADFS environment.

The first step to an ADFS deployment is deploying the federation server. If you’re running Windows Server 2008 R2, you’ll first need to download and install ADFS.

If you’re running Windows Server 2012, ADFS 2.1 is that the latter is included out of the box as an optional server role. The only difference between ADFS 2.0 and ADFS 2.1 is that the latter includes the ability to send Dynamic Access Control (DAC) claims embedded in your Kerberos ticket as ADFS claims. Regardless of which version of ADFS you’re running, the directions in this chapter stand.

Both the downloadable setup for Windows Server 2008 R2 and the out-of-the-box Windows Server 2012 role setup are smart enough to install ADFS’s prerequisites. Both setup wizards will ask if you’d like to install a federation server or a federation server proxy. You should stick with the default of Federation Server for this step.

Certificates

ADFS requires a number of SSL certificates in order to function. At a minimum, you need to provide a certificate for the FQDN of your federation service (sts.cohovines.com in our case). Make sure the certificate is trusted by the clients that will be accessing the service.

In order to get an SSL certificate, you’ll need to generate a certificate signing request (CSR) and submit the request to a certification authority (CA). There are a number of ways to generate the CSR. We typically use the free utility from DigiCert, a reputable commercial CA with excellent customer service. You can download this utility from https://www.digicert.com/util/ and run it directly on the federation server. The CSR the utility creates can be submitted to any internal or commercial CA.

To create the CSR, launch the utility on your federation server and click Create CSR. Fill in the form as appropriate for your environment. The Common Name field should be the FQDN of your federation service, as shown in Figure 21-6. Once you receive the CSR, you can submit this to your CA.

Figure 21-6. DigiCert CSR creation wizard

When you receive the certificate back from the CA, use the Import button at the bottom of the utility to import the result. When this completes, you should see the certificate with a green checkmark, similar to Figure 21-7. If you are deploying a federation server farm or federation server proxies, you can use the Export button at the bottom of the screen to export the certificate to a PFX (Personal Information Exchange) file and then import it on the other servers.

Figure 21-7. DigiCert certificate

There are two other types of certificates on the federation server—the token signing certificate and the token encryption certificate. When you install a federation server, ADFS will generate self-signed certificates for these purposes. We’ll discuss these in more detail in the section Service configuration.

Configuring ADFS

Once setup completes, you can launch the Active Directory Federation Services MMC snap-in. Inside the console, click the link to launch the AD FS Federation Server Configuration Wizard to get started. Before you proceed, take a moment to review the sidebar “ADFS Configuration Wizard Permissions” to make sure the wizard won’t fail when you get to the end.

ADFS Configuration Wizard Permissions

The configuration wizard will fail if you’re not running as a Domain Admin. This is because the wizard has to publish a key sharing container to the Program Data container in Active Directory.

This container is used for federation servers to securely share private keys, specifically the token signing and token encryption certificates. If you can’t run the configuration wizard as a member of the Domain Admins group, you have a couple of options.

The first option is to have a domain admin run the Set-ADFSCertSharingContainer PowerShell cmdlet in advance. This will create the container in Active Directory and set the permissions for the ADFS service account to manage the container.

The second option is to precreate a container called Microsoft under Program Data, and then inside the Microsoft container create a second container called ADFS. Delegate the user running the ADFS configuration wizard full control of the ADFS container in Active Directory.

Figure 21-8 shows a published key sharing container in Active Directory from a successful ADFS installation. If you have multiple ADFS farms in your domain, you will find multiple ADFS containers.

Figure 21-8. Key sharing container

Note

If you are going to use a SQL Server database for the configuration database in lieu of WID, you’ll need to use a command-line utility to configure ADFS. That utility is called fsconfig.exe and is available in %windir%ADFS.

The first thing you’ll be asked, as shown in Figure 21-9, is whether you want to deploy a new federation service or join an existing farm. Select the option “Create a new Federation Service.”

Figure 21-9. Create or join a federation service

Next you’ll be given the option to create a new federation server farm or to install a standalone server, as Figure 21-10 shows. Even if you don’t plan to add additional federation servers, we recommend that you opt to create a one-server farm.

Warning

There is no transition path available to move from a standalone server to a federation server farm later.

Figure 21-10. Create a standalone server or server farm

ADFS also requires a service account in order to run in a farm environment. This service account should be a normal Active Directory user account, with the exception that it should have the service principal names (SPNs) for the federation service listed on it. These are generally similar to http/sts and http/sts.cohovines.com.

The configuration wizard will prompt you to choose an SSL certificate to assign to the Internet Information Services (IIS) website that ADFS uses. Be sure to choose the certificate that matches your federation service name, as shown in Figure 21-11. If you need to change this, you can do so easily later in the IIS management console.

Figure 21-11. Federation service name configuration

Finally, the configuration wizard will display a summary of the tasks to be performed for you to review before continuing. Once the wizard finishes, you’ll be provided with a summary of the steps taken and their results, as shown in Figure 21-12.

Figure 21-12. Wizard results summary

Service configuration

Once the wizard finishes, you can return to the ADFS management console. The first thing you’ll want to do is right-click the Service folder and click Edit Federation Server Properties. Here you can configure key details about your ADFS environment that will be published to parties you’re federating with.

On the General tab, you can configure a display name for your service. On the Organization tab, you can publish contact information for your ADFS support team that will be listed in the ADFS server’s federation metadata. Federation metadata is used to automatically configure the bulk of a trust relationship between parties. Finally, on the Events tab, you can adjust the logging and auditing for the service.

Warning

The “Federation Service name” and “Federation Service identifier” values on the General tab must be set during initial configuration. If you change these values after you have deployed ADFS, you may break the trust relationships you have with other parties!

The second configuration item that you should address before you begin federating is the topic of token signing and token encryption certificates. As we discussed earlier in the chapter, every token ADFS issues is signed with the ADFS token signing certificate. The organizations that you trust will keep a copy of the ADFS server’s public key locally so that they can validate each token they receive from your ADFS environment.

The problems that arise here are twofold. First, the token signing and token encryption certificates are self-signed. Self-signed certificates are generated locally on a server and are not issued by a trusted CA. Some federation platforms do not consider tokens signed by a nontrusted (e.g., self-signed) certificate to be valid, even if the signature is cryptographically valid. In these cases, you must either convince the other party to trust your token signing certificate, or use a token signing certificate from a commercial CA.

The second issue is the topic of certificate expiration. Since the parties you have trusts with must keep a copy of your token signing certificate’s public key on hand, they also need a mechanism to update that key when it expires. There is a protocol in place for relying parties to automatically pick up new token signing certificate public keys when they become available, but many federation platforms (and applications) don’t implement this. Consequently, when the certificate expires, the trust relationship will fail and access to the federated application will be impacted.

Since the certificate used for token signing is so important and difficult to change later, we recommend that you obtain a commercially issued token signing certificate that expires as far in the future as possible. It is well worth the added expense of buying a certificate with three (or more) years of validity up front, when you consider the cost of rotating the certificate after a year or two. The subject name on the token signing certificate does not matter at all. We typically append “-signing” to the FQDN used for the service certificate (e.g., sts-signing.cohovines.com). In addition, the CA that you purchase the certificate from must include the Certification Authority Issuer OID in the Authority Information Access (AIA) field of the certificate (see Figure 21-13 for an example). This is an obscure requirement that you’ll need to research with your CA before purchasing the certificate. At the time of publication, we know that DigiCert (mentioned earlier) and Entrust include these fields in their certificates.

Figure 21-13. Certificate details

We’ve mentioned the token encryption certificate but haven’t discussed it thus far. The reason for not discussing it is simple—we don’t recommend that you enable token encryption in any of your trust relationships. The contents of any transaction (including the token) between ADFS and an end user or federated party are already protected via SSL in the browser. When you enable token encryption, the token itself is encrypted using the token encryption certificate. If you need to troubleshoot the interaction between ADFS and another party, token encryption will make it nearly impossible to do so.

Deploying the federation server proxy is extremely easy. Outside of the deployment wizard, it has no real settings to configure. The only steps involved are installing the ADFS server role and choosing “Federation Service Proxy” in the first step (Figure 21-14), and then running the wizard.

Figure 21-14. Add Roles and Features Wizard

As for the federation server role, you’ll need to import a certificate for use with the IIS website that ADFS uses. You can use the DigiCert utility discussed earlier to do this. In fact, you can simply import a copy of the certificate in use on your federation servers: just use the DigiCert utility to export that certificate to a PFX file and then import it on the federation server proxy.

Once you have imported the certificate, launch the Internet Information Services Manager MMC snap-in. Browse to SitesDefault Web Site in the Connections pane on the left. Next, in the Action pane on the right, click Bindings, as shown in Figure 21-15. Click Add, change the Type to “https”, and select your certificate from the SSL certificate drop-down, as shown in Figure 21-16.

Figure 21-15. IIS Manager

Figure 21-16. Add Site Binding dialog

Next, you must configure the hosts file on your federation server proxy to resolve the name of the federation service to your federation server or the load balancer VIP in front of your federation server(s). You can do this by opening the hosts file in %windir%system32driversetc with Notepad from an elevated command prompt.

At the bottom of the file, enter the IP address of your federation server or load balancer VIP, press Tab, and then enter the federation service name (e.g., sts.cohovines.com) on a new line, as shown in Figure 21-17.

Figure 21-17. Editing the hosts file

Once you have completed editing the hosts file, launch the AD FS Federation Server Proxy Configuration Wizard. The wizard will automatically populate your federation service name based on the SSL certificate imported in IIS. Click the Test Connection button shown in Figure 21-18 to ensure that there are no connectivity issues (such as firewalls or name resolution problems) before continuing.

Figure 21-18. The AD FS Federation Server Proxy Configuration Wizard

When you click Next, you will be prompted for administrative credentials to the federation server farm. These are only used to establish the relationship between the proxy and the federation servers. The credentials you enter must have local administrator access to the federation servers. If the credentials are valid, you will be presented with a summary of the steps that will be taken.

Figure 21-19 shows the results of a successful federation proxy server configuration. There are no further steps necessary to complete the initial configuration.

Figure 21-19. Federation proxy configuration results

There are a number of stops that claims pass through on their way to a relying party. For the purpose of this discussion, we’ll assume you are using Active Directory as your sole claims provider. Figure 21-23 shows a diagram of the claims pipeline.

Figure 21-23. The claims pipeline

The claims provider is the where claims enter the pipeline. Claims providers provide claims to ADFS. You use acceptance transform rules to determine what claims from the claims provider are available for consumption by relying party trusts. If you look at the default acceptance transform rules for the Active Directory claims provider trust (Figure 21-24), you’ll notice that the list is quite bare.

Figure 21-24. Acceptance transform rules for Active Directory claims provider trust

Perhaps a bit counterintuitively, all of the attributes of a user aren’t available from the AD claims provider—just some special attributes such as group memberships, SIDs, and authentication info. Specific attributes must be requested from the Active Directory attribute store. We’ll discuss this further shortly.

Once claims have passed through the claims provider’s acceptance transform rules, they are presented to the relying party trust in question. The first step is to make sure that the user is permitted to authenticate to the given relying party. This authorization step happens in the RP’s issuance authorization rules. By default all users are authorized to use an RP, as evidenced by the “Permit Access to All Users” rule shown in Figure 21-25. You can access any of the claims from the claims provider trust, or inject more claims into the pipeline from an attribute store in order to make an authorization decision. ADFS determines whether or not a user is authorized based on the presence of a claim called Permit with a value of true in the pipeline.

Figure 21-25. Issuance authorization rules

Finally, the claims set can be further amended or transformed using the RP trust’s issuance transform rules. The claims that are present at the conclusion of the processing of the issuance transform rules are the claims that are sent to the RP. By default, an RP trust has no issuance transform rules. This effectively means that the RP will receive no claims about the user. Let’s look at how to change this.

There are two key ways you can generate claims to be sent to an RP. The first is via the claims provider trust, and the second is via the RP trust’s issuance transform rules. The advantage of defining your claims set on the claims provider trust is that you can have a central set of claims that are available to all RP trusts. This can reduce the management burden and limit the number of places you need to look when troubleshooting or making global changes.

To edit the claims rules for the Active Directory claims provider trust, browse to AD FSTrust RelationshipsClaims Provider Trusts. Select Active Directory and then click Edit Claim Rules in the task pane on the right. In order to add additional claims in the form of user attributes to the pipeline, click Add Rule.

There are five claims rule templates you can choose from. Here is a brief description of each of these templates:

Now that we’ve discussed the types of rule templates available, let’s make use of them to add a few claims to the pipeline. In the wizard, select the “Send LDAP Attributes as Claims” rule template. Create a rule to send the user’s name and location attributes, as shown in Figure 21-26.

In Figure 21-26, we are sending the user’s first and last name, display name, and city and country attributes as claims. You probably will have noticed by now that the default options in the drop-down lists are missing most attributes. You can simply type in an Active Directory attribute name if you don’t see what you want. If you need to add additional outgoing claim types, you’ll need to create claim descriptions for those attributes. Refer to the sidebar “Creating Claim Descriptions” for more information on how to do this.

Figure 21-26. Send LDAP attributes as claims

Figure 21-27. Add claim description dialog

When you’ve completed the wizard, click Add Rule again. This time, we’ll use the “Send Group Membership as a Claim” template to create a claim for full-time employees. Figure 21-28 shows how you can specify a group and then set the value of a claim if the user is a member of that group.

Figure 21-28. Send a claim based on group membership

Now that we’ve added some claims that will be available to all of our RP trusts, let’s configure the RP trust we created earlier to emit these claims. Find the Federation Demo RP trust in the ADFS management console, and click Edit Claim Rules. On the Issuance Transform Rules tab, click Add Rule.

First, note that the templates that were available earlier when you were editing the claims provider trust claim rules are also available here. If you want, you could perform the same configuration steps we just executed on the RP trust instead. This would have the effect of only making those claims available to this RP. Since we already have the claims we need in the pipeline, we’ll simply pass them through.

Use the “Pass Through or Filter an Incoming Claim” template and configure it to pass through the Given Name claim, as shown in Figure 21-29. Repeat this for each of the other claim types we configured:

Figure 21-29. Passing through the Given Name claim

Once you’re done, your issuance transform rules should look similar to Figure 21-30.

Figure 21-30. Issuance transform rules for RP trust

Figure 21-31 shows the results of the claims rules we just created. The screenshot shows the output from the sample application available at this link. This application simply outputs all of the claims the federation server sends. Once configured, this is a useful tool for testing your ADFS claims rules.

Figure 21-31. Claims sent to demo application

To summarize, in this section we configured our claims provider trust (Active Directory) to add a number of claims to the pipeline for consumption by all of the relying parties in the system. To do this, we first added claim descriptions for each custom claim, and then we used the “Send LDAP Attributes as Claims” template to add attributes of the user to the pipeline and the “Send Group Membership as a Claim” template to add a claim if the user is a member of a particular group. Finally, we added pass-through rules to the issuance transform rules of the RP trust to send the claims to the RP.

When accessing ADFS from outside the corporate network through an ADFS proxy, your users will, by default, log on using the forms-based logon pages. The default experience for these pages is bland and gray. You’ll probably want to work with your Web or Marketing Department to customize these pages to match your corporate brand and be more visually appealing.

Microsoft has a guide for customizing the pages available at microsoft.com. The level of complexity of the modifications you want to make (e.g., changing colors or adding a logo) will dictate whether or not this is a task best given to an ASP.NET developer. All of the files you can customize are located in c:inetpubadfsls on your ADFS servers. Be sure to make a backup copy of the original pages before you begin in case you need to roll back.

If you’d simply like to add a logo, edit the web.config file in c:inetpubadfsls and change the logo setting to the name of a logo file (or just save that file as logo.png). Microsoft recommends that your file be 600 pixels wide and 100 pixels tall for best results.

Attribute stores are used to provide claims from external systems. Out of the box, ADFS supports sourcing attributes from Active Directory, LDAP servers such as AD LDS, and SQL servers. If you need to provide claims from other systems (e.g., an HR system or an Oracle database), you’ll need to develop a custom attribute store to do that.

Developing a custom attribute store requires .NET development skills and is outside the scope of this book. Documentation for getting started is available at microsoft.com. Be sure to test your implementation thoroughly, especially with regard to error handling and performance.

ADFS includes a number of event logs as well as a useful data point called a correlation identifier to assist you in troubleshooting issues. Any time an issue is encountered by a user in the ADFS web application, an error screen similar to Figure 21-33 will pop up. Of particular interest to you as the administrator is the reference number field.

Figure 21-33. Error page with reference number

To review the ADFS logs and correlate them with the reference number shown in Figure 21-33, launch the Event Viewer on your federation server and browse to Applications and Services LogsAD FSAdmin. Next, go to View→Add/Remove Columns. Add the Correlation Id column and reorganize your displayed columns, as shown in Figure 21-34.

Figure 21-34. Add/remove columns from Event Viewer

Note that the reference number shown in Figure 21-33 matches the value in the Correlation Id column for two events. Specifically, the event in Figure 21-35 tells us that there is not a relying party trust configured with the identifier that was sent by the application.

Figure 21-35. Error event with Correlation Id

If the data in the Admin event log isn’t sufficient, you’ll need to enable the trace log for ADFS. To do this, go to View→Show Analytic and Debug Logs. Browse to Applications and Services LogsAD FS TracingDebug and then right-click the Debug log and click Enable Log. Reproduce your error and refresh the view. Figure 21-36 shows a helpful event confirming the diagnosis in Figure 21-35. When you’re done, be sure to right-click the Debug log and click Disable Log.

Figure 21-36. Tracing events in the Debug log

The most important tool for troubleshooting ADFS is a free one called Fiddler. Fiddler is an HTTP proxy that allows you to look at the HTTP traffic in a friendly GUI. If you’ve used Wireshark or Netmon before for network tracing, you can think of Fiddler as an application-layer version of those tools. Get a copy of Fiddler and install it on your workstation. Next, go to this link and install the add-ons for Fiddler that enable you to easily work with HTML, XML, and so forth.

Finally, download the Fiddler federation inspector from this site. This add-on will enable Fiddler to decode WS-Federation and SAML markup. Extract the .zip file and browse to the binDebug folder. Copy Thinktecture.FederationInspector.dll to C:Program Files (x86)Fiddler2Inspectors. or wherever you installed Fiddler on your machine.

In order to look at encrypted ADFS traffic, you’ll need to configure Fiddler to intercept HTTPS traffic. To do this, launch Fiddler and go to Tools→Fiddler Options. On the HTTPS tab, check “Capture HTTPS CONNECTs” and “Decrypt HTTPs traffic.” Next, you will be prompted to generate a certificate for Fiddler to intercept SSL traffic and to configure Windows to trust the certificate, as shown in Figure 21-37. You’ll receive another confirmation to import the certificate and then finally a final confirmation after a User Account Control (UAC) prompt. Answer Yes to all of these prompts.

Figure 21-37. Configuring certificate trust in Fiddler

Once you have completed these steps, browse to a federated application and log in. You’ll see each of the steps in Fiddler that take place, as shown in Figure 21-38.

Figure 21-38. Fiddler trace of access to a federated application

Specifically, in Figure 21-38, the following steps happen (as shown in the “#” column):

Figure 21-39. Fiddler Federation inspector

Figure 21-40. Fiddler Auth inspector

Figure 21-41. Extended Protection settings