AD FS 2.0 Federation with Microsoft Federation Gateway Step-by-Step Guide

Applies To: Active Directory Federation Services (AD FS) 2.0

Overview

You can use your Active Directory® Federation Services (AD FS) 2.0 deployment to provide users in your organization with single-sign-on (SSO) access to online resources through the Microsoft Federation Gateway while the users are logged on with their domain credentials. This guide will walk you through the establishment of a federation trust between an on-premises AD FS 2.0 federation server and the Microsoft Federation Gateway in the cloud.

About AD FS 2.0

You can use AD FS 2.0 with the Windows Server® 2008 or Windows Server 2008 R2 operating system to build a federated identity management solution that extends distributed identification, authentication, and authorization services to Web-based applications across organization and platform boundaries. By deploying AD FS 2.0, you can extend your organization’s existing identity management capabilities to the Internet. You can deploy AD FS 2.0 to:

  • Provide your employees or customers with a Web-based, SSO experience when they need remote access to internally hosted Web sites or services.

  • Provide your employees or customers with a Web-based, SSO experience when they access cross-organizational Web sites or services from within the firewalls of your network.

  • Provide your employees or customers with seamless access to Web-based resources in any federation partner organization on the Internet, without requiring employees or customers to log on more than once.

  • Retain complete control over your employee or customer identities without using other sign-on providers (Windows Live ID, Liberty Alliance, and others).

For information about how to deploy AD FS 2.0, see the AD FS 2.0 Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=148501).

About Microsoft Federation Gateway

Microsoft Federation Gateway is a new identity service that runs in the cloud—that is, over the Internet and beyond your corporate network domain. This gateway service sits between an organization or business like yours and the services that the organization wants to use. The gateway acts as a hub for all the connections that the organization wants to make, whether to a developer application that is built on Windows Azure™ or to a Microsoft application that is running in the cloud. This gateway acts as a hub for connecting users and other identities to the services that it works with, so that an organization has to manage only a single identity-federation relationship to enable its users or other identities to access any and all of the Microsoft and Microsoft-based services that they want to use.

For more information, see Microsoft Federation Gateway (https://go.microsoft.com/fwlink/?LinkID=150843).

Prerequisites

Before you begin to configure AD FS 2.0, you must first acquire the necessary Internet domain name and Secure Sockets Layer (SSL) certificates, verify that you have the necessary Active Directory technologies deployed, and confirm that you have the necessary computers and computer software for setting up and testing a federation server.

Also, determine whether you will evaluate AD FS 2.0 in a test lab environment or deploy it in a production environment. The prerequisites and associated tasks may vary, based on the type of deployment.

After you decide on the type of deployment, review the following prerequisites and complete the tasks for your deployment type (production deployment or nonproduction deployment in a test lab).

Prerequisite: Internet domain name

  • Production deployment: No action necessary. Use your organization’s existing Internet domain name.

  • Nonproduction deployment (test lab): Purchase and register an Internet domain name through a trusted domain name provider. For example, you can use the Office Live Small Business Web site (https://go.microsoft.com/fwlink/?LinkId=150847).

Prerequisite: Domain proof certificate

  • Production deployment: Obtain the X.509 SSL certificate that your organization purchased for your existing Internet domain to prove that you own the domain, and import it onto the federation server. This certificate will be used to create a mutual SSL authentication connection. Therefore, it must be usable for client authentication, in addition to any other intended uses.

  • Nonproduction deployment (test lab): Purchase an X.509 SSL certificate through a trusted certificate provider (for example, VeriSign (https://go.microsoft.com/fwlink/?LinkId=150932)), and then import it onto the federation server.

  For more information about how to import this certificate, see the procedure Import the domain proof certificate onto the federation server later in this guide.

Prerequisite: Active Directory Domain Services (AD DS)

  • Production deployment: No action necessary. Use your organization’s existing AD DS infrastructure.

  • Nonproduction deployment (test lab): Configure at least one computer running either Windows Server 2008 or Windows Server 2008 R2, and install AD DS. In addition, create at least one user account in the domain that will be used to test that SSO access is working as expected. For more information about how to set up AD DS and create a user, see the AD DS Deployment Guide (https://go.microsoft.com/fwlink/?LinkID=135996).

    > [!NOTE]
    > Make sure that the Active Directory domain name that you use to create the domain has the same Domain Name System (DNS) name as the DNS name that you used when you purchased the Internet domain name.

Prerequisite: Windows Server 2008 or Windows Server 2008 R2

  • Production and nonproduction deployments: Configure at least one computer to run Windows Server 2008 or Windows Server 2008 R2. For more information about the requirements for a server running the AD FS 2.0 software, see Appendix A: Reviewing AD FS 2.0 Requirements (https://go.microsoft.com/fwlink/?LinkId=192810) in the AD FS 2.0 Design Guide.

Prerequisite: AD FS 2.0 software

  • Production and nonproduction deployments: Download (https://go.microsoft.com/fwlink/?linkid=151338) and install the AD FS 2.0 software on the Windows Server 2008 or Windows Server 2008 R2 computer. For more information about how to do this, see Install the AD FS 2.0 Software (https://go.microsoft.com/fwlink/?LinkId=192792) in the AD FS 2.0 Deployment Guide. After you install this software, use the AD FS 2.0 Federation Server Configuration Wizard to configure the same computer. For more information, see Checklist: Setting Up a Federation Server (https://go.microsoft.com/fwlink/?LinkId=182177) in the AD FS 2.0 Deployment Guide.

Prerequisite: Federation Utility for Microsoft Federation Gateway software

  • Production and nonproduction deployments: Download the x86 version of the tool (https://go.microsoft.com/fwlink/?LinkId=191757) or the x64 version of the tool (https://go.microsoft.com/fwlink/?LinkId=191852) and install the Federation Utility for Microsoft Federation Gateway software on a federation server. This prerelease software is required for the creation of the trust relationship between your organization’s federation server and Microsoft Federation Gateway. For more information about how to install this software, see the procedure Establish a trust relationship with Microsoft Federation Gateway later in this guide.

    > [!NOTE]
    > The name of this tool has changed from Microsoft Online Services Federation Utility Technology Preview to Federation Utility for Microsoft Federation Gateway. Therefore, this guide uses the new name throughout. However, the functionality of this tool is not changing; only the name of the tool is changing. Therefore, if the version of the tool that you download uses the old name, it will function without any issues.

After your deployment meets the prerequisite requirements listed above, complete the following procedures to configure the AD FS 2.0 environment to trust Microsoft Federation Gateway:

  1. Import the domain proof certificate onto the federation server

  2. Establish a trust relationship with Microsoft Federation Gateway

Import the domain proof certificate onto the federation server

So that a federation server can successfully authenticate the requests that users in your organization make, you must first import the domain proof certificate (in the .pfx file format) with its private key into the Personal Store of the local federation server computer. You can use the following procedure on the federation server to import this certificate.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To import the domain proof certificate onto the federation server

  1. Click Start, click Run, type mmc, and then click OK. In the empty console, click File, and then click Add/Remove Snap-in.

  2. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

  3. In the Certificates snap-in dialog box, click Computer account, click Next, click Finish, and then click OK.

  4. In the open console, double-click Certificates (Local Computer), and then double-click Personal.

  5. Right-click Certificates, click All Tasks, and then click Import.

  6. On the Welcome to the Certificate Import Wizard page, click Next.

  7. On the File to Import page, type the path location to the client authentication certificate, and then click Next.

  8. On the Password page, type the password that is associated with this certificate, and then click Next.

  9. On the Certificate Store page, select Place all certificates in the following store and verify that it is pointed to the Personal store, and then click Next.

  10. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
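The following Windows PowerShell script is an added example, not part of this guide or the Federation Utility; it verifies that the imported domain proof certificate meets the requirements stated earlier (private key present, usable for client authentication, and chained to a trusted root). It assumes the certificate was imported into the local computer Personal store and that `$DomainName` (a placeholder value below) is set to your own Internet domain name.

```powershell
# Added verification script (not part of the original guide). Assumes the domain
# proof certificate was imported into Cert:\LocalMachine\My (the Personal store).
$DomainName = "sales.contoso.com"   # placeholder: replace with your own Internet domain name

# OID of the Client Authentication enhanced key usage (id-kp-clientAuth).
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"

$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match ("CN=" + [regex]::Escape($DomainName)) }

if (-not $candidates) {
    Write-Warning "No certificate with CN=$DomainName found in the local computer Personal store."
    return
}

foreach ($cert in $candidates) {
    Write-Host ("Thumbprint : " + $cert.Thumbprint)
    Write-Host ("Subject    : " + $cert.Subject)
    Write-Host ("Expires    : " + $cert.NotAfter)

    # The .pfx import must have carried the private key; without it mutual SSL cannot work.
    Write-Host ("Private key present          : " + $cert.HasPrivateKey)

    # If an Enhanced Key Usage extension is present it must list Client Authentication.
    # A certificate with no EKU extension is unrestricted and therefore also acceptable.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        Write-Host ("Client Authentication EKU    : " + $hasClientAuth)
    } else {
        Write-Host "Client Authentication EKU    : (no EKU extension; all usages permitted)"
    }

    # Confirm that this server can build a chain from the certificate to a trusted root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    Write-Host ("Chain builds to trusted root : " + $chainOk)
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { Write-Host ("  " + $_.StatusInformation.Trim()) }
    }
    Write-Host ""
}
```

If more than one certificate matches, use the thumbprint shown to pick the one you select in the Federation Utility's Proof Certificate list.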

Establish a trust relationship with Microsoft Federation Gateway

The Microsoft Federated Identity product team has developed new Federation Utility for Microsoft Federation Gateway software to simplify the process of creating a trust relationship between your organization’s federation server and Microsoft Federation Gateway. Federation Utility for Microsoft Federation Gateway software configures both Microsoft Federation Gateway and your local federation server automatically so that when you complete the configuration you do not have to do anything else. When you use the Federation Utility for Microsoft Federation Gateway software to set up a trust relationship for the first time, the following steps occur in the background:

  1. A federation namespace is reserved for your Internet domain name in Microsoft Federation Gateway.

  2. A Simple Object Access Protocol (SOAP) request is created. For more information, see Quick Start for the Microsoft Federation Gateway (https://go.microsoft.com/fwlink/?LinkId=150848).

  3. The SOAP message is sent to the Microsoft Federation Gateway endpoint URL (https://ppsanamespace.service.passport-int.net/pksecure/ProvisionTrustPK.srf for a test lab environment and https://ppsanamespace.service.passport.net/pksecure/ProvisionTrustPK.srf for a production environment).

  4. A trust is established between your federation server and Microsoft Federation Gateway, which enables the federation server to issue tokens to Microsoft Federation Gateway. This trust is established on the federation server through the importation of federation metadata (also referred to as Security Assertion Markup Language (SAML) metadata) from the Microsoft Federation Gateway Uniform Resource Identifier (URI) (https://nexus.passport-int.com/federationmetadata/2007-06/federationmetadata.xml, for a test lab environment, and https://nexus.passport.com/federationmetadata/2007-06/federationmetadata.xml, for a production environment). That metadata information is used to automatically construct a relying party object for that relationship in the policy of your federation server.

  5. Lastly, the software generates the relevant claim rules on the federation server that are necessary for sourcing and emitting the appropriate claim types with the Microsoft Federation Gateway.

You can use either of the following procedures to establish the trust with Microsoft Federation Gateway by using the Federation Utility for Microsoft Federation Gateway software. When you complete either of these procedures, you successfully establish a trust relationship with the Microsoft Federation Gateway.

Membership in Administrators, or the equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To establish a trust relationship with Microsoft Federation Gateway using the user interface (UI)

  1. After the Federation Utility for Microsoft Federation Gateway software is installed on your federation server, start the software: click Start, click All Programs, click Federation Utility for Microsoft Federation Gateway, and then click Federation Utility for MFG.

  2. Click the Local STS tab. In Proof Certificate, select the domain proof certificate for your Internet domain name (for example, CN=sales.contoso.com, OU=Sales, O=Marketing, L=Seattle, S=WA, C=US), and then click the Windows Live tab.

  3. On the Windows Live tab, do one of the following, and then click Connect:

    • If you are establishing this trust in a test lab environment, select Microsoft Federation Gateway – Int environment.

    • If you are establishing this trust for a production environment, select Microsoft Federation Gateway.

  4. Click the Federation Trust tab, and then click the Establish Trust button. If the Federation Trust tab turns green, the trust was established successfully.

To establish a trust relationship with Microsoft Federation Gateway using the command line

  1. Open a command prompt window, and navigate to the path where the tool is installed. By default, the software is installed at C:\Program Files\Microsoft\Federation Utility for Microsoft Federation Gateway\.

  2. Type FedUtilMFG.exe /help to learn more about how you can use the command-line version of this tool to set up the trust. For example, to update a trust with the local federation server, use the following command:

    FedUtilMFG.exe /UpdateOrEstablish /UpdateSTS 1 /DomainProofCert 123XYZ /UserIdSource objectGuid
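After either procedure completes, you can confirm what the Federation Utility created on the federation server (the relying party trust imported from the Microsoft Federation Gateway metadata URI and the generated claim rules described in steps 4 and 5 above). The following Windows PowerShell script is an added example, not part of this guide or the Federation Utility; it assumes the AD FS 2.0 PowerShell snap-in is available on the federation server and uses the two metadata URIs listed earlier in this guide.

```powershell
# Added verification script (not part of the original guide or the Federation Utility).
# Run on the federation server after the trust has been established.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Federation metadata URIs named in this guide for the two environments.
$ExpectedMetadata = @(
    "https://nexus.passport-int.com/federationmetadata/2007-06/federationmetadata.xml",  # test lab
    "https://nexus.passport.com/federationmetadata/2007-06/federationmetadata.xml"       # production
)

# Locate the relying party trust whose metadata was imported from a Microsoft Federation Gateway URI.
$mfgTrusts = Get-ADFSRelyingPartyTrust | Where-Object {
    $_.MetadataUrl -and ($ExpectedMetadata -contains $_.MetadataUrl.AbsoluteUri) }

if (-not $mfgTrusts) {
    Write-Warning "No relying party trust sourced from a Microsoft Federation Gateway metadata URI was found."
    Get-ADFSRelyingPartyTrust | ForEach-Object {
        Write-Host ("Other trust: " + $_.Name + " <- " + $_.MetadataUrl) }
    return
}

foreach ($rp in $mfgTrusts) {
    Write-Host ("Relying party      : " + $rp.Name)
    Write-Host ("Identifiers        : " + ($rp.Identifier -join ", "))
    Write-Host ("Metadata URI       : " + $rp.MetadataUrl.AbsoluteUri)
    Write-Host ("Enabled            : " + $rp.Enabled)
    # Metadata monitoring and auto-update keep the gateway's certificates current when they roll over.
    Write-Host ("Metadata monitored : " + $rp.MonitoringEnabled + " (auto-update: " + $rp.AutoUpdateEnabled + ")")
    Write-Host ("Last monitored     : " + $rp.LastMonitoredTime)

    # The issuance transform rules are what the utility generated; check which directory
    # attribute they source as the user identifier (objectGuid in the command-line example above).
    $rules = $rp.IssuanceTransformRules
    Write-Host ("Rules reference objectGuid : " + ($rules -match "objectGuid"))
    Write-Host "---- Issuance transform rules ----"
    Write-Host $rules
    Write-Host "---- Issuance authorization rules ----"
    Write-Host $rp.IssuanceAuthorizationRules
    Write-Host ""
}
```

A trust whose metadata URI is not one of the two listed, or whose monitoring is disabled, is worth investigating before you rely on it for production sign-on.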