AD FS 2.0 Federation with Microsoft Federation Gateway Step-by-Step Guide
Applies To: Active Directory Federation Services (AD FS) 2.0
Overview
You can use your Active Directory® Federation Services (AD FS) 2.0 deployment to provide users in your organization with single-sign-on (SSO) access to online resources through the Microsoft Federation Gateway while the users are logged on with their domain credentials. This guide will walk you through the establishment of a federation trust between an on-premises AD FS 2.0 federation server and the Microsoft Federation Gateway in the cloud.
About AD FS 2.0
You can use AD FS 2.0 with the Windows Server® 2008 or Windows Server 2008 R2 operating system to build a federated identity management solution that extends distributed identification, authentication, and authorization services to Web-based applications across organization and platform boundaries. By deploying AD FS 2.0, you can extend your organization’s existing identity management capabilities to the Internet. You can deploy AD FS 2.0 to:
Provide your employees or customers with a Web-based, SSO experience when they need remote access to internally hosted Web sites or services.
Provide your employees or customers with a Web-based, SSO experience when they access cross-organizational Web sites or services from within the firewalls of your network.
Provide your employees or customers with seamless access to Web-based resources in any federation partner organization on the Internet, without requiring employees or customers to log on more than once.
Retain complete control over your employee or customer identities without using other sign-on providers (Windows Live ID, Liberty Alliance, and others).
For information about how to deploy AD FS 2.0, see the AD FS 2.0 Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=148501).
About Microsoft Federation Gateway
Microsoft Federation Gateway is a new identity service that runs in the cloud—that is, over the Internet and beyond your corporate network domain. The gateway sits between an organization like yours and the services that the organization wants to use, and it acts as a hub for all the connections that the organization wants to make, whether to a developer application that is built on Windows Azure™ or to a Microsoft application that is running in the cloud. Because the gateway connects users and other identities to the services that it works with, an organization has to manage only a single identity-federation relationship to enable its users or other identities to access any and all of the Microsoft and Microsoft-based services that they want to use.
For more information, see Microsoft Federation Gateway (https://go.microsoft.com/fwlink/?LinkID=150843).
Prerequisites
Before you begin to configure AD FS 2.0, you must first acquire the necessary Internet domain name and Secure Sockets Layer (SSL) certificates, verify that you have the necessary Active Directory technologies deployed, and confirm that you have the necessary computers and computer software for setting up and testing a federation server.
Also, determine whether you will evaluate AD FS 2.0 in a test lab environment or deploy it in a production environment. The prerequisites and associated tasks may vary, based on the type of deployment.
After you decide on the type of deployment, review the following table and complete the prerequisite tasks for your deployment.
| Prerequisites | Production deployment | Nonproduction deployment (test lab) |
|---|---|---|
| Internet domain name | No action necessary. Use your organization’s existing Internet domain name. | Purchase and register an Internet domain name through a trusted domain name provider. For example, you can use the Office Live Small Business Web site (https://go.microsoft.com/fwlink/?LinkId=150847). |
| Domain proof certificate | Obtain the X.509 SSL certificate that your organization purchased for your existing Internet domain to prove that you own the domain, and import it onto the federation server. This certificate will be used to create a mutual SSL authentication connection. Therefore, it must be usable for client authentication, in addition to any other intended uses. | Purchase an X.509 SSL certificate through a trusted certificate provider (for example, VeriSign (https://go.microsoft.com/fwlink/?LinkId=150932)), and then import it onto the federation server. For more information about how to import this certificate, see the procedure Import the domain proof certificate onto the federation server later in this guide. |
| Active Directory Domain Services (AD DS) | No action necessary. Use your organization’s existing AD DS infrastructure. | Configure at least one computer running either Windows Server 2008 or Windows Server 2008 R2, and install AD DS. In addition, create at least one user account in the domain that will be used to test that SSO access is working as expected. For more information about how to set up AD DS and create a user, see the AD DS Deployment Guide (https://go.microsoft.com/fwlink/?LinkID=135996). |
After your deployment meets the prerequisite requirements, as specified in this table, complete the following procedures to configure the AD FS 2.0 environment to trust Microsoft Federation Gateway:
Import the domain proof certificate onto the federation server
So that a federation server can successfully authenticate the requests that users in your organization make, you must first import the domain proof certificate (in the .pfx file format) with its private key into the Personal store of the local federation server computer. You can use the following procedure on the federation server to import this certificate. Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To import the domain proof certificate onto the federation server
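As an added example that is not part of this guide, the following PowerShell performs the same import on the federation server from an elevated prompt and checks the two properties the prerequisites table calls out: the .pfx carries its private key, and the certificate is usable for client authentication. The .pfx path is an assumption; adjust it for your server.

```powershell
# Added example (not from the guide): import the domain proof .pfx, with its
# private key, into the local computer's Personal store and verify it before
# the federation server relies on it. Run from an elevated (Administrators) prompt.
$pfxPath     = 'C:\certs\domainproof.pfx'          # assumption: your exported PFX
$pfxPassword = Read-Host -AsSecureString 'Enter the PFX password'

# MachineKeySet stores the key under the local computer rather than the current
# user; PersistKeySet keeps the key on disk after this session ends.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $pfxPath, $pfxPassword, $flags

# Check 1: the PFX must include the private key, or the server cannot
# authenticate the mutual SSL connection with it.
if (-not $cert.HasPrivateKey) {
    throw 'The PFX does not contain a private key; export it again including the private key.'
}

# Check 2: the certificate must be usable for Client Authentication
# (EKU OID 1.3.6.1.5.5.7.3.2). A certificate with no EKU extension (2.5.29.37)
# is valid for all purposes, so only an EKU that omits this OID disqualifies it.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$eku = $cert.Extensions['2.5.29.37']
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
    throw 'Certificate is not enabled for Client Authentication; obtain one that is.'
}

# Check 3: confirm the issuing chain builds on this server (warn only, since a
# missing intermediate CA or blocked revocation lookup is fixable after import).
if (-not $cert.Verify()) {
    Write-Warning 'Certificate chain did not validate on this computer; check the CA chain and revocation access.'
}

# Import into LocalMachine\My (the Personal store of the local computer).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
             -ArgumentList 'My', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)   # no-op if an identical certificate is already present
$store.Close()

'Imported {0} (thumbprint {1}) into LocalMachine\My' -f $cert.Subject, $cert.Thumbprint
```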
Establish a trust relationship with Microsoft Federation Gateway
The Microsoft Federated Identity product team has developed new Federation Utility for Microsoft Federation Gateway software to simplify the process of creating a trust relationship between your organization’s federation server and Microsoft Federation Gateway. Federation Utility for Microsoft Federation Gateway software configures both Microsoft Federation Gateway and your local federation server automatically so that when you complete the configuration you do not have to do anything else. When you use the Federation Utility for Microsoft Federation Gateway software to set up a trust relationship for the first time, the following steps occur in the background:
You can use either of the following procedures to establish the trust with Microsoft Federation Gateway by using the Federation Utility for Microsoft Federation Gateway software. When you complete either of these procedures, you successfully establish a trust relationship with the Microsoft Federation Gateway. Membership in Administrators, or the equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To establish a trust relationship with Microsoft Federation Gateway using the user interface (UI)
To establish a trust relationship with Microsoft Federation Gateway using the command line
Additional resources