Enabling Active Directory Federation Services in IAG SP2

Applies To: Intelligent Application Gateway (IAG)

Active Directory Federation Services (ADFS) is a feature introduced in Windows Server 2003 R2. ADFS provides Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights, or "claims," across security and enterprise boundaries.

When an organization uses the Active Directory directory service, it currently experiences the benefit of single sign-on functionality through Windows-integrated authentication within the organization's security or enterprise boundaries. ADFS extends this functionality to Internet-facing applications, which enables customers, partners, and suppliers to have a similar, streamlined, Web single sign-on user experience when they access the organization’s Web-based applications. Furthermore, federation servers can be deployed in multiple organizations to facilitate business-to-business (B2B) federated transactions between partner organizations.

For example, ADFS enables employees in company A to be identified by resources in company B for the purpose of getting authorization to perform actions on resources in company B. Enabling ADFS in IAG allows federated users to access both the IAG site and the applications published through it by using ADFS passive-model authentication. To use ADFS with IAG, the following topology is required:

  • The IAG server must be a domain member, even when IAG is installed in a perimeter network. This is required by the ADFS Web agent that must be installed on the IAG server.

  • An Active Directory® repository must be used for authentication.

  • ADFS-enabled applications can only be published using HTTPS trunks.

Before configuring applications to use ADFS, create an IAG portal trunk that publishes the applications for which you want to allow ADFS access, and ensure that client endpoint access to the applications is working as expected. This trunk should be configured to use Active Directory authentication. Then configure ADFS with IAG as follows:

  1. Create an Active Directory group that contains users allowed to access ADFS applications.

  2. Ensure that you have an ADFS server installed, and add the IAG portal as a Windows NT token-based application in ADFS.

  3. Add ADFS functionality to the IAG portal that publishes the applications to which you want to enable ADFS access.

  4. Configure an IAG trunk to act as a proxy for the ADFS server. IAG publishes the ADFS server and protects it by inspecting ADFS traffic flowing through IAG to the ADFS server.

  5. On the IAG server, install the ADFS Web agent as a Windows component.

  6. On the IAG server, configure IIS to support federation.

  7. Run the ADFS configuration tool.

To test the configuration, create an entry in the hosts file to resolve the IP address and name of the ADFS server. Verify that members of the Active Directory group can log on to the IAG portal. After verifying that access is working as expected, you can then optionally set up authorization to allow access to specific applications only to the Active Directory group you created. After configuring authorization, verify that client endpoint access is working as expected.

Creating an Active Directory group for ADFS users

Create an Active Directory group as follows:

To create an Active Directory group

  1. In the Active Directory Users and Computers console, right-click Users, point to New, and then click Group.

  2. Specify a name for the ADFS user group. Set the Group scope to Global and the Group type to Security. Then click OK.

  3. In the console, right-click the group you created, and then click Properties.

  4. Click Add, and add the users to whom you want to grant ADFS access in the portal to the group.

  5. Close the Active Directory Users and Computers console.

Installing and configuring the ADFS server

For information about installing an ADFS server, see Checklist: Installing a federation server at Microsoft TechNet. Note the following:

Enabling a portal trunk for ADFS

The portal trunk should be configured to authenticate using the Active Directory server that contains the group account to which you want to allow access to ADFS applications. The user does not authenticate to IAG but to ADFS. After authentication, IAG retrieves the user/group identity from the NT token issued by the ADFS Web agent. Note that even when the published application uses a claims-aware authentication method, IAG should still use the NT token. The retrieved user/group is set as the IAG session's "lead user", and if application authorization is enabled it is applied accordingly. The trunk login pages should be configured to ADFS/login.asp. Configure the portal trunk as follows:

To configure the portal trunk

  1. In the IAG Configuration console, select the required portal trunk.

  2. Next to Advanced Trunk Configuration, click Configure. Then click the Authentication tab.

  3. In Select Authentication Servers, click Add.

  4. In Type, select Active Directory. In Name, specify "ADFS", and specify the server name or IP address of the Active Directory server. Specify an administrator password for the ADFS server if one is required.

  5. In Select Authentication Servers, select AD, and then click Remove.

  6. In the Authentication tab, perform the following steps, and then click OK:

    In the Login Page box, type ADFS/login.asp.

    In the On-the-Fly Login Page box, type ADFS/login.asp.

    In the Logoff URL box, type /InternalSite/ADFS/LogoffMsg.asp.

    In the Logoff Message box, type /InternalSite/ADFS/LogoffMsg.asp.

    Clear the Enable Users to Add Credentials On-the-Fly check box.

    Clear the Enable Users to Manage Their Credentials check box.

  7. Close the Advanced Trunk Configuration dialog box.

  8. On the portal properties page, double-click Whale Portal in the Applications list. This is a default application.

  9. On the Application Properties dialog box, click the Web Servers tab, and then in the HTTPS Ports box, enter Auto.

  10. On the Application Properties dialog box, click the Portal Links tab, and then in the Application URL box, change the URL from HTTP to HTTPS.

  11. Click OK. You are prompted to confirm this action. Click OK again.

  12. Repeat for all applications you want to enable for ADFS.

Configuring an ADFS proxy replacement trunk

IAG acts as a proxy to publish ADFS, and inspects traffic going to the ADFS server. Create a trunk for access to the Federation Server. The external IP address of the trunk is the Federation Service Proxy (FSP) address of each published application. The trunk should be configured manually to work without authentication. Note that internal users should not make requests through the IAG server, but directly to the Federation Server. IAG also handles internal to external name translation, protecting the identity of the ADFS server. Create the trunk as follows:

To create a proxy trunk

  1. In the IAG Configuration console, in the List section, right-click HTTPS Connections, and then select New Trunk.

  2. Complete the Create New Trunk Wizard. For details, click Help.

  3. On the Select Trunk Type page, select Webmail Trunk, and then click Next.

  4. On the Webmail Application page, select the AD Federation Server check box, and then click Next.

  5. On the Setting the Trunk page, enter the parameters as required, and then click Next.

  6. On the Authentication page, select the AD server (ADFS) that you created in the portal trunk configuration, and then click Next.

  7. On the Certificate page, in the Server Certificate drop-down list, select a certificate, and then click Next.

  8. On the Application Server page, in the IP Address box, type the IP address of the federation server.

  9. In the HTTP Port box, type the federation server listener port (the default is 443), and then select the Is SSL check box.

  10. Complete the remaining wizard pages, and then click Finish. The new trunk that you created appears in the List section, and the Configuration section displays the trunk’s parameters.

  11. In the Configuration section, next to Advanced Trunk Configuration, click Configure.

  12. On the Authentication tab, clear the Authenticate User on Session Login check box.

  13. On the Server Name Translation tab, in Virtual Web Server, specify the external name of the federation server. In Application Server, specify the internal server name. If you use an external host name that is not the internal server name, ensure that the external name can be resolved in DNS.

  14. On the toolbar of the IAG Configuration console, click Activate configuration. In the Activate Configuration dialog box, click Activate.

Installing the Web agent

Install the ADFS Web agent as follows:

To install the ADFS Web agent

  1. On the IAG Server, open Add/Remove Windows Components in the Control Panel.

  2. Select Active Directory Services, and then click Details.

  3. Select Active Directory Federation Services (ADFS) and then click Details.

  4. Select the ADFS Web Agents check box, and then run the wizard to add the component. During component Setup you are prompted for .dll files; these are in the Windows\Cmpnents\R2 folder.

  5. Ensure that the ADFS Web agent can communicate with the ADFS server.

Running the ADFS configuration script

The purpose of the ADFS configuration script is to prepare IAG to work with ADFS. The script also prepares a configuration file used when publishing ADFS-enabled applications. The script must be rerun each time you publish an ADFS-enabled application. IAG SP2 provides some enhancements to the script. Run the script as follows:

To run the ADFS configuration script

  1. Open the folder: \Whale-Com\e-Gap\Utils\ADFS.

  2. In the ADFS folder, double-click ADFSConfTool.vbs to run the tool.

  3. After the script runs, you are prompted to enter the external IP address of the ADFS portal trunk and a port number. Ensure that the process completes successfully.

  4. On the toolbar of the IAG Configuration console, click the Activate configuration icon. In the Activate Configuration window, select Apply changes made to external configuration settings check box, and then click Activate.

Configuring IIS to support federation

The certificate used to create the HTTPS connection must be configured on the default IIS Web site. If it is not, the ADFS configuration script will not succeed. Apply a certificate on the default Web site as follows:

To configure the server certificate in IIS

  1. On the IAG server, click Start, and then click Run.

  2. On the Run dialog box, in the Open box, type inetmgr, and then click OK.

  3. In the IIS Manager program, in the navigation tree, under Web Sites, right-click Default Web Site, and then click Properties.

  4. On the Properties dialog box, click the Directory Security tab.

  5. On the Directory Security tab, in the Server Communication section, click Server Certificate.

  6. Follow the instructions in the Web Server Certificate Wizard.

Note

Use the same server certificate that you used when you created the portal trunk.

Configure IIS to support ADFS as follows:

To configure IIS and the ADFS Web Agent

  1. On the IAG server, click Start, and then click Run.

  2. On the Run dialog box, in the Open box, type inetmgr, and then click OK.

  3. In the navigation tree, double-click the computer, right-click Web Sites, and then click Properties.

  4. On the ADFS Web Agent tab, in the Federation Service URL field, type the following: https://<Federation-server_URL>/adfs/fs/federationserverservice.asmx. Then click OK.

Note

If the ADFS Web Agent tab is not present, close the IIS snap-in, and then start the snap-in again.

  5. Double-click Web Sites and then right-click Default Web Site. Click InternalSite, click ADFS, and then click Properties.

  6. On the ADFS Web Agent tab, select the Enable Active Directory Federation Services Web Agent check box. In the Cookie Path field, type /. Ensure that the Cookie Domain field is empty. In the Return URL field, type: https://<IAG_External_URL>/. Then click OK.

Note

The value in Return URL on this property page must precisely match the Application URL value that you specify when you set up the application on the Federation Server.
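The following is an added consistency check, not part of this article or of the IAG product, covering the values entered above: the HTTPS-only requirement for ADFS-enabled applications, the Web agent settings (Cookie Path, Cookie Domain, Federation Service URL) and the exact-match rule for Return URL versus the Application URL on the Federation Server. The CONFIG field names and host names are constructed for illustration; one value is deliberately wrong to show what gets reported.

```python
from urllib.parse import urlsplit

# Constructed sample of the values entered in the procedures above.
# The Return URL deliberately lacks the trailing slash present in the
# Application URL on the Federation Server, and one application is
# still published over HTTP, so the checker reports both.
CONFIG = {
    "federation_service_url": "https://fs.example.com/adfs/fs/federationserverservice.asmx",
    "web_agent": {"cookie_path": "/", "cookie_domain": "",
                  "return_url": "https://iag.example.com"},
    "federation_server_application_url": "https://iag.example.com/",
    "published_applications": {"Whale Portal": "https://iag.example.com/",
                               "Intranet": "http://intranet.example.com/"},
}

FS_SERVICE_PATH = "/adfs/fs/federationserverservice.asmx"


def check_adfs_publishing(cfg):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    fs = urlsplit(cfg["federation_service_url"])
    if fs.scheme != "https" or fs.path.lower() != FS_SERVICE_PATH:
        findings.append("Federation Service URL must use https and end with " + FS_SERVICE_PATH)
    agent = cfg["web_agent"]
    if agent["cookie_path"] != "/":
        findings.append("Web agent Cookie Path must be /")
    if agent["cookie_domain"]:
        findings.append("Web agent Cookie Domain must be empty")
    # The page requires a precise match, so compare the strings exactly.
    if agent["return_url"] != cfg["federation_server_application_url"]:
        findings.append("Return URL %r does not exactly match the Application URL %r on the Federation Server"
                        % (agent["return_url"], cfg["federation_server_application_url"]))
    for name, url in cfg["published_applications"].items():
        scheme = urlsplit(url).scheme
        if scheme != "https":
            findings.append("Application %r is published over %s; ADFS-enabled applications require HTTPS"
                            % (name, scheme))
    return findings


if __name__ == "__main__":
    for finding in check_adfs_publishing(CONFIG):
        print("FINDING:", finding)
```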