Configure AD FS to trust the management portals

Updated: October 2013

Applies To: Windows Azure Pack for Windows Server

The last step in the configuration of Windows Azure Active Directory Federation Services (AD FS) for Windows Azure Pack is to configure AD FS to trust the management portals.

  1. Ensure that the machine that you configure can access the AD FS web service metadata endpoint for the management portal for administrators. To verify access, open a browser and go to https://<AdminPortal_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <AdminPortal_endpoint> is the fully qualified domain name (FQDN) for the management portal for administrators. If you can view the .xml file, you can access the federation metadata endpoint.

  2. Ensure that the machine that you configure can access the AD FS web service metadata endpoint for the management portal for tenants. To verify access, open a browser and go to https://<TenantPortal_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <TenantPortal_endpoint> is the FQDN for the management portal for tenants. If you can view the .xml file, you can access the federation metadata endpoint.

  3. OPTIONAL. If you want to use the ASP.NET Membership Provider as the default Claims Provider for the management portal for tenants in AD FS, ensure that the machine that you configure can access the AD FS web service metadata endpoint for the Tenant Authentication Site. To verify access, open a browser and go to https://<TenantAuth_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <TenantAuth_endpoint> is the FQDN for the Tenant Authentication Site. If you can view the .xml file, you can access the federation metadata endpoint.

  4. Locate the configure-adfs.ps1 configuration script that is installed with Windows Azure Pack in C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Authentication\.

  5. Run the configure-adfs.ps1 script on the machine where AD FS is installed.

    # Locations (host:port) of the tenant portal, admin portal and tenant authentication site.
    $tenantSite = 'tenant-AzurePack.contoso.com:30081'
    $adminSite = 'admin-AzurePack.contoso.com:30091'
    $authSite = 'auth-AzurePack.contoso.com:30071'

    # Note: Use the "allowSelfSignCertificates" switch only in test environments. In production environments, all
    # SSL certificates should be valid.
    # The script path below matches the location given in step 4 (Samples\Authentication\).
    & "C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Authentication\configure-adfs.ps1" `
    -identityProviderMetadataEndpoint "https://$authSite/federationmetadata/2007-06/federationmetadata.xml" `
    -tenantRelyingPartyMetadataEndpoint "https://$tenantSite/federationmetadata/2007-06/federationmetadata.xml" `
    -adminRelyingPartyMetadataEndpoint "https://$adminSite/federationmetadata/2007-06/federationmetadata.xml" `
    -allowSelfSignCertificates


    Replace the values of $tenantSite and $adminSite with the locations of the management portal for tenants and the management portal for administrators. If you want to use the ASP.NET Membership Provider as the default Claims Provider for the management portal for tenants in AD FS, replace the value of $authSite with the location of the Tenant Authentication Site.

    Supply the following parameter information.

    Parameter: -identityProviderMetadataEndpoint
    Required information: OPTIONAL. Endpoint from which to obtain the federation metadata for the Tenant Authentication Site. If you do not want to use the ASP.NET Membership Provider to provide tenant identities, modify the script so that it does not use this parameter, and also remove the Add-AdfsClaimsProviderTrust cmdlet. The script will then set up only the relying party trusts for the management portal for tenants and the management portal for administrators.

    Parameter: -tenantRelyingPartyMetadataEndpoint
    Required information: Endpoint from which to obtain the federation metadata for the management portal for tenants.

    Parameter: -adminRelyingPartyMetadataEndpoint
    Required information: Endpoint from which to obtain the federation metadata for the management portal for administrators.
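The following PowerShell is an added example, not part of the Windows Azure Pack documentation or of configure-adfs.ps1. It automates the checks from steps 1 to 3 on the AD FS machine: each metadata endpoint must be reachable over a TLS connection whose certificate the machine already trusts (so -allowSelfSignCertificates is not needed) and must return parseable federation metadata. The host:port values are constructed placeholders.

```powershell
# Added example: pre-flight check of the federation metadata endpoints before running configure-adfs.ps1.
# Host:port values are constructed placeholders; replace them with your own portal locations.
$sites = [ordered]@{
    'admin portal'                = 'admin-AzurePack.contoso.com:30091'
    'tenant portal'               = 'tenant-AzurePack.contoso.com:30081'
    'tenant auth site (optional)' = 'auth-AzurePack.contoso.com:30071'
}

function Test-FederationMetadata {
    param([string]$Label, [string]$HostAndPort)
    $url = "https://$HostAndPort/FederationMetadata/2007-06/FederationMetadata.xml"
    $result = [pscustomobject]@{ Site = $Label; Url = $url; EntityId = $null; KeyDescriptors = 0; Status = 'FAILED'; Detail = '' }
    try {
        # Deliberately no certificate-validation override: a TLS trust failure here is the same
        # condition that configure-adfs.ps1 only tolerates with -allowSelfSignCertificates.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        [xml]$md = $resp.Content
        if (-not $md.EntityDescriptor) { throw 'Response is not federation metadata (no EntityDescriptor root element)' }
        $result.EntityId = $md.EntityDescriptor.entityID
        # KeyDescriptor elements carry the certificates AD FS will associate with this trust.
        $result.KeyDescriptors = $md.GetElementsByTagName('KeyDescriptor').Count
        $result.Status = 'OK'
    } catch {
        # Typical causes: name resolution or firewall (endpoint unreachable), or an untrusted certificate.
        $result.Detail = $_.Exception.Message
    }
    return $result
}

$report = foreach ($s in $sites.GetEnumerator()) { Test-FederationMetadata -Label $s.Key -HostAndPort $s.Value }
$report | Format-Table Site, Status, EntityId, KeyDescriptors, Detail -AutoSize

# Proceed to configure-adfs.ps1 only when every required (non-optional) endpoint reports OK.
$failedRequired = $report | Where-Object { $_.Status -ne 'OK' -and $_.Site -notlike '*optional*' }
if ($failedRequired) {
    Write-Warning 'A required metadata endpoint failed; fix connectivity or certificates before configuring the trusts.'
}
```

A non-empty Detail column that mentions the SSL/TLS secure channel means the portal certificate is not trusted by the AD FS machine, which should be corrected rather than bypassed in production.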
