
18/07/2015 - How to Build Your ADFS Lab on Server 2012, Part 2: Web SSO - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs

How to Build Your ADFS Lab on Server 2012, Part 2: Web SSO

Tom Moser [MSFT], 23 Dec 2013 1:00 AM

Mark and Tom here again, continuing our series on ADFS. In this post, we'll show you how to use some sample code to configure a web application for Web Single Sign-On (Web SSO) with ADFS.

What's Web SSO?

While Federated Web Single Sign-On (henceforth, SSO) is when two organizations create a federation trust between each other for the purpose of sharing applications while still using their own credentials, most of our customers are setting up ADFS for Web SSO.

Web SSO is when a claims-aware web application, either on-premises or off-premises, is configured to let users log in to the application using their existing Active Directory credentials. Great examples of these are ServiceNow for your help desk, Dynamics CRM Online for CRM, or an Office 365 SharePoint site for collaboration. In a typical Web SSO transaction, the end user navigates directly to the web application; the web application determines that it holds no security token for the user (the user is not yet authenticated) and redirects them to their ADFS server. There, they authenticate using Integrated Windows Authentication or by typing in their credentials. Finally, they are redirected back to the application with a SAML token. The application verifies the SAML token (signature, issuer and audience) and then loads.

The key thing to remember here is that the claims-aware application never communicates with the ADFS server directly. The client's browser handles the responsibility of authenticating against the ADFS server; the browser then receives the SAML token, which it submits to the application. This is the reason Web SSO is described as a passive request (the browser is the "passive requestor" in WS-Federation terms): the browser isn't truly SSO-aware but is still capable of brokering the transaction.

Having a sample claims-aware website that you can install, and that also shows the claims being sent, can immensely help in understanding Web SSO, how to configure the ADFS components, and how to troubleshoot the claims that are being sent. Once you have this solid foundation, onboarding more Web SSO applications for your users should be much easier.

What Do I Need for Web SSO?

The requirements are pretty simple. You need:

An ADFS server. More than one, load balanced and using a SQL back end, for production. But, since this is all about building a lab, one is just fine. For the purposes of this series, it should be on Windows Server 2012 or 2012 R2.
An attribute store. This will be Active Directory, SQL Server, or an LDAP provider. Since 99.9% of you (completely scientific statistic) will likely use Active Directory Domain Services, we'll talk about that. We also won't talk about deploying AD, since you're probably already done with that.
A claims-aware web application that has been configured to point to your security token service. This should be on its own IIS server. We'll point out some sample code, share a sample test application (Disclaimer: we aren't developers), and use Message Analyzer to highlight the authentication flow.

Let's get to it!

The Lab

The forest we'll be using is called corp.milt0r.com. The ADFS service URL is https://sts.milt0r.com. Finally, the test application will live on an IIS server at https://adfstest.corp.milt0r.com. In checklist form, you'll need:


A working Domain Controller
A working ADFS member server. All of our examples refer to ADFS 2.1 on Server 2012, but should apply to 2.0 on 2008 R2 as well, with the exception of the script. (See our previous article to get ADFS set up.)
A working IIS member server, running Windows Server 2012 or Windows Server 2012 R2
A client machine that is joined to your lab domain
The URL of your web application
*Optional* An SSL certificate for your web application from a trusted CA

The Web Application

We started by grabbing some sample code from MSDN. You can find that code here. Then we were shown some much nicer-looking code (thanks, Dave) and used that instead. Since our primary focus in this post is configuring Web SSO from an infrastructure standpoint, we aren't going to cover the code itself. To make it even easier, we included a PowerShell script that will set it all up for you. Both are attached at the bottom of this post. Make sure to read the disclaimer.

Setup Script

The setup script is going to do the following:

Create a self-signed certificate
Configure IIS (app pool, new site, HTTPS binding)
Modify the application's web.config file and federation metadata document to contain your STS URL and application URL

The script requires Windows Server 2012 or 2012 R2. It will not work on Windows Server 2008 R2. Before running it, you'll need to collect some information. Those items are:

The fully qualified domain name of your test app (ex: MyTestApp.corp.contoso.com)
The name of your ADFS server

You will need to manually perform the following:

Register an A record in your DNS zone for the test application
Ensure the PowerShell execution policy on your IIS server is set to RemoteSigned and you've run Unblock-File on the script, or set the policy to Unrestricted

Once you've got that, copy the ZIP file contents up to the IIS server. Unzip the script to a folder, and move the entire deploy folder from the zip file to a location on the system drive. Now, run the script. The parameters are pretty straightforward:

SourcePath: This should be the path to the website code we've provided. In the example, we had copied the site data from the zip file to c:\temp\deploy.
SiteName: This will be the name of the test site in IIS, as well as the application pool.
SitePhysicalPath: The location on disk where the template site will be copied. We used C:\sites\adfstest.
ADFSServer: The hostname/FQDN of your ADFS server (not the friendly name, but the actual hostname).
AppFQDN: The fully qualified domain name of your test application. This will be set as a binding on the site in IIS.

The script will install everything you need, including the necessary features and roles.
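As an added example (this is not the setup script attached to the original post), here is a PowerShell script that carries out the same steps the post lists above, with the same five parameter names. It assumes the sample site's web.config uses the WIF 4.5 system.identityModel.services/wsFederation element and an audienceUris entry, and that the site's federation metadata lives at FederationMetadata\2007-06\FederationMetadata.xml under the site root; both are assumptions about the attached sample, not something the post states.

```powershell
# Added example: mirrors the post's setup-script steps (cert, IIS, web.config,
# federation metadata). web.config/metadata element paths are ASSUMED to match
# the WIF 4.5 sample layout; adjust the XPath if your sample differs.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $SourcePath,        # e.g. C:\temp\deploy
    [Parameter(Mandatory)] [string] $SiteName,          # e.g. adfstest
    [Parameter(Mandatory)] [string] $SitePhysicalPath,  # e.g. C:\sites\adfstest
    [Parameter(Mandatory)] [string] $ADFSServer,        # e.g. sts.milt0r.com
    [Parameter(Mandatory)] [string] $AppFQDN            # e.g. adfstest.corp.milt0r.com
)
$ErrorActionPreference = 'Stop'

# 1. Roles and features: IIS, ASP.NET 4.5 (WIF lives in .NET 4.5) and the
#    management tools that provide the WebAdministration module.
Install-WindowsFeature -Name Web-Server, Web-Asp-Net45 -IncludeManagementTools | Out-Null
Import-Module WebAdministration

# 2. Self-signed certificate for the app FQDN. Lab only: ADFS will refuse to
#    pull metadata over HTTPS from it unless you trust it on the ADFS server.
$cert = New-SelfSignedCertificate -DnsName $AppFQDN -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Copy the site, then create the app pool, the site and its HTTPS binding.
New-Item -ItemType Directory -Path $SitePhysicalPath -Force | Out-Null
Copy-Item -Path (Join-Path $SourcePath '*') -Destination $SitePhysicalPath -Recurse -Force

if (-not (Test-Path "IIS:\AppPools\$SiteName")) { New-WebAppPool -Name $SiteName | Out-Null }
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -PhysicalPath $SitePhysicalPath -ApplicationPool $SiteName `
        -HostHeader $AppFQDN -Port 443 -Ssl | Out-Null
}
# Attach the certificate to port 443. "0.0.0.0!443" is the classic (non-SNI)
# binding, which is fine for a lab IIS box that hosts only this site.
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# 4. Point the app at the STS and set its own realm/audience.
$appUrl    = "https://$AppFQDN/"
$issuerUrl = "https://$ADFSServer/adfs/ls/"

$configPath = Join-Path $SitePhysicalPath 'web.config'
[xml]$config = Get-Content -Path $configPath -Raw
$wsFed = $config.SelectSingleNode('//system.identityModel.services/federationConfiguration/wsFederation')
if (-not $wsFed) { throw "web.config has no wsFederation element at the assumed path: $configPath" }
$wsFed.SetAttribute('issuer', $issuerUrl)
$wsFed.SetAttribute('realm',  $appUrl)
$wsFed.SetAttribute('requireHttps', 'true')   # never accept the token over plain HTTP
$audience = $config.SelectSingleNode('//system.identityModel/identityConfiguration/audienceUris/add')
if (-not $audience) { throw "web.config has no audienceUris/add element at the assumed path: $configPath" }
$audience.SetAttribute('value', $appUrl)      # token audience must equal the RP identifier ADFS issues for
$config.Save($configPath)

# 5. Rewrite the app's federation metadata so the ADFS import picks up the
#    right entityID (RP identifier) and endpoint locations.
$metaPath = Join-Path $SitePhysicalPath 'FederationMetadata\2007-06\FederationMetadata.xml'
[xml]$meta = Get-Content -Path $metaPath -Raw
$meta.DocumentElement.SetAttribute('entityID', $appUrl)
foreach ($node in $meta.SelectNodes('//*[@Location]')) { $node.SetAttribute('Location', $appUrl) }
$meta.Save($metaPath)

Write-Host "Site '$SiteName' is bound to $appUrl and points at STS issuer $issuerUrl"
Write-Host "App certificate thumbprint (trust it on the ADFS server, or import the metadata from a file): $($cert.Thumbprint)"
```

Run it from an elevated PowerShell on the IIS server, for example .\Deploy-ClaimsTestApp.ps1 -SourcePath C:\temp\deploy -SiteName adfstest -SitePhysicalPath C:\sites\adfstest -ADFSServer sts.milt0r.com -AppFQDN adfstest.corp.milt0r.com. The requireHttps attribute is set deliberately: a WS-Federation token arriving over HTTP is readable and replayable by anyone on the path, so the app should refuse it rather than rely on the redirect having used HTTPS.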

Creating the Relying Party Trust


A term you should be very familiar with in ADFS is "Relying Party." But what's a relying party? Who's relying on what? The RP can be a couple of things, so simply saying "Relying Party" is vague. Relying Party can refer to:

Relying Party Application: This is the application or service that relies on the claims for authentication.
Relying Party Trust: The relying party trust is the connection between the relying party application and our ADFS infrastructure. It's what we configure in ADFS to make the whole thing work.

We've already got our relying party application configured, thanks to the script and files above. Next, we'll need to set up the relying party trust between the application and the ADFS server. To set up the trust, you'll need the following information:

The URL of the relying party application's federation metadata document, or the UNC path to the federation metadata document. This will be under the test application's site path.

Open up the ADFS Management console and right-click on "Relying Party Trusts," then "Add Relying Party Trust."

Click Start on the Welcome screen. The next step is where we'll specify the location of the federation metadata document. Here, you should be able to enter the URL of the metadata document. If the certificate you used in the app isn't trusted by the ADFS server and you use the "Import data about the relying party published online or on a local network" option, it will fail, because ADFS validates the HTTPS certificate when it downloads the metadata. So, if you used our handy script above, you can either 1) trust the self-signed SSL cert on the ADFS server, or 2) use the 2nd option, "Import data about the relying party from a file."

If you had to use the 2nd option, it should look something like this:


Notice that we had to use the UNC path to the file, instead of the URL. If the federation metadata isn't published or available, this is also a valid way to configure the relying party trust.

Click Next. On the following screen, enter a descriptive name for the application, as well as any notes on why this particular relying party trust exists (process owner, app owner, related processes, etc.).

Click Next. On the Choose Issuance Authorization Rules screen, make sure "Permit all users to access this relying party" is selected. If you didn't want all users to have access, you could deny all by default, then go back and add "Allow" rules afterwards. We'll cover that later.

On the Ready to Add Trust screen, review the settings and click Next. Finally, click Close. Congratulations, you've configured the relying party trust! Now let's test!

Caveat: If your STS is in a DNS domain that is NOT the same as your machine's, for example the STS URL in this post is sts.milt0r.com but the client workstation is in corp.milt0r.com, you'll need to add sts.milt0r.com to your Local intranet zone in IE to permit Windows Authentication (IE only sends Negotiate/Kerberos credentials automatically to intranet-zone sites). To do that, in IE go to Internet Options > Security tab > Local intranet > click the Sites button > Advanced. There, add your STS URL (i.e., https://sts.milt0r.com) to the list. Click OK.

On your client machine, navigate to your application URL. You should see something like this:


You might end up with a certificate error if you didn't trust the certificate. But if you see this screen, you've successfully configured Web Single Sign-On between your application and ADFS. The box that says "Issued Identity" is where you'll see any configured claims. We'll cover that more in the next post in this series.

Under the Hood

Now, let's take a look at what the authentication flow looks like in Message Analyzer.

First, we ran klist purge on the client machine and opened an InPrivate browser session, just to make sure we didn't reuse any old tickets or cookies. Using Message Analyzer's web proxy and NDIS providers, we're able to view the unencrypted traffic as captured on the client. Navigating to the application URL, the conversation looks like the image below.

1) The browser connects to the web application. Since we're using passive claims, the web app sends a 302 redirect to the browser, pointing it to the ADFS service (Frame 114).

If we dig into the frame details, we can pull out the entire redirect URL:

2) In the next frames, we can see the browser connect to the ADFS service and receive a 401 challenge.

3) Having purged our Kerberos tickets, we see the full AS/TGS exchange. In frames 262-275, we see the authentication service requests and replies. In 284 and 288, we see the ticket-granting service request for our STS, http/sts.milt0r.com. We've authenticated and received a Kerberos service ticket.


4) We present the service ticket to the STS and are authenticated. The ADFS service processes our request and, assuming the relying party trust is in place, decides whether or not to issue any claims (the issuance authorization rules) and what those claims should be (the issuance transform rules). The security token is packaged up and returned in the HTTP reply.

5) Finally, the browser provides the SAML token to the relying party application, as an auto-submitted form POST carrying the token in the wresult field. Based on the contents of the token, the user may or may not be authorized. In our test app, we get a reply back from the server that contains all of the claims in our token.

WrapUp

We hope this post takes you one step further in the process of getting your ADFS lab built and configured. At this point in the series, you've built an ADFS server, installed a test application on the IIS server, and configured a relying party trust between the test application and the ADFS service. In the next few posts in the series we'll cover federating between two organizations, claim rules, and more. Stay tuned!

A huge thanks to Dave Gregory for providing the much-nicer-than-we-built ClaimsWeb application and some invaluable feedback.

Tom Moser & Mark Morowczynski

@milt0r / @markmorow
