Rough Guide to ADFS Setup
So you want to ADFS? My condolences. Perhaps this crib sheet will help you. It was produced using Windows 2012 Server + ADFS 2.1 and should be largely relevant for later versions, too.
Start by booting an instance of Windows Server 2012 Core in your favorite cloud provider; ensure that RDP port 3389 and TLS port 443 are both open on the server.
Once the server is available, recover the initial Administrator password and RDP into it.
Create a Windows Domain
- Open Server Manager and add the role `Active Directory Domain Services`.
- Keep hitting `Next` and accept all default selections.
- Monitor the installation using the little flag icon in the toolbar. A reboot may be required.
- Quit and restart Server Manager. `AD DS` is now in the nav bar; click it.
- Click the `More...` link under the `Configuration required` message.
- On the resulting popup:
  a. `Promote this server to a domain controller`
  b. `Add a new forest`
  c. Choose a unique (not necessarily real) root domain name, e.g. `domain.example.com`
  d. Choose a Restore Mode password
  e. Choose defaults for everything else; hit `Install`
- Wait for the install to finish and the inevitable reboot to happen.
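The same domain-creation steps as a PowerShell script, added here as an example; it is not part of the original guide. It runs from an elevated prompt on the fresh server, and the domain name and NetBIOS name are placeholders you would replace with your own.

```powershell
# Added example (not from the original guide): the "Create a Windows Domain"
# steps as PowerShell, run from an elevated prompt on the fresh server.
$DomainName  = 'domain.example.com'   # placeholder root domain, as in the guide
$NetbiosName = 'DOMAIN'               # placeholder NetBIOS name (15 chars max)

# 1. Add the AD DS role plus its management tools (the Server Manager step).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Promote the server to a domain controller in a new forest. The prompt
#    is the Directory Services Restore Mode (DSRM) password; it is read as a
#    SecureString rather than hard-coded in the script.
$dsrm = Read-Host -Prompt 'DSRM (Restore Mode) password' -AsSecureString
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns `
    -Force   # skips the confirmation prompt; the server reboots when done

# 3. After the reboot, confirm the promotion took. This is the scripted
#    equivalent of seeing "AD DS" appear in the Server Manager nav bar.
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
Get-Service NTDS, DNS, ADWS | Select-Object Name, Status
```

The final two checks are worth keeping around: if `NTDS` or `ADWS` is not running after the reboot, the ADFS installation later in the guide will not be able to talk to the directory.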
Buy or create an X.509 certificate
You will need a certificate that ADFS can use for SAML signing and encryption. You have two choices:
- Buy a legitimate certificate from a retail CA.
- Generate a self-signed certificate using IIS.
If you buy a certificate, your ADFS will be usable from any browser on any machine. If you create a self-signed cert, you will need to make each browser (or machine) trust that certificate before it will connect to your server without complaint.
If you decide to spend the money on a real certificate, make sure that you choose a hostname that you will actually be able to bind to your Windows server, i.e. that you have DNS control over the domain and can create a CNAME or A record.
Use IIS to Create a Self-Signed Certificate
- Open Server Manager; choose IIS.
- Right-click this server; choose `IIS Manager` from the popup menu.
- In the left nav, choose this server; double-click `Server Certificates` in the list view.
- Right-click the certificate list; choose `Create Self-Signed Certificate`.
- Input certificate metadata:
  a. Common Name: the apparent DNS hostname of your server (even if fake, e.g. `domain.example.com`)
  b. Everything else doesn't matter; type anything
- Certificate store: `Personal`
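The same certificate created from PowerShell instead of IIS Manager, added here as an example that is not part of the original guide. It lands in the machine `Personal` store the guide specifies, records the thumbprint the ADFS configuration will need, and exports the public half so a client can be made to trust it (the browser fiddling the previous section mentions). The hostname is a placeholder.

```powershell
# Added example (not from the original guide): create the self-signed
# certificate with PowerShell, verify it, and export the public half.
$HostName = 'domain.example.com'   # placeholder; must match the DNS name you publish

# 1. Create the certificate in the machine Personal store. On Server 2012
#    the cmdlet only takes -DnsName and -CertStoreLocation; later versions
#    add key size, validity and usage options.
$cert = New-SelfSignedCertificate -DnsName $HostName `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Record the thumbprint; the ADFS setup step identifies the cert by it.
"Thumbprint: $($cert.Thumbprint)"
"Subject:    $($cert.Subject)"
"Expires:    $($cert.NotAfter)"   # default validity is one year; note the date

# 3. Verify the cert is where ADFS will look for it and has a private key.
Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, HasPrivateKey, NotAfter

# 4. Export the public certificate only (no private key) to a .cer file.
$cerPath = Join-Path $env:TEMP "$HostName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT

# 5. On a client machine (run there, not on the server), import that file
#    into the Trusted Root store so its browsers accept the self-signed cert:
#    Import-Certificate -FilePath .\domain.example.com.cer `
#        -CertStoreLocation 'Cert:\LocalMachine\Root'
```

Exporting with `-Type CERT` writes only the public certificate, so the file can be copied around freely; the private key never leaves the server's store. Importing a self-signed cert into a client's Trusted Root store makes that client trust the name for the cert's lifetime, which is fine for a lab and exactly why a retail CA certificate is the better choice for anything shared.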
Install ADFS
- Open Server Manager and add the role `Active Directory Federation Services`.
- Keep hitting `Next` and accept all default selections for:
  a. The `Features` list (not related to roles)
  b. `Web Server Role` (auto-selected due to ADFS)
  c. `AD FS` (default options are OK)
- Click the `Install` button.
- Monitor the installation; reboot when/if requested.
Configure ADFS
- Open the Start Menu (e.g. `Ctrl+Esc`). Choose `AD FS Management`.
- Choose `AD FS Federation Server Configuration Wizard`.
- `Create a new Federation Service`
- `Stand-alone Federation Server`
- For the SSL Certificate, choose the self-signed certificate you made via IIS.
- Wait for the various maintenance stuff to complete.
At this point, ADFS will begin complaining that setup is incomplete because you have no Relying Party trust. Ignore this message for now; you will add RP/SP trusts in time.
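The install and configure steps above as PowerShell, added here as an example that is not part of the original guide. The guide's wizard is ADFS 2.1 on Windows Server 2012; on Windows Server 2012 R2 and later the same "new federation service, stand-alone" setup is done with `Install-AdfsFarm`, which is what this example uses. The hostname, thumbprint and display name are placeholders; the thumbprint is the one from the certificate you created earlier.

```powershell
# Added example (not from the original guide): install and configure AD FS
# on Windows Server 2012 R2 or later, where Install-AdfsFarm replaces the
# Federation Server Configuration Wizard used in the guide.
$FederationServiceName = 'domain.example.com'          # placeholder; must match cert CN and DNS
$CertThumbprint        = '<THUMBPRINT-FROM-YOUR-CERT>'  # placeholder; from New-SelfSignedCertificate

# 1. Add the AD FS role (the Server Manager step).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# 2. Confirm the chosen certificate is in the machine store with a private
#    key before trying to configure; Install-AdfsFarm fails without it.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $CertThumbprint }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $CertThumbprint not found in LocalMachine\My, or it has no private key"
}

# 3. Create the stand-alone federation service. The service account is a
#    domain account created for this purpose; it is prompted for, not stored.
$svc = Get-Credential -Message 'AD FS service account (DOMAIN\user)'
Install-AdfsFarm `
    -CertificateThumbprint $CertThumbprint `
    -FederationServiceName $FederationServiceName `
    -FederationServiceDisplayName 'Lab AD FS' `
    -ServiceAccountCredential $svc

# 4. Check the service is running and what it believes its hostname is.
Get-Service adfssrv | Select-Object Name, Status
Get-AdfsProperties | Select-Object HostName, Identifier

# 5. This is the "setup is incomplete" state the guide describes: no relying
#    party trusts exist yet. The count is expected to be zero for now.
"Relying party trusts: $((Get-AdfsRelyingPartyTrust | Measure-Object).Count)"
```

If `HostName` in the output does not equal the name on the certificate, the TLS handshake will succeed but SAML consumers will reject the issuer, so fix the mismatch before adding any relying party trusts.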
Configure the Rest of the Internet
Create a DNS record for your new hostname that points at the server; the hostname must match the Common Name of the Windows IIS TLS certificate.
Visit the https:// URL of your host with a browser; if you are using a self-signed cert, make sure you can get past the security warnings.
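A scripted version of the two checks above, added here as an example that is not part of the original guide. Run from any Windows client, it confirms that DNS resolves the name, reads the certificate the server actually presents on port 443 and compares its Common Name with the hostname, and then fetches the ADFS federation metadata document, which is the standard public endpoint an ADFS server publishes. The hostname is a placeholder.

```powershell
# Added example (not from the original guide): verify DNS, TLS and the ADFS
# endpoint from a client, without trusting the (possibly self-signed) cert.
$HostName = 'domain.example.com'   # placeholder

# 1. DNS: the name must resolve to the server you just built.
Resolve-DnsName -Name $HostName -Type A | Select-Object Name, IPAddress

# 2. TLS: open a raw connection and read the certificate the server presents.
#    The callback accepts any certificate so a self-signed one can still be
#    inspected; nothing here adds trust to the machine.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors) $true
}
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, 443
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAny
try {
    $ssl.AuthenticateAsClient($HostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                  -ArgumentList $ssl.RemoteCertificate
    "Subject:    $($served.Subject)"
    "Thumbprint: $($served.Thumbprint)"
    "Expires:    $($served.NotAfter)"
    if ($served.Subject -notlike "*CN=$HostName*") {
        Write-Warning "Certificate CN does not match $HostName; browsers will refuse it"
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# 3. ADFS: fetch the federation metadata. Certificate validation is disabled
#    only for this request (lab cert) and restored immediately afterwards,
#    because the setting is process-wide.
[Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    $metaUrl = "https://$HostName/FederationMetadata/2007-06/FederationMetadata.xml"
    [xml]$meta = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
    "EntityID: $($meta.EntityDescriptor.entityID)"
} finally {
    [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}
```

The `entityID` printed at the end is the issuer value your relying parties will be configured with; if the metadata fetch succeeds but the CN warning fired in step 2, a browser will still refuse the site, which is the symptom of the DNS name and certificate name not matching.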
Now, go do some SAML!
FIN