Rough Guide to ADFS Setup

Santa Barbara, CA - 

So you want to ADFS? My condolences. Perhaps this crib sheet will help you. It was produced using Windows 2012 Server + ADFS 2.1 and should be largely relevant for later versions, too.

Start by booting an instance of Windows Server 2012 Core in your favorite cloud provider; ensure that RDP port 3389 and TLS port 443 are both open on the server.

Once the server is available, recover the initial Administrator password and RDP into it.

Create a Windows Domain

  1. Open Server Manager and add the role Active Directory Domain Services
  2. Keep hitting Next and accept all default selections
  3. Monitor the installation using the little flag icon in the toolbar. Reboot may be required.
  4. Quit and restart Server Manager. AD DS is now in the nav bar; click it.
  5. Click the More... link under the Configuration required message.
  6. On the resulting popup: a. Promote this server to a domain controller b. Add a new forest c. Choose a unique (not necessarily real) root domain name e.g. d. Choose a Restore Mode password e. Choose defaults for everything else; hit Install
  7. Wait for install to finish & the inevitable reboot to happen

Buy or create an x509 certificate

You will need a certificate that ADFS can use for SAML signing and encryption. You have two choices:

  1. Buy a legitimate certificate from a retail CA.
  2. Generate a self-signed certificate using IIS.

If you buy a certficate, your ADFS will be usable from any browser of any machine. If create a self-signed cert, you will need to fiddle with browsers in order to get them to connect to your server.

If you decide to spend the money on a real certificate, make sure that you choose a hostname that you will actually be able to bind to your Windows server, e.g. that you have DNS control over the domain and can create a CNAME or A record.

Use IIS to Create a Self-Signed Certificate

  1. Open Server Manager; choose IIS
  2. Right-click this server; choose IIS Manager from the popup menu
  3. In the left nav, choose this server; double click Server Certificates in the list view.
  4. Right-click the certificate list; choose Create Self-Signed Certificate
  5. Input certificate metadata a. Common Name: apparent DNS hostname of your server (even if fake, e.g. b. Everything else .. doesn't matter, type anything
  6. Certificate store: Personal

Install ADFS

  1. Open Server Manager and add the role Active Directory Federation Service
  2. Keep hitting Next and accept all default selections for: a. The Features list (not related to roles) b. Web Server Role (auto selected due to ADFS) c. AD FS (default options are OK)
  3. Click the Install button
  4. Monitor the installation; reboot when/if requested

Configure ADFS

  1. Open Start Menu (e.g. Ctrl+Esc). Choose AD FS Management.
  2. Choose AD FS Federation Server Configuration Wizard
  3. Create a new Federation Service
  4. Stand-alone Federation Server
  5. For SSL Certificate, choose the self-signed certificate you made via IIS
  6. Wait for the various maintenance stuff to complete

At this point, ADFS will begin complaining that setup is incomplete because you have no Relying Party trust. Ignore this message for now; you will add RP/SP trusts in time.

Configure the Rest of the Internet

Point a DNS record at your new hostname; make sure it matches the common name of the Windows IIS TLS certificate.

Visit the https:// URL of your host with a browser; make sure you can bypass the security warnings if using a self-signed cert.

Now, go do some SAML!