rookie tutorial for ADFS please

Question

  • Hi guys.

    We are on a mission where we need to deploy ADFS in our environment.

    Are there any really rookie step-by-step tutorials for achieving that please?

    As far as I understand, ADFS is a "light domain controller in DMZ". The stress is on the " ".

    With best regards


    bostjanc

    Wednesday, October 19, 2016 5:40 PM


All replies

  • Hi, 

    Sure, you can get a lot more articles on TechNet, but I was not able to get one on fast track.

    I have a suggestion about going with Azure AD Connect, as it's a GUI-based tool which will install ADFS in parallel and also helps you sync your AD with Azure.

    Sharing one from TechNet for the ADFS build:

    https://blogs.technet.microsoft.com/rmilne/2014/04/28/how-to-install-adfs-2012-r2-for-office-365/


    Linus || Please mark posts as answers/helpful if it answers your question.


    Thursday, October 20, 2016 8:53 AM
  • Thanks for the reply.

    The idea is to put on-premises ADFS.
    We are thinking about implementing it with WIN SRV 2016 (I have read it's easier to deploy ADFS on 2016 than on 2012 R2).
    Just for clarification (if you perhaps know?), you need one server in the LAN and one server in the DMZ, right?

    with best regards


    bostjanc

    Thursday, October 20, 2016 10:50 AM
  • Hiya,

    ADFS has nothing to do with a domain controller, because it does not hold any identity objects (users). These are still located in your AD. What ADFS does is give you an authentication gateway that extends beyond normal Active Directory boundaries.

    Using ADFS you can authenticate your local AD identities (users) against foreign domain resources (applications), and your local domain resources (applications) can use foreign domain identities (users).

    The short technical explanation is:

    ADFS creates an authentication ticket, a claim, which can be used wherever it's allowed to be used, across domain boundaries.

    A claim basically contains identity information: username, sAMAccountName, role, whatever you want this claim to contain.

    By using claims, you can now share identity information across (domain) boundaries, while you still perform the actual authentication of the identity against your own domain (ADFS).

    By default, ADFS does not hold any "master data", but only relays, enriches, transforms or converts according to a set of rules.

    From a technical infrastructure perspective it would logically look like this:

    https://jesperarnecke.wordpress.com/2014/03/28/identity-federation-infrastructure-overview/

    Thursday, October 20, 2016 10:54 AM
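A worked version of the "relays, enriches, transforms from a set of rules" point above, added here as an example; it is not code from the thread or from Microsoft's documentation. It registers one application as a relying party on an existing ADFS server and attaches two kinds of rules: transform rules that decide which AD attributes become claims in the token, and an authorization rule that decides who may get a token at all. The application name, its URL, the group naming convention and the group SID are placeholders and assumptions.

```powershell
# Added example (not from the thread): register a relying party and define the
# claim rules that turn AD attributes into claims. Names, URL and SID are assumed.
# Run on the internal ADFS server as an ADFS administrator.

$RpName = "Contoso Expense App"              # assumed application name
$RpId   = "https://expenses.contoso.com/"    # assumed identifier the app sends in its sign-in request

# Issuance transform rules: what identity information goes into the token.
# Rule 1 queries AD for the authenticated user's UPN and group names and keeps
#        them in the pipeline (add, not issue) so they can be filtered first.
# Rule 2 issues the UPN as-is.
# Rule 3 issues only groups whose name starts with "App-" as role claims, so the
#        application never receives the user's full group list.
$TransformRules = @'
@RuleName = "Look up UPN and groups in AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://temp/group"), query = ";userPrincipalName,tokenGroups;{0}", param = c.Value);

@RuleName = "Issue UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Only App- groups become role claims"
c:[Type == "http://temp/group", Value =~ "^App-"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = c.Value);
'@

# Issuance authorization rules: who is allowed to obtain a token for this app.
# A new trust would otherwise get "permit everyone"; restrict it to one AD group
# by SID (the SID below is a placeholder, not a real group).
$AuthRules = @'
@RuleName = "Permit members of App-Expenses-Users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1111111111-2222222222-3333333333-1105"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $RpName -Identifier $RpId `
    -WSFedEndpoint $RpId `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthRules

# Check: the trust should carry exactly the rules above and nothing more.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

The authorization rule is the part most often left at its default; without it, every AD user who can authenticate gets a token for the application, and access control is pushed entirely onto the application side.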
  • Jesper thank you for your reply.
    basically one ADFS in LAN connects to AD and the other ADFS (federated server in DMZ) connects to ADFS in LAN?


    bostjanc

    Thursday, October 20, 2016 11:15 AM
  • Hiya,

    That depends.

    Logically ADFS consists of two roles.

    1: an ADFS server, which performs the operations, relays requests, is connected to the AD and so forth. It is typically located on the LAN.

    2: an ADFS proxy server, which relays requests and is not part of the domain. It is typically located in the DMZ, with limited port access to the ADFS server only.

    With Server 2012 R2, the roles are named "ADFS server" and "Web Application Proxy".

    These roles handle all the communication, externally and internally.

    When internal users connect to your application, which is connected to ADFS, they are redirected to the ADFS server directly (and not the proxy server, because there is no need to send them outside). When external users connect, they are redirected to the proxy, which then relays to the ADFS server.

    • Marked as answer by B_C_R Monday, October 24, 2016 10:10 AM
    Thursday, October 20, 2016 11:51 AM
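A worked version of the two-role layout described in this answer, added here as an example and not code from the thread or from Microsoft's documentation. It assumes Windows Server 2016, a federation service name of sts.contoso.com, a gMSA named gmsa-adfs, an internal ADFS host named ADFS01 at 10.0.1.10, a proxy at 192.0.2.10 in the DMZ, and a certificate for sts.contoso.com already imported into the machine store on both hosts; all of these are placeholders. The steps are grouped by the host they run on.

```powershell
# Added example (not from the thread): minimal two-role ADFS deployment.
# Names, addresses and account names are placeholders and assumptions.
# Assumed: Windows Server 2016 on both hosts, TLS certificate for the federation
# service name already in Cert:\LocalMachine\My on both hosts.

$Fsn       = "sts.contoso.com"   # federation service name (assumed)
$AdfsLanIp = "10.0.1.10"         # internal ADFS server (assumed)
$WapDmzIp  = "192.0.2.10"        # proxy in the DMZ (assumed)

# ---- Step 1: on a domain controller, create the gMSA the ADFS service runs as.
Add-KdsRootKey -EffectiveImmediately   # once per forest; in production the key still needs ~10 h to replicate
New-ADServiceAccount -Name "gmsa-adfs" -DNSHostName $Fsn `
    -ServicePrincipalNames "host/$Fsn" `
    -PrincipalsAllowedToRetrieveManagedPassword "ADFS01$"

# ---- Step 2: on the domain-joined ADFS server on the LAN.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$Fsn*" } | Select-Object -First 1
Install-AdfsFarm -CertificateThumbprint $Cert.Thumbprint `
    -FederationServiceName $Fsn `
    -FederationServiceDisplayName "Contoso Sign-In" `
    -GroupServiceAccountIdentifier "CONTOSO\gmsa-adfs$"

# "Limited port access to the ADFS server only": from the DMZ, allow TCP 443
# from the proxy address alone. Internal clients reach this host directly.
New-NetFirewallRule -DisplayName "ADFS HTTPS from WAP only" -Direction Inbound `
    -Protocol TCP -LocalPort 443 -RemoteAddress $WapDmzIp -Action Allow

# ---- Step 3: on the non-domain-joined proxy in the DMZ.
# The proxy must resolve the federation service name to the INTERNAL server;
# public DNS points that name at the proxy itself, which would loop.
Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Value "$AdfsLanIp`t$Fsn"
Test-NetConnection -ComputerName $Fsn -Port 443   # TcpTestSucceeded must be True before continuing

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$Fsn*" } | Select-Object -First 1
$Cred = Get-Credential -Message "Local administrator on the ADFS server (used once to establish the trust)"
Install-WebApplicationProxy -FederationServiceTrustCredential $Cred `
    -CertificateThumbprint $Cert.Thumbprint -FederationServiceName $Fsn

# ---- Step 4: check from both sides.
# From the LAN this is served by the ADFS server itself; from the internet, via
# the proxy. Both must return the same signed federation metadata.
$Meta = Invoke-WebRequest -UseBasicParsing `
    -Uri "https://$Fsn/federationmetadata/2007-06/federationmetadata.xml"
([xml]$Meta.Content).EntityDescriptor.entityID
```

The hosts-file entry in step 3 is the detail that most often breaks a first deployment: if the proxy resolves the federation service name to its own public address, Install-WebApplicationProxy cannot establish the trust. Split DNS in the DMZ is the cleaner long-term alternative to the hosts file.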
  • thanks for the clarification

    bostjanc

    Monday, October 24, 2016 10:09 AM
    ADFS deployments onto Windows Server 2012 R2 (ADFS 3.0) and onto Windows Server 2016 (ADFS 4.0) are largely identical and quite simple. ADFS deployments onto Windows Server 2012 (non-R2) or older are less enjoyable.

    I'd certainly suggest deploying onto Windows Server 2016, as there are improvements and your ADFS server will have a longer "shelf life" before needing to be upgraded again, but I wouldn't describe it as a difficult deployment on either 2012 R2 or 2016.

    Tuesday, October 25, 2016 7:27 PM