Tag Archive: ADFS

Two ways to integrate/federate applications with Azure AD:

Azure marketplace:


Check if the application already exists in the marketplace:

The Microsoft Azure Marketplace is an online store that offers applications and services either built on or designed to integrate with Microsoft’s Azure public cloud.

Else, how to configure single sign-on to applications that are not in the Azure Active Directory application gallery: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

Authentication scenarios for Azure AD:


Applications integrated with Azure AD are accessed via https://account.activedirectory.windowsazure.com/applications/default.aspx

Integrating applications with Azure AD: https://docs.microsoft.com/fr-fr/azure/active-directory/develop/active-directory-integrating-applications


Identity hybrid ports and protocols:



Azure app gallery:


If not pre-packaged in Azure marketplace: Any app that supports SAML 2.0 can be integrated directly with an Azure AD tenant using these instructions to add a custom application.

Provide credentials for a test tenant or account with your application that can be used by the Azure AD team to test the integration.

Provide the SAML Sign-On URL, Issuer URL (entity ID), and Reply URL (assertion consumer service) values for your application, as described here. If you typically provide these values as part of a SAML metadata file, then please send that as well.

Provide a brief description of how to configure Azure AD as an identity provider in your application using SAML 2.0. If your application supports configuring Azure AD as an identity provider through a self-service administrative portal, then please ensure the credentials provided above include the ability to set this up.

Configuring single sign-on to applications that are not in the Azure Active Directory application gallery:



Sign On URL (SP-initiated only) – Where the user goes to sign in to this application. If the application is configured to perform service provider-initiated single sign-on, then when a user navigates to this URL, the service provider will do the necessary redirection to Azure AD to authenticate and log the user in. If this field is populated, then Azure AD will use this URL to launch the application from Office 365 and the Azure AD Access Panel. If this field is omitted, then Azure AD will instead perform identity provider-initiated sign-on when the app is launched from Office 365, the Azure AD Access Panel, or from the Azure AD single sign-on URL (copiable from the Dashboard tab).

Issuer URL – The issuer URL should uniquely identify the application for which single sign-on is being configured. This is the value that Azure AD sends back to the application as the Audience parameter of the SAML token, and the application is expected to validate it. This value also appears as the Entity ID in any SAML metadata provided by the application. Check the application’s SAML documentation for details on what its Entity ID or Audience value is. Below is an example of how the Audience URL appears in the SAML token returned to the application.

Reply URL – The reply URL is where the application expects to receive the SAML token. This is also referred to as the Assertion Consumer Service (ACS) URL.
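As an added example (not from the original page, nor Microsoft's own code), the checks an application should apply to the token fields that these three settings map onto: the Reply URL as Destination/Recipient, the Issuer URL as Audience, and the expected tenant issuer. All URLs and the tenant id are constructed placeholders, and XML signature verification is a separate, mandatory step that this snippet does not perform.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical values the app was registered with in Azure AD (constructed).
EXPECTED = {
    "audience": "https://app.example.com/saml/metadata",  # Issuer URL (entity ID)
    "acs": "https://app.example.com/saml/acs",            # Reply URL (ACS)
    "idp": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
}
# Constructed, unsigned sample response used only to exercise the checks.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://app.example.com/saml/acs">
 <saml:Assertion><saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
   Recipient="https://app.example.com/saml/acs" NotOnOrAfter="2030-01-01T00:00:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, expected, now=None):
    """Return a list of problems; an empty list means every field check passed."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    problems = []
    # Reply URL: Response/@Destination and SubjectConfirmationData/@Recipient must be our ACS.
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if root.get("Destination") != expected["acs"] or recipient != expected["acs"]:
        problems.append("Destination/Recipient does not match Reply URL")
    # Issuer URL / entity ID: Azure AD sends it back as the Audience.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append("Audience does not match Issuer URL (entity ID)")
    # The assertion must come from the expected Azure AD tenant.
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is None or issuer.text != expected["idp"]:
        problems.append("unexpected assertion Issuer")
    # Validity window from Conditions (NotOnOrAfter is exclusive).
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter")):
        problems.append("assertion outside its validity window")
    return problems
```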







Monitoring ADFS and the AAD Connect Sync Engine using AAD connect health:



An introduction to claims:


To test ADFS, create your own test web app:




When you deploy AD FS 2.x out of the box in a default setup, it uses a Windows Internal Database (WID).

In the default WID setup, the Primary AD FS server holds the read/write copy of the database and the Secondary server(s) hold a read-only copy that is synchronized from the Primary (a single WID farm supports a maximum of 5 AD FS servers!).

If you need to move the Primary role to another server, for whatever reason, you can move the role with a simple PowerShell command.

Run this PowerShell command on the Secondary AD FS server that you want to make Primary AD FS server.

Set-AdfsSyncProperties -Role PrimaryComputer

This will now move the Primary role to the server where the command was run. If you have two or more Secondary servers in the farm you need to update the other Secondary servers.

Run this PowerShell command on the other Secondary AD FS server(s) so that they now sync with the new Primary AD FS server:

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN_ADFS_Primary>

Understanding ADFS and federation by an example:


Comparing SAML, WS-FED and OAuth: https://blogs.technet.microsoft.com/askpfeplat/2014/11/02/adfs-deep-dive-comparing-ws-fed-saml-and-oauth/

ADFS 2.0:

If you need to configure ADFS v. 2.0 for use in claims-based authentication scenarios, interestingly enough, ADFS v. 2.0 DOES NOT come pre-installed with Windows Server 2008 R2, even after the release of SP1. Therefore, you will not be able to install ADFS as one of the Server Roles offered by Server Manager. Instead, you will have to download the ADFS v. 2.0 release separately and install and configure it on its own.
You can download the release of ADFS v. 2.0 from here: http://www.microsoft.com/download/en/details.aspx?id=10909
There is also an update rollup for ADFS v. 2.0 available which can be downloaded from here: http://support.microsoft.com/kb/2607496

In addition, this is an excellent article on configuring ADFS v2.0:


and http://www.theidentityguy.com/articles/tag/adfs-v2

Example of implementation with a cloud service: http://support.druva.com/entries/21437659-How-to-install-and-Configure-Active-Directory-Federation-Services-for-Druva-inSync-Cloud-SAML-integr

ADFS design and deployment:





Planning Federation Server Proxy Placement: http://technet.microsoft.com/en-us/library/dd807130%28WS.10%29.aspx

Certificate Requirements for Federation Server Proxies: http://technet.microsoft.com/en-us/library/dd807054%28WS.10%29.aspx

AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates: http://social.technet.microsoft.com/wiki/contents/articles/2554.aspx

Troubleshooting federation server proxy problems with AD FS 2.0: http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-federation-server-proxy-problems%28WS.10%29.aspx

AD FS 2.0: Guidance for Selecting and Utilizing a Federation Service Name: http://social.technet.microsoft.com/wiki/contents/articles/4177.aspx

AD FS 2.0 Proxy Management: http://blogs.msdn.com/b/card/archive/2010/06/02/ad-fs-2-0-proxy-management.aspx

AD FS 2.0 Cmdlets in Windows PowerShell: http://technet.microsoft.com/en-us/library/ee892329.aspx

Other web resources about ADFS:






A definition (translated from French):

“ADFS services are federated identity management services (SSO, Single Sign-On). ADFS identifies, authenticates and authorizes users to access extranets, and improves the AD (Active Directory) deployment on three points:

  • B2C extranet
  • Inter-enterprise federations (multi-forest)
  • B2B Internet federations

Identity federation allows two companies to securely share a user’s Active Directory identity information, creating better operational efficiency. ADFS enables federation management through signed security tokens via certificate-based key distribution, the definition of token/claim types and of the shared namespace for federated security realms.”