Configure Active Directory Federation Services for Windows Azure Pack
Applies To: Windows Azure Pack
By default, Windows Azure Pack for Windows Server uses the following authentication.

Service | Default authentication
---|---
Management portal for administrators | Windows authentication
Management portal for tenants | ASP.NET membership provider
Instead of using these default authentication types, you also have the option to configure Windows Azure Pack to use Windows Azure Active Directory Federation Services (AD FS) for authentication, as described in the following steps. This option requires Windows Server 2012 R2.
If you want to switch back to the default authentication, see Switch back to the default Windows Azure Pack authentication sites.
Note
The following information assumes that you do not already have AD FS configured in your environment. If you have AD FS configured, you can skip the first step and proceed directly to Configure AD FS to trust the management portals.
Best practices
Review the following best practices before you configure AD FS.
The format of user groups that are provided by the AD FS installation should match the format that is entered in the UI. The prescribed format for adding AD groups as co-administrators is domain\alias.
The subscription owner should be an individual user and not a group.
It is generally a good practice to use an email address as the unique identifier. Custom Claims generators allow a GUID or other unique identifiers but their use complicates adding co-administrators or adding individual users and should generally be avoided.
By default, AD FS sets a cookie on the client end to track the user’s selection for authentication methods. You can disable this action by running the following AD FS Windows PowerShell cmdlet:
```powershell
Set-AdfsWebConfig -HRDCookieEnabled $false
```
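The following is an added example, not part of the original article, showing how to confirm the current home realm discovery cookie setting before and after disabling it, so the change is verifiable and reversible. It assumes an elevated Windows PowerShell session on a server in the AD FS farm where the ADFS module is available; the cmdlets and the HRDCookieEnabled property are the standard AD FS ones.

```powershell
# Added example (not from the original page): record, change and verify the
# home realm discovery (HRD) cookie setting on AD FS.
# Assumption: run elevated on an AD FS farm server with the ADFS module installed.

Import-Module ADFS

# Capture the current value so the change can be reverted later.
$before = (Get-AdfsWebConfig).HRDCookieEnabled
Write-Host "HRDCookieEnabled before change: $before"

# Stop AD FS from setting the client cookie that remembers the user's
# authentication-method selection.
Set-AdfsWebConfig -HRDCookieEnabled $false

# Re-read the configuration and fail loudly if the change did not apply.
$after = (Get-AdfsWebConfig).HRDCookieEnabled
if ($after -ne $false) {
    throw "HRDCookieEnabled is still '$after'; the change did not apply."
}
Write-Host "HRDCookieEnabled after change: $after"

# To restore the default behaviour:
# Set-AdfsWebConfig -HRDCookieEnabled $true
```

Reading the value back with Get-AdfsWebConfig is the check worth keeping: configuration cmdlets on a farm can succeed on the node you ran them from before the setting is visible elsewhere, so confirm it on the node the portals actually talk to.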
For more information about the deployment and maintenance of an AD FS farm, visit the Active Directory Federation Services Overview.