Configure the tenant authentication site to trust AD FS
Applies To: Windows Azure Pack
The next step is to add information about Windows Azure Active Directory Federation Services (AD FS) to the tenant authentication sites. By default, the management portal for tenants uses ASP.NET Membership Provider authentication. You can choose to use the same ASP.NET Membership Provider as a Claims Provider in AD FS. To do this, you must run the Set-MgmtSvcIdentityProviderSettings cmdlet on any machine where the tenant authentication site is installed.
Option 1: Run the Set-MgmtSvcIdentityProviderSettings cmdlet
Ensure that the machine that you configure can access the AD FS web service metadata endpoint. To verify the access, open a browser and go to the same URI that you plan to use for the –MetadataEndpoint parameter. If you can view the .xml file, you can access the federation metadata endpoint.
Run the Set-MgmtSvcIdentityProviderSettings cmdlet on any machine where the authentication site is installed.
Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint https://< fqdn>/FederationMetadata/2007-06/FederationMetadata.xml -DisableCertificateValidation -ConnectionString 'Server=<some server>;User Id=<user with write permissions to all config databases>;Password=<password>;'
The following table shows required information to run the Set- MgmtSvcIdentityProviderSettings cmdlet.
Cmdlet parameter
Required information
-Target
This parameter is used to indicate which component to configure. Possible values: Membership, Windows.
-MetadataEndpoint
The AD FS web service metadata endpoint. Use a valid, accessible, and complete URI, in the following format: https://<AD FS>/FederationMetadata2007-06/FederationMetadata.xml. In the following cmdlets replace $fqdn with an accessible AD FS fully qualified domain name (FQDN).
-ConnectionString
The connection string to the instance of Microsoft SQL Server that hosts the portal and API database.
Option 2: Run a Windows PowerShell script
Ensure that the machine that you configure can access the AD FS web service metadata endpoint. To verify the access, open a browser and go to the same URI that you plan to use for the –MetadataEndpoint parameter. If you can view the .xml file, you can access the federation metadata endpoint.
Instead of using the cmdlet, you can run the following Windows PowerShell script.
$domainName = 'mydomain.com' $adfsPrefix = 'AzurePack-adfs' $dnsName = ($adfsPrefix + "." + $domainName) # Enter Sql Server details here $dbServer = 'AzurePack-sql' $dbUsername = 'sa' $dbPassword = '<SQL_password>' $connectionString = [string]::Format('Data Source={0};User ID={1};Password={2}', $dbServer, $dbUsername, $dbPassword) # Note: Use the \"DisableCertificateValidation\" switch only in test environments. In production environments, all # SSL certificates should be valid. Set-MgmtSvcIdentityProviderSettings -Target Membership ` -MetadataEndpoint https://$dnsName/FederationMetadata/2007-06/FederationMetadata.xml ` -DisableCertificateValidation ` -ConnectionString $connectionString `