Configure AD FS to trust the management portals

Applies To: Windows Azure Pack

The last step in the configuration of Active Directory Federation Services (AD FS) for Windows Azure Pack is to configure AD FS to trust the management portals. AD FS builds each trust from the federation metadata that the portal publishes, so before you run the configuration script you verify that the machine you use can reach each metadata endpoint over a trusted HTTPS connection.

Configure AD FS to trust the management portals

  1. Ensure that the machine on which you run the configuration script can reach the federation metadata endpoint published by the management portal for administrators. To verify access, open a browser and go to https://<AdminPortal_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <AdminPortal_endpoint> is the fully qualified domain name (FQDN) and port of the management portal for administrators. If the .xml file is displayed, and the browser shows no certificate warning, the machine can reach the endpoint and trusts its certificate.

  2. Ensure that the same machine can reach the federation metadata endpoint published by the management portal for tenants. To verify access, open a browser and go to https://<TenantPortal_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <TenantPortal_endpoint> is the FQDN and port of the management portal for tenants. If the .xml file is displayed without a certificate warning, the machine can reach the endpoint and trusts its certificate.

  3. OPTIONAL. If you want to use the ASP.NET Membership Provider as the default Claims Provider for the management portal for tenants in AD FS, ensure that the same machine can reach the federation metadata endpoint published by the Tenant Authentication Site. To verify access, open a browser and go to https://<TenantAuth_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <TenantAuth_endpoint> is the FQDN and port of the Tenant Authentication Site. If the .xml file is displayed without a certificate warning, the machine can reach the endpoint and trusts its certificate.

  4. Locate the configure-adfs.ps1 configuration script that is installed with Windows Azure Pack in C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Authentication\.

  5. Run the configure-adfs.ps1 script on the machine where AD FS is installed.

    $tenantSite = 'tenant-AzurePack.contoso.com:30081'
    $adminSite = 'admin-AzurePack.contoso.com:30091'
    $authSite = 'auth-AzurePack.contoso.com:30071'
    
    # Note: Use the -allowSelfSignCertificates switch only in test environments. It turns off
    # certificate validation while the script downloads the federation metadata, and that metadata
    # (including the signing certificate AD FS will accept) is what the trusts are built from.
    # In production environments, all SSL certificates should be valid.
    & "C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Authentication\configure-adfs.ps1" `
    -identityProviderMetadataEndpoint "https://$authSite/federationmetadata/2007-06/federationmetadata.xml" `
    -tenantRelyingPartyMetadataEndpoint "https://$tenantSite/federationmetadata/2007-06/federationmetadata.xml" `
    -adminRelyingPartyMetadataEndpoint "https://$adminSite/federationmetadata/2007-06/federationmetadata.xml" `
    -allowSelfSignCertificates
    

    Replace the values of $tenantSite and $adminSite with the host name and port of the management portal for tenants and the management portal for administrators. If you want to use the ASP.NET Membership Provider as the default Claims Provider for the management portal for tenants in AD FS, replace the value of $authSite with the host name and port of the Tenant Authentication Site; otherwise omit the -identityProviderMetadataEndpoint parameter as described below.

    Supply the following parameter information.

    -identityProviderMetadataEndpoint
        OPTIONAL. Endpoint from which to obtain the federation metadata for the Tenant Authentication Site. If you do not want to use the ASP.NET Membership Provider to provide tenant identities, modify the script to not use this parameter and also remove the Add-AdfsClaimsProviderTrust cmdlet. The script then sets up only the relying party trusts for the management portal for tenants and the management portal for administrators.

    -tenantRelyingPartyMetadataEndpoint
        Endpoint from which to obtain the federation metadata for the management portal for tenants.

    -adminRelyingPartyMetadataEndpoint
        Endpoint from which to obtain the federation metadata for the management portal for administrators.
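The following PowerShell is an added example, not one of the Windows Azure Pack sample scripts. It automates the checks in steps 1 to 3 and adds the check a practitioner wants before deciding whether -allowSelfSignCertificates is needed: for each portal it fetches the federation metadata over HTTPS, reports whether this machine trusts the server certificate, and shows the entityID and signing certificate(s) that AD FS will take from the metadata. After configure-adfs.ps1 has run on the AD FS server, the last lines list the trusts it created so you can confirm the metadata URLs are the ones you passed in. The host names and ports are assumed values matching the script above; the cmdlets used are Invoke-WebRequest and the ADFS module's Get-AdfsRelyingPartyTrust and Get-AdfsClaimsProviderTrust (Windows Server 2012 R2 and later).

```powershell
# Added example (not part of Windows Azure Pack). Assumed host names and ports, taken from the
# sample above; replace them with the values for your deployment.
$sites = [ordered]@{
    Admin  = 'admin-AzurePack.contoso.com:30091'
    Tenant = 'tenant-AzurePack.contoso.com:30081'
    Auth   = 'auth-AzurePack.contoso.com:30071'   # only needed with the ASP.NET Membership Provider
}

function Test-FederationMetadata {
    param([Parameter(Mandatory = $true)][string]$Site)

    $url    = "https://$Site/FederationMetadata/2007-06/FederationMetadata.xml"
    $result = [ordered]@{
        Url         = $url
        Reachable   = $false
        TlsTrusted  = $false
        EntityId    = $null
        SigningCert = @()
        Error       = $null
    }
    $signing = @()

    try {
        # Invoke-WebRequest validates the server certificate. An untrusted (for example
        # self-signed) certificate throws a WebException with Status = TrustFailure, which is
        # the condition that -allowSelfSignCertificates suppresses in configure-adfs.ps1.
        $response = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        $result.Reachable  = $true
        $result.TlsTrusted = $true

        [xml]$metadata = $response.Content
        $ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
        $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
        $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

        # entityID becomes the trust identifier in AD FS.
        $result.EntityId = $metadata.DocumentElement.GetAttribute('entityID')

        # The signing certificates in the metadata are the keys AD FS will trust for this
        # party; surface subject, thumbprint, expiry and whether each one is self-signed.
        $xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        foreach ($node in $metadata.SelectNodes($xpath, $ns)) {
            $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
            $signing += [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
        }
        $result.SigningCert = $signing
    }
    catch [System.Net.WebException] {
        if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            $result.Reachable = $true   # the TLS handshake completed; only the chain is untrusted
        }
        $result.Error = $_.Exception.Message
    }
    catch {
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

$checks = foreach ($name in $sites.Keys) {
    Test-FederationMetadata -Site $sites[$name] |
        Add-Member -NotePropertyName Portal -NotePropertyValue $name -PassThru
}
$checks | Format-List Portal, Url, Reachable, TlsTrusted, EntityId, Error
$checks | ForEach-Object { $_.SigningCert } | Format-Table Subject, Thumbprint, NotAfter, SelfSigned -AutoSize

# In production, stop here if any endpoint is not served over a certificate this machine trusts:
# the only way to make configure-adfs.ps1 proceed would be -allowSelfSignCertificates, which
# disables certificate validation on the very download the trusts are built from.
if ($checks | Where-Object { -not $_.TlsTrusted }) {
    Write-Warning 'One or more metadata endpoints is not served over a trusted certificate.'
}

# After configure-adfs.ps1 has been run on the AD FS server, confirm the trusts it created and
# that their metadata URLs match what you passed in (requires the ADFS module on that server).
Import-Module ADFS
Get-AdfsRelyingPartyTrust   | Format-Table Name, Identifier, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled -AutoSize
Get-AdfsClaimsProviderTrust | Format-Table Name, Identifier, MetadataUrl -AutoSize
```

Run the first part from the machine that will execute configure-adfs.ps1, because certificate trust is evaluated against that machine's store, not the browser you used in steps 1 to 3. A result with Reachable = True and TlsTrusted = False means the portal answers but its certificate chain is not trusted there; fix the certificate or install the issuing CA before running the script in production rather than reaching for -allowSelfSignCertificates.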