Overview
* AD FS 1.0 shipped with Windows Server 2003 R2 and AD FS 1.1 is a server role in Windows Server 2008 / 2008 R2; AD FS 2.0 is a separate download (RTW) for Windows Server 2008 and 2008 R2.
* Tightly integrated with AD:
– retrieves user attributes from AD
– authenticates users against AD
– uses Windows Integrated Authentication (WIA)
* Works with both AD and ADAM (AD application mode, aka AD LDS)
* Provides web SSO by securely sharing digital identity and entitlement rights, or Claims, across security and enterprise boundaries
– can translate terms that are used in the organization into claims
– create, secure and verify claims that move between organizations
– audit and monitor activity between organizations and departments
* Works with both Windows Internal Database (WID) and SQL Server
– only SQL Server supports SAML artifact resolution and token replay detection; with WID those features are unavailable
Key Features
* Supports both active (WS-Trust) and passive (WS-Fed and SAML 2.0) scenarios.
* Federation and Web SSO
– extends Windows integrated authentication to internet facing applications
– federation servers can be deployed in multiple organizations to facilitate B2B federated transactions
* WS-* interoperability
– supports WS-Federation
* Extensible architecture, supports:
– SAML 1.1 and SAML 2.0 token types
– Kerberos authentication
– can also perform claim mapping
Install
* Prepare a Windows Server 2008 R2 box and join it to the target domain, e.g. mytest.local
* Download ADFS 2.0 RTW (release to web) from Microsoft Download Center, e.g. RTW\W2K8R2\amd64\AdfsSetup.exe
* Double click AdfsSetup.exe to start Setup Wizard
* Select Server Role: Federation server
* Click Next on Install Prerequisite Software screen
* Finish
Generate a Web Server Certificate
* See this post to generate a web server certificate to be used for ADFS.
* The certificate subject common name must be the fully qualified DNS name that clients use to reach the federation service, e.g. adfs01.mytest.local (not the bare host name); the configuration wizard derives the Federation Service Name from this subject.
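As an added example (not the post linked above), the following PowerShell script requests the web server certificate from an enterprise CA with certreq.exe and verifies that it landed in the machine store with a private key. The host name adfs01.mytest.local is from the page; the CA config string ca01.mytest.local\mytest-CA01 and the template name WebServer are assumptions to replace with your own.

```powershell
# Added example, not from the original page: request a TLS certificate for
# ADFS 2.0 via certreq.exe and an enterprise CA, then verify it.
# Assumptions: CA config string and template name below are placeholders.
$fqdn     = "adfs01.mytest.local"              # from the page
$caConfig = "ca01.mytest.local\mytest-CA01"    # assumption: "<CA host>\<CA name>"
$template = "WebServer"                        # assumption: CA template name
$work     = Join-Path $env:TEMP "adfs-cert"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# certreq INF: the CN must be the FQDN the federation service is reached at,
# the key must live in the machine store so the ADFS service account can use
# it, and the EKU must be Server Authentication.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
; AT_KEYEXCHANGE, required for TLS key exchange
KeySpec = 1
; Exportable only matters if the key has to be copied to another farm node
Exportable = TRUE
; Machine store, not the requesting user's store
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
; digitalSignature + keyEncipherment
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name with the same FQDN, for clients that match SAN
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path "$work\adfs.inf" -Value $inf -Encoding ASCII

# Generate the key pair and CSR, submit it to the CA, install the response.
# If the template requires CA manager approval, -submit returns a pending
# request id; retrieve it later with: certreq -retrieve <id> "$work\adfs.cer"
certreq -new    "$work\adfs.inf" "$work\adfs.req"
certreq -submit -config $caConfig "$work\adfs.req" "$work\adfs.cer"
certreq -accept "$work\adfs.cer"

# Verify: exactly one cert for the FQDN in the machine store, with a private
# key, and the thumbprint you will pick in the ADFS configuration wizard.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
    Format-List
```

Run it from an elevated PowerShell prompt on the ADFS host; if HasPrivateKey is False the request was generated in the wrong store (MachineKeySet) or accepted on a different machine.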
ADFS 2.0 Federation Server Configuration Wizard
* Open Start > Admin Tools > ADFS 2.0 Management
* Click AD FS 2.0 Federation Server Configuration Wizard
* Select Create a new Federation Service
* Select Stand-alone federation server (uses WID and runs the service as Network Service; a stand-alone server cannot later be joined into a farm, so pick New federation server farm if a second node will ever be needed)
* Specify Federation Service Name
* Ready to apply settings
* Done.
Renew Certificates
Renew IIS Certificate
* Create a new IIS certificate following this post.
* Open a command window and run iisreset
Set Service Communications Certificate
* From the AD FS 2.0 Management console, set the Service Communications Certificate to the renewed IIS certificate.
Renew ADFS Certificates Immediately
* Update-ADFSCertificate works only when AutoCertificateRollover is enabled (the default for a new federation service). With -Urgent it generates new token-signing and token-decrypting certificates and makes them primary immediately, instead of publishing them as secondary first, so every relying party must receive the new token-signing certificate or it will reject tokens.
* Open a PowerShell command window and run the following commands:
Add-PSSnapin Microsoft.Adfs.PowerShell
Update-ADFSCertificate -Urgent
* Open the AD FS 2.0 Management console and refresh the AD FS 2.0 > Service > Certificates folder.
* Restart the AD FS 2.0 Windows Service.
Export and Import Token Signing Cert into JBoss Trust Store
* Follow previous Export ADFS Token Signing Cert section to export the token signing certificate.
* Import the exported token signing certificate into the JBoss trust store (delete the old entry first so the alias can be reused):
keytool -delete -alias adfs01-sign -keystore jboss01_adfs_sign.jks -storepass Welcome1
keytool -import -v -keystore jboss01_adfs_sign.jks -alias adfs01-sign -storepass Welcome1 -file adfs2_tokenSigning.cer
– Passing -storepass on the command line leaves the password in shell history and process listings; omit it to be prompted instead, and replace the Welcome1 placeholder with a real store password.
– Before restarting, confirm with keytool -list that the SHA1 fingerprint of the adfs01-sign entry matches the thumbprint of the primary token-signing certificate shown in the AD FS 2.0 Management console.
* Restart JBoss
service jboss restart
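As an added example (not from the original page), this PowerShell script ties the renewal step above to the JBoss import: it lists the ADFS token certificates with their expiry, exports the primary token-signing certificate as a DER .cer for the keytool import, and checks that the federation metadata the service publishes advertises that same certificate, which is what metadata-consuming relying parties will trust. It assumes it runs on the ADFS 2.0 server as an ADFS administrator; the host name adfs01.mytest.local is from the page, and the export path C:\temp\adfs2_tokenSigning.cer is illustrative.

```powershell
# Added example, not from the original page: verify the result of
# Update-ADFSCertificate -Urgent and export the primary token-signing cert.
# Assumptions: run on the ADFS 2.0 server; host name and export path below.
param(
    [string]$FederationServiceHost = "adfs01.mytest.local",   # from the page
    [string]$ExportPath = "C:\temp\adfs2_tokenSigning.cer"     # assumed path
)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Show token-signing / token-decrypting certs with expiry, so it is clear
#    which one is primary now and when the next rollover is due.
$certs = Get-ADFSCertificate | Where-Object {
    $_.CertificateType -eq "Token-Signing" -or $_.CertificateType -eq "Token-Decrypting"
}
$certs | Select-Object CertificateType, IsPrimary, Thumbprint,
    @{ n = "NotAfter"; e = { $_.Certificate.NotAfter } } | Format-Table -AutoSize

# 2. Export the primary token-signing certificate as DER. X509ContentType::Cert
#    writes the public certificate only; the private key never leaves ADFS.
$signing = $certs | Where-Object { $_.CertificateType -eq "Token-Signing" -and $_.IsPrimary }
if (-not $signing) { throw "No primary token-signing certificate found" }
$der = $signing.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
[System.IO.File]::WriteAllBytes($ExportPath, $der)
"Exported primary token-signing cert $($signing.Thumbprint) to $ExportPath"

# 3. Pull the published federation metadata and collect every signing
#    certificate it advertises. The root element uses the SAML metadata
#    namespace as default, KeyInfo uses XML-DSig, so resolve both by URI.
#    The TLS cert must chain to a CA this host trusts (true for an enterprise CA).
$url = "https://$FederationServiceHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (New-Object System.Net.WebClient).DownloadString($url)
$ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $md.NameTable
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$published = $md.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns) |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
        $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (,$bytes)
        $x.Thumbprint
    } | Sort-Object -Unique

# 4. The new primary must appear in metadata before relying parties are
#    pointed at it; a stale listing usually means the service was not restarted.
if ($published -contains $signing.Thumbprint) {
    "OK: federation metadata advertises the primary token-signing certificate"
} else {
    Write-Warning ("Metadata does not list $($signing.Thumbprint); restart the " +
        "AD FS 2.0 Windows Service and re-check before updating relying parties")
}
```

The exported file is the one passed to keytool -import above; compare the thumbprint the script prints with the SHA1 fingerprint keytool -list shows for the adfs01-sign alias after the import.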
Install Cumulative Update 3 (CU3)
* Download Windows6.1-KB2790338-v2-x64
* Double click to install
* Restart computer
* Don't forget to run this PowerShell script, which the rollup installs under the ADFS 2.0 install directory:
C:\program files\active directory federation services 2.0\SQL\PostReleaseSchemaChanges.ps1
– Otherwise you might get “the signing certificate of the relying party trust is not unique” error message when you try to add two relying parties that have same signing key.
– See this discussion for details
Issues
A timeout was reached (30000 milliseconds) while waiting for the AD FS 2.0 Windows Service service to connect.
* This happens when the .NET runtime tries to build Authenticode publisher evidence for the service assemblies at startup, which involves a certificate revocation check; on a host without Internet access the check blocks until the service control manager gives up. ADFS does not need publisher evidence, so disable it.
* Add the entry below inside the <configuration> element of the Microsoft.IdentityServer.Servicehost.exe.config file, located in the ADFS 2.0 install directory (default C:\Program Files\Active Directory Federation Services 2.0), then restart the service:
<runtime>
  <generatePublisherEvidence enabled="false"/>
</runtime>
* See here for details
References
* ADFS Overview
* AD FS 2.0 Content Map
* Install the AD FS 2.0 Software