In my last post, on August 31st 2017, I showed you how to install the ADFS server role on Windows Server 2016. Today I will write about one of the most discussed and slightly complex topics in the O365 world: single sign-on with an ADFS server. Some people may think it is complex, but if you configure it step by step following this article I don't think you will find it very hard. If you want to know more about Azure hybrid identities, please check out my blog on Azure hybrid identities here, where I explain why ADFS is one of the best solutions for single sign-on.
If you don't know much about ADFS and are new to the ADFS world, here is some background.
What is ADFS?
Microsoft Active Directory Federation Services (AD FS) provides a platform for single sign-on to cloud applications outside the firewall. AD FS simplifies access to systems and applications using a claims-based access (CBA) authorization mechanism to maintain application security. It supports web single sign-on (SSO) technologies that help IT organizations collaborate across organizational boundaries. AD FS is a role service in Windows Server 2012 R2 and Windows Server 2016 and is available at no extra cost with the operating system licence.
In simple words, it is a software component developed by Microsoft that can be installed on Windows Server operating systems to give users single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity.
What is claim based authentication?
Claims-based authentication is the process of authenticating a user based on a set of claims about their identity contained in a trusted token. The application never sees the user's password; it trusts the token because it is signed by an issuer it has been configured to trust (here AD FS), so the security of the whole model rests on that signing key and on the trust relationship.
ADFS provides single sign-on, which allows a user to log in once and get access to all the systems without being prompted to log in again. Some of the features of ADFS 3.0 are as follows:
Automatic authentication: this feature lets users access corporate applications and resources with a single username and password.
Flexible authentication options: ADFS works with the SAML and WS-Federation protocols.
Configure your O365 Tenant with on premise ADFS server
This section outlines in detail the project steps I performed to implement the proposed solution:
Prepare the architecture diagram.
Open the required ports between the POC infrastructure and O365.
Activate the WhyAzure.in account for Office 365 and get the Office 365 administrator account credentials.
Prepare and deploy the Active Directory Federation Services server role on Windows Server 2016.
Verify domain ownership in the GoDaddy portal.
Add new users in O365 with the custom domain UPN.
Assign O365 licences to the new users.
Add DNS records in the GoDaddy portal.
Install Azure AD Connect.
Configure Azure AD Connect.
Start the directory sync.
Configure Azure AD Connect with the ADFS server.
Configure the SSL certificate in Azure AD Connect.
Install the Microsoft Azure Active Directory Module for Windows PowerShell (MSOnline).
Set the ADFS context (Set-MsolADFSContext) with PowerShell.
Start the AD sync cycle.
Test the ADFS-based single sign-on.
Proposed Architecture Diagram:
An enterprise-ready architecture for O365 SSO with an ADFS server is shown below; this is the standard solution used in most enterprises.
Fig: Whyazure Production Infrastructure.
However, in this post I have not used the ADFS proxy server role, because in most places this role is no longer used; instead people nowadays use Web Application Proxy (WAP) or Azure AD Application Proxy for the reverse-proxy service. Whichever proxy you choose, the federation server itself should not be reachable directly from the internet; the proxy layer terminates the external connection so that only it is exposed.
More details on the Azure AD WAP can be found here.
Used Architecture Diagram:
Below you can find the architecture for this POC.
Fig: The Architecture for this POC
(Please note that I have tested this configuration with my Office 365 Enterprise E3 Developer license.)
In the first step to set up SSO with the ADFS server, I added my custom domain to the Office 365 domain list.
Once it is added, the next step is to click the Start setup button in O365. This opens a wizard that takes me through the rest of the steps to configure O365 with ADFS.
Once I click Start setup, Microsoft asks me to prove that I own the domain and to provide some information; since my public DNS registrar is GoDaddy, I need to log in to the GoDaddy portal.
Once I have run through this wizard, Microsoft adds the DNS records to the GoDaddy portal.
The next step in the wizard is to add a few users to O365, as you can see below; note that these are cloud users and are NOT migrated from the on-premises AD.
Since we have added the users, the next step is to add licences.
I have assigned licences to the two users, as you can see below.
In the screen below I can see that emails were sent to the respective users' mailboxes.
The next step is to install the Office 365 apps; I skipped this step and clicked Next, since I don't need Office installed on our test workstations.
The next step is to migrate email from the existing email service provider to O365; I decided not to configure that, since this is a new lab environment and there is nothing to migrate.
DNS setup in GoDaddy: I can see the DNS records that were added to my GoDaddy DNS zone.
This is the end of the wizard, and I see the screen below.
Now I can check the details of the user I just created, as in the screenshot below.
Now log in to portal.azure.com and verify that your custom domain shows as verified.
Once I have verified that, the next step is to install Azure AD Connect on the ADFS server or any other server in the on-premises environment. In production, give Azure AD Connect its own domain-joined server rather than co-locating it with AD FS or a domain controller; its service account holds directory-wide rights, so whichever box it runs on becomes a tier-0 asset.
I logged in to my ADFS server and downloaded Azure AD Connect. Before installing, I checked the system configuration and made sure the server has enough resources to install and run this application.
Since this is not a showstopper, I can jump to the next step.
Now I log in to the Azure portal, and I can see that all the on-premises users are synced to Azure Active Directory, as shown below.
The next step is to perform some post-sync tasks, such as setting the MSOL ADFS context (Set-MsolADFSContext), as you can see in the screenshot below; WAI-DC001.whyazure.in is the FQDN of the server where the ADFS role is installed.
Next come some additional tasks, as shown below. Click Next to complete each of them.
After some time I can see the list of synchronized directories.
In the next step I have tried to connect to my
In the next step I have to connect to the AD FS server in my environment.
Now I can see the list of AD FS servers in my POC environment.
In this step I have to import the SSL certificate assigned to my ADFS server.
This is the public certificate of the ADFS server, and I have imported it into the Azure AD Connect application.
The next step shows the list of servers.
Once I click Next after this, I can see we are ready to configure Azure AD Connect.
After I click the Configure button, it shows the screen below.
In the next step I need to verify the AD FS login.
I got the error shown below. I am familiar with this error; it means that the Microsoft Azure Active Directory Module for Windows PowerShell (MSOnline) has not been installed on this computer. This is a prerequisite that was missing on this server.
So I downloaded the Microsoft Azure Active Directory Module for Windows PowerShell from the URL below.
I tried to log in with one of the test user accounts that I created in on-premises AD; it has now been synced to Azure AD and I have assigned an Office 365 licence to it. Here is the screenshot.
When I click Next it shows the message "Taking you to your organization's sign-in page". That redirect from the Microsoft login page to the AD FS endpoint is the sign that the domain is now federated: the password is checked by your ADFS server, not by Azure AD.
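The wizard hides what actually happens in the Set-MsolADFSContext and federation steps, and the MSOnline error above is easiest to avoid by installing the module up front. The script below is an added example (not from the original post or from Microsoft's wizard) that performs those steps from PowerShell and then runs the checks I would want before telling users the sign-in page has moved. It assumes it is run as an administrator on the AD FS server (so the ADFS module is present), that you hold Global Administrator credentials for the tenant, and that the domain is already verified; the domain name and server FQDN are the ones used in this post.

```powershell
# Added example, not part of the original post: federate whyazure.in with the
# on-premises AD FS farm from PowerShell and verify the result.
# Assumptions: run elevated on the AD FS server (ADFS module available),
# Global Admin credentials for the tenant, domain already verified in O365.
#Requires -RunAsAdministrator

$Domain   = 'whyazure.in'              # custom domain verified in Office 365 (from the post)
$AdfsHost = 'WAI-DC001.whyazure.in'    # server holding the AD FS role (from the post)

# 1. Prerequisite that the Azure AD Connect wizard complains about if missing.
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module -Name MSOnline -Scope AllUsers -Force
}
Import-Module MSOnline

# 2. Sign in to the tenant and point the MSOnline cmdlets at the AD FS server
#    (this is the Set-MsolADFSContext step shown in the screenshot).
Connect-MsolService
Set-MsolADFSContext -Computer $AdfsHost

# 3. The domain must be Verified before it can be federated.
$dom = Get-MsolDomain -DomainName $Domain
if ($dom.Status -ne 'Verified') {
    throw "Domain $Domain is not verified in the tenant; finish the DNS step first."
}
"Authentication type before: $($dom.Authentication)"   # Managed for a cloud-password domain

# 4. Federate the domain. This changes sign-in for EVERY user whose UPN is in
#    this domain from cloud passwords to AD FS, so do it only after directory
#    sync has run and the AD FS endpoint is reachable from the outside.
if ($dom.Authentication -ne 'Federated') {
    Convert-MsolDomainToFederated -DomainName $Domain
}

# 5. AD FS side: the cmdlet above must have created the Office 365 relying party trust.
$rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
if (-not $rp) { throw 'Relying party trust for Office 365 was not created on AD FS.' }

# 6. Check the token-signing certificate Azure AD trusts is the one AD FS signs
#    with. If they drift apart (auto-rollover, manual renewal) every federated
#    sign-in fails; if Azure AD still trusts an old key you retired, that key
#    can still mint valid tokens for your tenant.
$fed       = Get-MsolDomainFederationSettings -DomainName $Domain
$cloudCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                 [Convert]::FromBase64String($fed.SigningCertificate))
$adfsCert  = Get-AdfsCertificate -CertificateType Token-Signing |
             Where-Object IsPrimary |
             Select-Object -ExpandProperty Certificate

"Issuer URI in Azure AD  : $($fed.IssuerUri)"
"Passive sign-in URL     : $($fed.PassiveLogOnUri)"
"Azure AD trusts thumb   : $($cloudCert.Thumbprint)"
"AD FS primary thumb     : $($adfsCert.Thumbprint)"
if ($cloudCert.Thumbprint -ne $adfsCert.Thumbprint) {
    Write-Warning "Token-signing certificate mismatch; run Update-MsolFederatedDomain -DomainName $Domain"
}

# 7. Smoke test of the path the last screenshot reaches: the federation metadata
#    must be served over HTTPS by the federation service name, and its entityID
#    must match the IssuerUri Azure AD was given.
$fsName   = (Get-AdfsProperties).HostName
$meta     = Invoke-RestMethod -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$entityId = $meta.EntityDescriptor.entityID
"Metadata entityID       : $entityId"
if ($entityId -ne $fed.IssuerUri) {
    Write-Warning 'IssuerUri in Azure AD does not match the AD FS metadata entityID.'
}

# 8. Confirm the switch took effect in the tenant.
(Get-MsolDomain -DomainName $Domain).Authentication   # expect: Federated
```

Step 6 is the check worth keeping as a scheduled job after the POC: AD FS rolls its token-signing certificate automatically, and Azure AD only learns about the new one if the federation settings are updated (Azure AD Connect does this on its own schedule when it is configured for federation; Update-MsolFederatedDomain does it by hand). Step 4 is the destructive one; run it against a lab tenant first, exactly as the post does with its E3 developer licence.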