Thursday, September 19, 2024

Configuring Active Directory Federation Services (AD FS) for Single Sign-On (SSO)

If you’re operating within a Microsoft environment, you’ll likely benefit from implementing Single Sign-On (SSO) using Active Directory Federation Services (AD FS). SSO lets users reach multiple applications with a single set of Active Directory credentials, so applications never see the password and authentication policy (lockout, MFA, conditional access) is enforced in one place. In this tutorial, we’ll walk you through the process of configuring AD FS for SSO.

Prerequisites

  1. Windows Server: Ensure you’re using a version of Windows Server that supports AD FS. As of the writing of this tutorial, the latest version is Windows Server 2022. The screenshots and wizard pages below are from the AD FS version shipped with Windows Server 2016 and later; where the older wizard (Windows Server 2012 R2) differs, it is called out.
  2. Active Directory: A working Active Directory domain is required, and the server you install AD FS on must be joined to it. You will need domain administrator credentials to run the configuration wizard, but the AD FS service itself should not run as a domain admin (see Step 2).
  3. SSL Certificate: You’ll need a TLS certificate from a certificate authority your clients trust, installed with its private key in the local machine certificate store. Its subject or subject alternative name must match the Federation Service name you choose in Step 2 (for example fs.example.com), and that name must resolve in DNS to the AD FS server. This certificate secures all AD FS communications.

Step 1: Install the AD FS Role

The first step involves installing the AD FS Role on your Windows Server. To do this, follow the steps below:

  1. Open ‘Server Manager’ and select ‘Add roles and features.’
  2. Click ‘Next’ until you reach the ‘Select server roles’ page.
  3. Check ‘Active Directory Federation Services’ and click ‘Next.’
  4. On the ‘Select features’ page, click ‘Next.’
  5. On the ‘AD FS’ page, click ‘Next.’
  6. Confirm the installation selections and click ‘Install.’
  7. Once the installation is complete, click ‘Close.’

Step 2: Configure the AD FS

  1. In ‘Server Manager,’ click on the notification flag and select ‘Configure the federation service on this server.’
  2. The AD FS Configuration wizard will open. Select ‘Create the first federation server in a federation server farm’ and click ‘Next.’
  3. Specify the SSL certificate you have for the service, choose the Federation Service name (usually the fully qualified domain name (FQDN) in the certificate, such as fs.example.com), and then specify the Federation Service Display Name (what users see on the sign-in page). Click ‘Next.’
  4. Specify the service account that the AD FS service will run as. Use a group Managed Service Account (gMSA), which the wizard can create for you, or a dedicated standard domain user account; do not use a domain admin account for this. Domain admin rights are only needed for the credentials the wizard itself runs with. Click ‘Next.’
  5. Specify the database type. The Windows Internal Database (WID) is sufficient for small to medium-sized organizations; it supports farms of up to 30 servers and up to 100 relying party trusts, but does not support SAML artifact resolution or token replay detection. Choose SQL Server if you need any of those. Click ‘Next.’
  6. Review your settings. If everything is correct, click ‘Next.’ The wizard runs prerequisite checks before making any change.
  7. The configuration will now start. Once it’s done, click ‘Finish.’
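The same two steps can be done unattended from an elevated PowerShell session, which is also how you would build the second and subsequent farm members consistently. The script below is an added example and is not from the original article. It assumes a domain whose NetBIOS name is returned by Get-ADDomain, a Federation Service name of fs.contoso.local, a gMSA named gmsa-adfs, and a certificate for that name already imported into the local machine Personal store; all of these names are placeholders.

```powershell
# Added example (not part of the original article): unattended equivalent of Steps 1 and 2.
# Assumptions (placeholders): federation service name fs.contoso.local, gMSA gmsa-adfs,
# and a TLS certificate with private key for that name in Cert:\LocalMachine\My.
# Run elevated, as a domain admin, on the domain-joined server that becomes the first farm node.

$FederationServiceName = 'fs.contoso.local'   # assumption: must match the certificate subject/SAN and DNS
$DisplayName           = 'Contoso Corp'       # assumption: shown on the sign-in page
$GmsaName              = 'gmsa-adfs'          # assumption
$Domain                = Get-ADDomain

# Step 1: install the AD FS role and the AD PowerShell module used below.
Install-WindowsFeature -Name ADFS-Federation, RSAT-AD-PowerShell -IncludeManagementTools

# Least privilege: run the service as a group Managed Service Account, never as a domain admin.
# A KDS root key is a one-time per-forest prerequisite for gMSAs. -EffectiveImmediately is for
# lab use only; in production create the key and wait the default 10 hours for DC replication.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$($Domain.DNSRoot)" `
        -PrincipalsAllowedToRetrieveManagedPassword "$env:COMPUTERNAME`$"   # only this host may fetch the password
}

# Select the TLS certificate by subject so no thumbprint is hard-coded; require a private key.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FederationServiceName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with a private key for $FederationServiceName in LocalMachine\My" }

# Step 2: create the first federation server in a new farm backed by the Windows Internal Database.
# (For SQL Server, add -SQLConnectionString instead of relying on the WID default.)
Install-AdfsFarm `
    -CertificateThumbprint         $Cert.Thumbprint `
    -FederationServiceName         $FederationServiceName `
    -FederationServiceDisplayName  $DisplayName `
    -GroupServiceAccountIdentifier "$($Domain.NetBIOSName)\$GmsaName`$"

# Verification: once the DNS record points here, the federation metadata document must be
# served over HTTPS with the certificate above. Its entityID is what relying parties will trust.
$MetadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$Metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
"Federation service entityID: $($Metadata.EntityDescriptor.entityID)"
Get-AdfsProperties | Select-Object HostName, Identifier, DisplayName
```

If Invoke-WebRequest fails with a certificate error here, the certificate does not match the Federation Service name or is not trusted by the client; fix that before adding any relying party, because every application will hit the same problem.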

Step 3: Configure Relying Party Trust

A Relying Party Trust describes an application (or partner federation service) that AD FS is allowed to issue security tokens to: its identifier, the endpoint tokens are posted to, which users are authorized, and which claims are sent. Here’s how you set one up:

  1. Open the ‘AD FS Management’ console.
  2. Under ‘Actions,’ click ‘Add Relying Party Trust.’
  3. The ‘Add Relying Party Trust Wizard’ will appear. Click ‘Start.’
  4. Select ‘Enter data about the relying party manually’ and click ‘Next.’
  5. Specify a display name and any notes you want to add. Click ‘Next.’
  6. On Windows Server 2012 R2 and earlier you are asked to choose a profile; select ‘AD FS profile.’ This page does not appear in the Windows Server 2016 and later wizard. Click ‘Next.’
  7. On ‘Configure Certificate,’ add a token encryption certificate only if the application requires encrypted tokens (the certificate is the application’s public key, not the AD FS certificate). Otherwise, just click ‘Next.’
  8. On ‘Configure URL,’ check ‘Enable support for the WS-Federation Passive protocol’ and enter the URL the application expects tokens to be posted to. If the application uses SAML 2.0 instead, check ‘Enable support for the SAML 2.0 WebSSO protocol’ and enter its Assertion Consumer Service URL. Both must be https:// URLs. Click ‘Next.’
  9. On ‘Configure Identifiers,’ add the relying party trust identifier. This must match, character for character, the realm (wtrealm) or SAML Issuer / Entity ID that the application sends in its sign-in request; it is often the same URL as above. Click ‘Add,’ then ‘Next.’
  10. On ‘Choose Access Control Policy’ (Windows Server 2016 and later), choose ‘Permit everyone’ to get started; on 2012 R2 the equivalent is ‘Permit all users to access this relying party.’ For anything beyond a test, prefer a policy that limits access to a specific group or requires MFA, since a trust that permits everyone lets any domain account sign in to the application. Click ‘Next.’
  11. Review your settings, then click ‘Next’ and ‘Close.’ The trust should now be set up.

Step 4: Adjust Claim Rules

  1. In the ‘AD FS Management’ console, under ‘Relying Party Trusts,’ select the trust you just created.
  2. Under ‘Actions,’ click ‘Edit Claim Rules.’
  3. Click ‘Add Rule.’
  4. In the wizard, select ‘Send LDAP Attributes as Claims’ and click ‘Next.’
  5. Provide a name for the rule, select ‘Active Directory’ as the attribute store, and map the LDAP attributes to outgoing claim types as per your requirements (for example E-Mail-Addresses to E-Mail Address, User-Principal-Name to UPN, and Token-Groups - Unqualified Names to Group). Click ‘Finish.’
  6. You might need to add more rules depending on your application’s needs, such as a Transform rule that turns the UPN claim into the Name ID a SAML application expects. Only send the claims the application actually consumes; every extra attribute is information about your directory handed to a third party.
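Steps 3 and 4 map onto a single Add-AdfsRelyingPartyTrust call, and scripting them makes the trust reviewable and repeatable. The following is an added example, not code from the original article. It assumes a WS-Federation application called Intranet Portal at https://portal.contoso.local/ that uses that same URL as its realm, and an AD group named Portal Users that should be the only group allowed to sign in; every one of those names is a placeholder. It goes a little beyond the wizard walk-through above by replacing ‘permit everyone’ with a group-restricted authorization rule.

```powershell
# Added example (not part of the original article): Steps 3 and 4 from PowerShell.
# Assumptions (placeholders): application "Intranet Portal", WS-Federation endpoint and realm
# https://portal.contoso.local/, and an AD group "Portal Users" that is allowed to use it.
# Requires the ActiveDirectory module (RSAT-AD-PowerShell) and the ADFS module on the farm node.

$RpName     = 'Intranet Portal'                 # assumption
$RpUrl      = 'https://portal.contoso.local/'   # assumption: where the app receives tokens (wreply)
$RpRealm    = 'https://portal.contoso.local/'   # assumption: must equal the wtrealm the app sends
$AllowedGrp = 'Portal Users'                    # assumption

# Step 4 as claim rule language. This is the rule the "Send LDAP Attributes as Claims"
# template generates: look up the authenticated user in AD by Windows account name and
# issue mail, UPN and group names as standard claim types.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"),
          query = ";mail,userPrincipalName,tokenGroups;{0}", param = c.Value);
'@

# Authorization: permit only members of the allowed group, matched on SID rather than on a
# display name that can be renamed. This replaces "Permit all users" from the wizard.
$GroupSid = (Get-ADGroup -Identity $AllowedGrp).SID.Value
$AuthzRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit $AllowedGrp only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$GroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Step 3: create the trust. For a SAML 2.0 application, replace -WSFedEndpoint with
#   -SamlEndpoint (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl)
# and set -Identifier to the application's Entity ID.
Add-AdfsRelyingPartyTrust -Name $RpName `
    -Identifier $RpRealm `
    -WSFedEndpoint $RpUrl `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'   # never SHA-1

# Check what was created. Identifier and WSFedEndpoint are what the application must match.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled, SignatureAlgorithm
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceAuthorizationRules
```

Because explicit issuance authorization rules are supplied, AD FS on Windows Server 2016 and later treats this trust as using legacy rules instead of an access control policy; if you prefer the policy model, drop -IssuanceAuthorizationRules and pass -AccessControlPolicyName with one of the built-in policies instead.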

And that’s it! You’ve successfully configured AD FS for SSO. Test the setup end to end before handing it to users: browse to the application and confirm you are redirected to the AD FS sign-in page and back with a valid session, and confirm that a user outside the permitted group is refused. The IdP-initiated sign-on test page (https://<federation service name>/adfs/ls/idpinitiatedsignon.aspx) is disabled by default on Windows Server 2016 and later; enable it temporarily with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true if you want to use it, and turn it off again afterwards. Failed sign-ins are logged in the AD FS/Admin event log, which is the first place to look when a token is rejected.
