During last year, my team had a lot of Office 365 implementation and migration. Although Office 365 has a lot of services, and we can spend so many time in discussing and explaining their functionalities, I decided to describe and show you how to implement Single Sign On (SSO) for your Office 365 tenant.
This series will have 3 posts:
- Install and configure AD FS
- Install and configure AD FS Proxy (Web App Proxy)
- Configure Office 365 for SSO
Before start, brief description of identities in Office 365.
Cloud Identity – Users are created and managed in Azure Active Directory (AAD)
Directory Synchronization – Users are created and managed in the on-premises directory and get synchronized to Office 365
Federated Identity – Federation relies on directory synchronization so that AAD is populated. When the authentication request is presented to Office 365, the service will then contact the on-premises ADFS infrastructure so that AD is responsible for authenticating the request.
ADFS is the primary choice for users who want to use SSO with Office 365. On this link aka.ms/SSOProviders, you can find lists of identity providers that have been qualified with Office 365.
What you need to know before start
- The ADFS should be deployed within the domain network, NOT in the DMZ
- The ADFS proxy role (WAP) should be installed into the DMZ
- You can use SQL or WID database
- Must have valid SSL certificate issue from public certification provider
- Must have separate service account for ADFS
ADFS installation is pretty simple task, and you don’t need to install any other role or feature to support ADFS. IIS dependency removed in ADFS 2012 R2. (I like to use IIS to create CSR for needed SSL certificate).
Before starting the ADFS configuration:
- SSL certificate must be installed
- Service account must be created
- For configuration wizard, you must have domain admin permissions.
You need to specify account with domain administrator permissions
Select pre-installed SSL certificate, select federation service name and ADFS display name
Select service account for ADFS
Select SQL or WID database for ADFS configuration data
After these steps, ADFS installation and configuration is done, but we need few more steps 🙂
DNS record for the ADFS instance must be created. Create this A record in your internal and external DNS zones.
!!! Very important information regarding DNS !!!
There is no concept of an InternalURL or ExternalURL for the ADFS. Clients will use the same name on the intranet and internet to locate ADFS, so you need to implement split brain DNS.
In my case I will add A record adfs.tech-trainer.info to my public DNS zone. Because my local domain is tech-trainer.local, and must create DNS zone tech-trainer.info and add same A record to local DNS. If I decide to not implement split brain DNS, all authentication queries from intranet will be processed over internet.
Once when you configure everything, you can test ADFS functionality via browser. Just simply type https://adfs.tech-trainer.info/adfs/ls/idpinitiatedsignon.htm in browser (in my case) and try to sign in. If you can sign in, you are ADFS is configured properly.
In next post, I will show you why and how to configure ADFS Proxy (Web Application Proxy).
To be continued …