
Setup Guide for AD FS 2.0/2.1 on the Apprenda Platform

Last Updated for Apprenda 6.5.2

The Apprenda Platform leverages Active Directory Federation Services (AD FS) to support identity federation. AD FS and the Apprenda Platform can then be configured to authenticate against an external user store (e.g., Active Directory). In Apprenda terminology, AD FS instances that are leveraged and managed by the Apprenda Platform are called “AD FS nodes”.

For those who may not be familiar with AD FS setup, this guide provides information on configuring AD FS nodes for use with the Apprenda Platform. Setup information is based on scenarios that have been configured and tested by the Apprenda Client Services team. Two separate configuration choices are covered:

- A federation server farm (for any environment where HA is a concern or where additional AD FS nodes may be added at a later time). Note that you can set up a farm with only one server (and add servers later as needed).
- A stand-alone federation server (suitable for lab environments where HA is not a concern; additional AD FS nodes cannot be added at a later time if this option is selected).

IT professionals familiar with AD FS setup and configuration should feel free to forgo this guide and configure AD FS nodes to meet the basic Apprenda requirements outlined in the Pre-Installation Checklist while keeping in accordance with the procedures outlined by their own enterprise IT policy.

Contents

Apprenda AD FS Configuration Pre-requisites ... 2
Configuration and Apprenda Installation for an AD FS Federation Server Farm ... 8
Configuration and Apprenda Installation for an AD FS Stand-alone Federation Server ... 15
Appendix 1: Configuring the Federation Website in IIS ... 18
Appendix 2: Understanding AD FS Trust Relationships ... 20


APPRENDA AD FS CONFIGURATION PRE-REQUISITES

The following should be performed prior to configuring AD FS and installing the Apprenda Platform.

Apprenda Windows App Server Pre-requisites

AD FS nodes will also act as Apprenda Windows Application Servers, as they host the Apprenda Windows Host in order to support the Apprenda Federation WCF service. As such, they must meet all the requirements for Windows Application Servers (including all hardware and software requirements for Apprenda Platform Windows Servers in general) listed in the Pre-Installation Checklist.

Supported versions of IIS

AD FS 2.0/2.1 depends on IIS; therefore IIS 7 or higher is a prerequisite.

Federation Service and Site Name

Each AD FS node must run AD FS under a service name and must host a website in IIS with a corresponding site name. For an AD FS farm, the service/website name must be the same across all AD FS nodes.

The following format is suggested (where “cloudURL” is the root URL that will be used in one of the clouds on your Apprenda environment): identity.cloudURL. If, for instance, the cloudURL planned for one of the clouds on your Apprenda environment is “apprenda.fedtest”, the suggested identity service and site name would be “identity.apprenda.fedtest”. It should be noted that this format, which is used throughout the examples below, is a suggestion only, and the service name may be formatted according to your organization’s own naming policies.

DNS Setup

A DNS “A” record entry must be set up that points the identity site name (e.g., identity.cloudURL) to the AD FS node(s). If you will use more than one AD FS node, a load balancer may be used to distribute traffic; alternately, a round-robin DNS setup will suffice.

Windows Accounts

Install account

The user account used to install and configure AD FS must be a local administrator on each AD FS node.

If possible, the account should have domain administrator privileges, as this will allow you to set the SPN for the account/AD FS service through the AD FS configuration commands. Alternately, a domain administrator can set up the SPN ahead of time.
  o SPN Setup in domain for the Service Account: http://technet.microsoft.com/en-us/library/dd807078(WS.10).aspx
  o Please note that the “host” entry should correspond to the DNS entry that will point to the identity site (e.g., identity.cloudURL)

AD FS Service account

If installing a federation server farm, you will need a dedicated Service Account under which the AD FS service will run on all AD FS nodes. You may use a domain user account or, if supported on your domain, a group Managed Service Account.

The account must be granted the following rights on the AD FS nodes prior to the AD FS configuration process, as the AD FS service will log on as this account:

- “Allow Log on Locally”
- “Log on as a Service”
- “Log on as a Batch Job”

It is important that you (or your IT department) ensure that Group Policy settings will not revoke the above permissions from this account.

If installing a stand-alone federation server (with AD FS 2.0/2.1), you can simply use the AD FS configuration defaults, which will configure the AD FS service to run as Network Service.
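The following PowerShell script is an added example (not part of this guide or of Apprenda’s tooling) that checks the two account prerequisites just described on a single AD FS node: that the HOST SPN for the federation service name is registered to the AD FS Service Account (the SPN step from the “Install account” section) and that the account directly holds the three logon rights listed above. The federation service name and account name are placeholders; run it in an elevated PowerShell session on the node.

```powershell
# Added example, not part of the Apprenda guide: check that an AD FS service
# account has the HOST SPN for the federation service name and the three logon
# rights listed above on the local node. Assumptions: the service name and
# account are placeholders; run in an elevated PowerShell on the AD FS node.
param(
    [string]$FederationServiceName = 'identity.apprenda.fedtest',   # placeholder
    [string]$ServiceAccount        = 'cs\adapprenda'                # placeholder
)

# --- 1. SPN registered for the service account? (setspn -L lists its SPNs) ---
$expectedSpn = "HOST/$FederationServiceName"
$spnLines = & setspn -L $ServiceAccount 2>&1
if ($spnLines | Where-Object { $_ -match [regex]::Escape($expectedSpn) }) {
    Write-Host "OK: $expectedSpn is registered for $ServiceAccount"
} else {
    Write-Warning "$expectedSpn is not registered for $ServiceAccount."
    Write-Warning "A domain administrator can add it with: setspn -S $expectedSpn $ServiceAccount"
}

# --- 2. Local User Rights Assignment ----------------------------------------
# secedit exports the effective policy; each right is a line of SIDs (prefixed
# with '*') or account names. Only direct grants are checked; rights inherited
# through group membership are not expanded here.
$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$export  = Join-Path $env:TEMP 'user-rights.inf'
& secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$policy  = Get-Content $export
Remove-Item $export -ErrorAction SilentlyContinue

$requiredRights = @{
    'SeInteractiveLogonRight' = 'Allow log on locally'
    'SeServiceLogonRight'     = 'Log on as a service'
    'SeBatchLogonRight'       = 'Log on as a batch job'
}
$missing = @()
foreach ($constant in $requiredRights.Keys) {
    $line = $policy | Where-Object { $_ -like "$constant *" }
    $granted = $line -and (($line -match [regex]::Escape("*$sid")) -or ($line -match [regex]::Escape($ServiceAccount)))
    if (-not $granted) { $missing += $requiredRights[$constant] }
}

if ($missing.Count -eq 0) {
    Write-Host "OK: $ServiceAccount holds all three logon rights on $env:COMPUTERNAME"
} else {
    Write-Warning "Missing for $ServiceAccount on $env:COMPUTERNAME: $($missing -join ', ')"
    Write-Warning 'Grant them in Local Security Policy (or the applicable GPO) before running FSConfig.'
}
```

Run it once per AD FS node before FSConfig; a right granted through a group rather than directly to the account will show as missing here, which is a prompt to check the group membership rather than an error in itself.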

Certificates

AD FS requires a certificate for three different purposes:
- SSL certificate (you must provide this)
- Token Signing certificate (can be provided by you or generated through AD FS)
- Token Decrypting certificate (can be provided by you or generated through AD FS)

SSL and Root Certificates

You will need an SSL certificate in .pfx format where the CN matches the federation service/site name (e.g., identity.cloudURL) or the CN is a wildcard for the cloudURL of the environment (e.g., *.cloudURL). Unless it is already installed on the AD FS nodes (as is common practice in some enterprise IT or when using certificates from a commercial provider), you will also need the root certificate used to issue the SSL certificate. Once you have obtained the certificate(s), the following must be performed on each AD FS node:

Open the MMC Certificate Snap-in:
- Open MMC (which should be included on all Windows OS).
- Under File choose Add/Remove Snap-in.
- Select the Certificates snap-in and click Add.
- Select Computer account, then click Next.
- Select Local computer, then click Finish. Click OK to open the snap-in.

Import the SSL certificate:
- Under Certificates (Local Computer), right-click on the Personal folder and select All Tasks > Import to open the Certificate Import Wizard. Click Next.
- Use the browse functionality to select the SSL certificate, then click Next.
- Type the password for the certificate and select Mark this key as exportable. Click Next.
- Choose the option to place all certificates in the Personal certificate store and click Next.
- Click Finish to complete the process. The certificate will now appear in the Personal > Certificates folder.

Grant the AD FS Service Account permission to manage the private keys for the SSL certificate:
- Right-click on the SSL certificate and select All Tasks > Manage Private Keys.
- Add the AD FS Service Account to the list of Group or user names.
- Grant the account Full control.

Import the root certificate (issuer of the SSL certificate) as a Trusted Certificate Authority:
- Under Certificates (Local Computer), right-click on the Trusted Root Certification Authorities folder and select All Tasks > Import to open the Certificate Import Wizard. Click Next.
- Use the browse functionality to select the root certificate, then click Next.
- Choose the option to place all certificates in the Trusted Root Certification Authorities certificate store and click Next.
- Click Finish to complete the process. The certificate will now appear in the Trusted Root Certification Authorities > Certificates folder.
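The same three certificate steps (SSL import with an exportable key, root import, private key permission for the service account) can be scripted so they are applied identically on every node. The script below is an added example, not from this guide or from Apprenda; file paths and the service account name are placeholders, and it assumes a CAPI (RSA) private key, whose key file under ProgramData is what the “Manage Private Keys” dialog edits. Import-PfxCertificate and Import-Certificate come with the PKI module on Windows Server 2012 and later.

```powershell
# Added example, not from the Apprenda guide: the "Certificates" steps above run
# from an elevated PowerShell session on one AD FS node. Assumptions: paths and
# the service account are placeholders; the PFX uses a CAPI (RSA) key.
param(
    [string]$PfxPath        = 'C:\certs\identity.pfx',       # placeholder
    [string]$RootCertPath   = 'C:\certs\issuing-root.cer',   # placeholder
    [string]$ServiceAccount = 'cs\adapprenda'                 # placeholder
)

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Import the SSL certificate into Local Computer > Personal with an exportable key
# (the "Mark this key as exportable" option in the wizard).
$ssl = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
                             -Password $pfxPassword -Exportable
Write-Host "Imported $($ssl.Subject), thumbprint $($ssl.Thumbprint)"

# Import the issuing root into Trusted Root Certification Authorities.
$root = Import-Certificate -FilePath $RootCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Trusted root: $($root.Subject)"

# Grant the AD FS service account Full Control on the SSL certificate's private key.
# For a CAPI key the key container is a file under ProgramData\Microsoft\Crypto
# protected by an ordinary file ACL; "Manage Private Keys" edits that ACL.
if (-not $ssl.HasPrivateKey) { throw "Certificate $($ssl.Thumbprint) has no private key" }
$containerName = $ssl.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $containerName |
           Select-Object -First 1
if (-not $keyFile) { throw "Private key file $containerName not found (CNG key?)" }

$acl  = Get-Acl $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl
Write-Host "Granted FullControl on the private key to $ServiceAccount"

# Verify: the service account now appears in the key file's ACL.
$shortName = $ServiceAccount.Split('\')[-1]
(Get-Acl $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference -like "*$shortName*" } |
    Format-Table IdentityReference, FileSystemRights -AutoSize
```

If the PFX was generated with a CNG key the UniqueKeyContainerName lookup returns nothing and the script stops; in that case use the MMC steps above, which handle both key types.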

Token Signing Certificate and Token Decrypting Certificate

For the Token Signing and Token Decrypting certificates, you may provide certificates or you may enable the Automatic Certificate Rollover Feature in AD FS, which will create and manage self-signed certificates. When this feature is enabled and the managed certificates reach their expiration date, AD FS will create new self-signed certificates and replace them. When creating a stand-alone federation server, the Automatic Certificate Rollover Feature is enabled by default. When creating a federation server farm, the install account must be a domain administrator in order to use this feature, as it requires the creation of an Active Directory container for sharing signing and Decrypting certificates.

Alternately, you may specify certificates when configuring the AD FS service (this does not require a domain administrator as the install account when creating a federation server farm). Depending on your organizational needs, you may choose to use a separate certificate for each certificate type, or you may choose to simply use the AD FS SSL certificate for the Token Signing and Token Decrypting certificates. In all cases, be mindful of any expiration dates on the certificates, as expired certificates that are not managed by AD FS must be replaced.


Please Note: The AD FS configuration process will set up a Token Signing certificate as per your specification (either one that you specify or one that is managed by AD FS). After the Apprenda installation completes, however, this certificate will be marked as the Secondary Token Signing certificate, and the Apprenda installer will configure AD FS to use the Apprenda Platform Signing certificate as the Primary Token Signing certificate in AD FS. This is necessary in order for the Apprenda Platform to locate (and therefore control) the certificate that will be used for AD FS Token Signing so that Apprenda workloads can properly validate the source of the claims they receive.

Importing Additional Certificates

If Automatic Certificate Rollover is disabled and certificates other than the AD FS SSL certificate will be used, they should be imported into the Personal Certificate Store as per the procedures outlined in the “Import the SSL Certificate” step above.

You should also follow the steps outlined in the “Grant the AD FS Service Account permission to manage the private keys for the SSL certificate” section above for each additional certificate.

Locating Certificate Thumbprints

Some of the installation steps below require the thumbprint for a certificate. The thumbprint of a certificate on a local machine can be located as follows:
- In the MMC Certificate Snap-in, open the Personal > Certificates folder.
- Right-click on the certificate and select Open.
- The thumbprint for the certificate is listed on the Details tab. Click on the thumbprint row to view the thumbprint in the lower window (where you can copy it).

Should you prefer, you may also locate the thumbprint for certificates by running the following command in PowerShell on a machine where the certificates are installed:

    dir Cert:\LocalMachine\My
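Beyond listing the store, a practitioner usually wants to pick out the identity SSL certificate by name, confirm it is not near expiry (the caveat from the “Token Signing Certificate and Token Decrypting Certificate” section) and has a private key, and get the thumbprint in the space-separated form the FSConfig examples later in this guide use. The script below is an added example, not from this guide or from Apprenda; the federation service name is a placeholder, and the wildcard matching covers the *.cloudURL case mentioned under “SSL and Root Certificates”.

```powershell
# Added example, not from the Apprenda guide: list Cert:\LocalMachine\My, select
# the identity SSL certificate by federation service name (exact CN/SAN or a
# wildcard for the parent domain), check validity and private key, and print the
# thumbprint in FSConfig's "xx xx xx" form. Assumption: the service name is a placeholder.
param(
    [string]$FederationServiceName = 'identity.apprenda.fedtest',   # placeholder
    [int]$WarnDays = 30
)

function Format-Thumbprint([string]$Thumbprint) {
    # "C438D12F..." -> "c4 38 d1 2f ..." as written in the FSConfig examples
    ($Thumbprint -replace '(..)(?!$)', '$1 ').ToLower()
}

function Test-NameMatch([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name) {
    # Collect the subject DNS name plus any Subject Alternative Name entries.
    $names = @($Cert.GetNameInfo('DnsName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) { $names += ($san.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1] }) }
    foreach ($n in $names) {
        if ($n -eq $Name) { return $true }
        # Wildcard covers exactly one label: *.apprenda.fedtest matches identity.apprenda.fedtest
        if ($n.StartsWith('*.') -and $Name.EndsWith($n.Substring(1)) -and
            ($Name.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

$all = Get-ChildItem Cert:\LocalMachine\My
$all | Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize

$candidates = @($all | Where-Object { Test-NameMatch $_ $FederationServiceName })
if ($candidates.Count -eq 0) { throw "No certificate in LocalMachine\My matches $FederationServiceName" }

foreach ($c in $candidates) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0)             { Write-Warning "$($c.Thumbprint) EXPIRED on $($c.NotAfter)" }
    elseif ($daysLeft -lt $WarnDays) { Write-Warning "$($c.Thumbprint) expires in $daysLeft days" }
    if (-not $c.HasPrivateKey)       { Write-Warning "$($c.Thumbprint) has no private key; AD FS cannot use it" }
    Write-Host "Subject       : $($c.Subject)"
    Write-Host "FSConfig form : `"$(Format-Thumbprint $c.Thumbprint)`""
}
```

The same check applies to any Token Signing or Token Decrypting certificate you supply yourself, since those are not replaced automatically when rollover is disabled.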

SQL Server or Windows Internal Database

AD FS offers the option to use either SQL Server or Windows Internal Database to store configuration data. Because Apprenda manages the AD FS nodes and related configuration data, the type of database selected should adhere to the following:

- For lab environments where a single AD FS node will be used and where upgrading to a different version of AD FS will not be a concern, Windows Internal Database (WID), which is included with the AD FS installation, may be safely used. If WID is selected for the AD FS database, it will be set up automatically at AD FS configuration.
- For AD FS farms that include more than one AD FS node, Apprenda requires that SQL Server be used for the AD FS database; otherwise, Apprenda will be unable to properly manage all AD FS nodes in the farm. The SQL Server instance must be configured prior to AD FS configuration.
- For all other AD FS setups, Apprenda recommends that SQL Server be used for the AD FS database, as SQL Server offers HA and scalability when a failover cluster is used. It also allows for future addition/removal of AD FS nodes by removing ties to a Windows Internal Database instance on a given AD FS node. The SQL Server instance must be configured prior to AD FS configuration.

SQL Server Versions

It should be noted that the following SQL Server versions have been successfully used with AD FS:
- AD FS 2.0: SQL Server 2005 and SQL Server 2008. SQL Server 2012 is not recommended, as it requires changes to the database configuration scripts (please contact your Client Services representative for potential workarounds should your AD FS setup absolutely require AD FS 2.0 and SQL Server 2012).
- AD FS 2.1: SQL Server 2012 (other versions may be compatible but have not been tested).

SQL Server Configuration and Account Permissions

The SQL Server instance must be configured prior to AD FS configuration (preferably as a failover cluster if HA and/or scale is a concern).

The following account permissions are required to use SQL Server as the backing database for AD FS:
- The account used to install AD FS must have permissions to create the necessary AD FS configuration databases and grant permissions to the AD FS service account. This can be achieved by granting the SQL Server sysadmin role to the install account during AD FS installation.
- The AD FS Service Account must be given access to the SQL Server instance; at installation it will be granted permission to read the necessary AD FS configuration databases.
- The SQL instance must be configured to Allow Remote Connections.
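The three SQL Server requirements above can be prepared and checked from PowerShell. The script below is an added example, not from this guide or from Apprenda: it creates Windows logins for both accounts if they are missing, wraps the sysadmin grant for the install account in a function so it can be dropped again as soon as FSConfig has finished (the guide asks for sysadmin only “for the duration of AD FS installation and configuration”), and confirms the instance’s TCP listener is reachable from the node. Instance name, account names and port are placeholders; Invoke-Sqlcmd comes from the SqlServer/SQLPS module.

```powershell
# Added example, not part of the Apprenda guide: the SQL Server side of the
# checklist above via Invoke-Sqlcmd (SqlServer/SQLPS module). sysadmin for the
# install account is granted only around the FSConfig run; the service account
# gets a plain login (FSConfig grants it database access itself).
# Assumptions: instance, account names and TCP port are placeholders; run as a
# SQL login allowed to create logins and change server role membership.
param(
    [string]$SqlInstance    = 'Server01\Instance01',   # placeholder, Host\Instance
    [string]$InstallAccount = 'cs\adfsinstaller',      # placeholder
    [string]$ServiceAccount = 'cs\adapprenda',         # placeholder
    [int]$TcpPort           = 1433                     # placeholder; named instances usually differ
)

# Windows logins for both accounts, created only if missing (safe to re-run).
$createLogins = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$InstallAccount')
    CREATE LOGIN [$InstallAccount] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceAccount')
    CREATE LOGIN [$ServiceAccount] FROM WINDOWS;
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $createLogins

function Set-InstallAccountSysadmin([bool]$Enabled) {
    # sp_addsrvrolemember / sp_dropsrvrolemember exist on SQL Server 2005 through
    # 2012, the versions listed above; ALTER SERVER ROLE would need 2012 or later.
    $proc = if ($Enabled) { 'sp_addsrvrolemember' } else { 'sp_dropsrvrolemember' }
    Invoke-Sqlcmd -ServerInstance $SqlInstance `
        -Query "EXEC $proc @loginame = N'$InstallAccount', @rolename = N'sysadmin';"
    Write-Host "sysadmin for $InstallAccount enabled = $Enabled"
}

# "Allow Remote Connections": the AD FS node must reach the instance's TCP listener.
$sqlHost = $SqlInstance.Split('\')[0]
$client  = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($sqlHost, $TcpPort)
    Write-Host "OK: $sqlHost`:$TcpPort accepts connections from $env:COMPUTERNAME"
} catch {
    Write-Warning "$sqlHost`:$TcpPort unreachable: enable TCP/IP and remote connections on the instance and open the firewall."
} finally {
    $client.Close()
}

Set-InstallAccountSysadmin $true
Write-Host 'Run FSConfig (CreateSQLFarm / JoinSQLFarm) now, then revoke with: Set-InstallAccountSysadmin $false'
```

Dot-source the script (`. .\Prepare-AdfsSql.ps1`) so that Set-InstallAccountSysadmin remains available in the session for the revoke step after FSConfig completes.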

Supported Version of AD FS Installed

The version(s) of AD FS supported for a given Apprenda Platform version are listed in the AD FS Nodes section of the Pre-Installation Checklist. Please note that all AD FS nodes within an AD FS Web farm must run the same version of AD FS.

Perform the following AD FS installation steps on all AD FS nodes.

WINDOWS SERVER 2008 R2 (AD FS 2.0)

1. Download AD FS 2.0 (http://www.microsoft.com/en-us/download/details.aspx?id=10909)
2. Launch the installer.
3. Click Next.
4. Select Federation Server.
5. Click Next and allow it to install.
6. Once AD FS is installed you should see the following screen. If you do not, simply open the AD FS Management Console:


WINDOWS SERVER 2012 (AD FS 2.1)

1. Install the Active Directory Federation Services Role through the Server Manager.

CONFIGURATION AND APPRENDA INSTALLATION FOR AN AD FS FEDERATION SERVER FARM

The instructions below outline the configuration steps for an AD FS farm using SQL Server for the AD FS Configuration database. Although all screenshots are for AD FS 2.1, the workflow will be the same for AD FS 2.0.

Checklist:
- IIS has been installed on all AD FS nodes.
- DNS entry or entries have been configured.
- A dedicated AD FS Service Account has been created.
- If you are not installing using an account with domain admin permissions, the SPN for the AD FS service has been manually configured (by you or your IT department).
- A dedicated SQL instance for the AD FS Configuration DB has been set up.
  o The install user has sysadmin permissions for the duration of AD FS installation and configuration.
  o The AD FS Service Account has read access to the instance.
- All certificates you will use are installed on the machines as noted above.
- The thumbprint for the identity SSL certificate you will use (see the “Certificates” section above) is on hand.
- If you are not installing using an account with domain admin permissions, the thumbprints for the Token Signing and Token Decrypting certificates are also on hand.
- AD FS has been installed on all AD FS nodes.
- The user under which you will configure AD FS is a local admin on AD FS nodes.

Install the First Node in the Federation Farm

1. Open PowerShell.
2. Run one of the commands below (depending on whether or not the executing user is a Domain Admin) from the location in which FSConfig resides, within a user context that has read/write access to the database and domain admin privileges.
   a. Default AD FS 2.0 install: C:\Program Files\Active Directory Federation Services 2.0
   b. Default AD FS 2.1 install: C:\Windows\ADFS

   Executing user is NOT a Domain Admin (or you want to specify Token Decrypting/Signing certs):

       .\FSConfig.exe CreateSQLFarm /ServiceAccount XXX /SQLConnectionString "database=AdfsConfiguration;server=XXX;integrated security=SSPI" /CertThumbprint "XX XX…" /SigningCertThumbprint "XX XX…" /DecryptCertThumbprint "XX XX…" /federationservicename identity.ROOTURL /cleanconfig

   ServiceAccount specifies the service account that the AD FS service will be running as. Server (in the connection string) corresponds to the SQL Server Host\InstanceName in which the AD FS databases will be stored. If you are using the default instance, only the host (server) name is typically needed.

   NOTE: /cleanconfig will wipe any existing AD FS database that you already have in the SQL Server being deployed to.

   Example

       .\FSConfig.exe CreateSQLFarm /ServiceAccount cs\adapprenda /SQLConnectionString "database=AdfsConfiguration;server=Server01\Instance01;integrated security=SSPI" /CertThumbprint "c4 38 d1 2f 7f a3 cd 3e 19 21 94 64 6a 14 db 0e a6 60 1c 5f" /SigningCertThumbprint "65 af b2 82 28 a4 eb f7 21 2e 6e d1 5e 07 1e 8d 24 53 5e 42" /DecryptCertThumbprint "65 af b2 82 28 a4 eb f7 21 2e 6e d1 5e 07 1e 8d 24 53 5e 42" /federationservicename identity.federation.test /cleanconfig

   Executing user IS a Domain Admin (and you will enable Automatic Certificate Rollover):

   If the install account is a domain administrator, you may enable the Automatic Certificate Rollover Feature, in which case you need only specify the thumbprint of the SSL Certificate that will be used:

       .\FSConfig.exe CreateSQLFarm /ServiceAccount XXX /SQLConnectionString "database=AdfsConfiguration;server=XXX;integrated security=SSPI" /CertThumbprint "XX XX …" /federationservicename identity.ROOTURL /cleanconfig /AutoCertRolloverEnabled

   NOTE: /cleanconfig will wipe any existing AD FS database that you already have in the SQL Server being deployed to.

   Example

       .\FSConfig.exe CreateSQLFarm /ServiceAccount cs\adapprenda /SQLConnectionString "database=AdfsConfiguration;server=Server01\Instance01;integrated security=SSPI" /CertThumbprint "c4 38 d1 2f 7f a3 cd 3e 19 21 94 64 6a 14 db 0e a6 60 1c 5f" /federationservicename identity.federation.test /cleanconfig /AutoCertRolloverEnabled

   If you prefer to specify your own Token Signing and/or Token Decrypting certificate, simply run the command with the /SigningCertThumbprint and /DecryptCertThumbprint parameters listed above for scenarios when the install account is not a domain admin.

3. Once you are done with the command line, open the AD FS Manager and click on Edit Federation Service Properties.


4. Change the Federation Service identifier to match the following pattern (the “https” and the final slash are critical): https://identity.cloudURL/adfs/ls/


5. Click on Apply when done.
6. Restart the Federation Service via the Windows Services window. It is listed as AD FS 2.0 Windows Service for AD FS 2.0, and AD FS Windows Service for AD FS 2.1.
7. Configure the Default Web site on the first node as indicated in Appendix 1.
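Once steps 4 to 6 are done, the node’s state can be verified without clicking through AD FS Manager. The script below is an added example, not from this guide or from Apprenda: it reads the Federation Service identifier and name with Get-ADFSProperties (from the Microsoft.Adfs.PowerShell snap-in that ships with AD FS 2.0/2.1), compares the identifier character-for-character because the guide calls the https scheme and trailing slash critical, checks that the AD FS Windows Service is running, and lists the Token Signing certificates with their primary flag, which is where the Apprenda Platform Signing certificate should appear as primary after the Apprenda installation described later. The federation service name is a placeholder.

```powershell
# Added example, not part of the Apprenda guide: verify from PowerShell that a
# node is in the state steps 4 to 7 above require. Assumption: the federation
# service name is a placeholder. Get-ADFSProperties / Get-ADFSCertificate come
# from the Microsoft.Adfs.PowerShell snap-in installed with AD FS 2.0/2.1.
param([string]$FederationServiceName = 'identity.apprenda.fedtest')   # placeholder

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$props = Get-ADFSProperties
$expectedIdentifier = "https://$FederationServiceName/adfs/ls/"

# 1. Identifier: the guide calls the https scheme and the trailing slash critical,
#    so compare case-sensitively and do not normalise the slash away.
if ($props.Identifier -ceq $expectedIdentifier) {
    Write-Host "OK: Federation Service identifier is $($props.Identifier)"
} else {
    Write-Warning "Identifier is '$($props.Identifier)', expected '$expectedIdentifier' (Edit Federation Service Properties, then restart the service)"
}

# 2. Host name: must be the service/site name the SSL certificate was issued for.
if ($props.HostName -ne $FederationServiceName) {
    Write-Warning "Federation Service name is '$($props.HostName)', expected '$FederationServiceName'"
} else {
    Write-Host "OK: Federation Service name is $($props.HostName)"
}

# 3. The AD FS Windows service (service name adfssrv in both 2.0 and 2.1) must be running.
$svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
if (-not $svc) { $svc = Get-Service | Where-Object { $_.DisplayName -like 'AD FS*Windows Service' } }
if ($svc -and $svc.Status -eq 'Running') {
    Write-Host "OK: $($svc.DisplayName) is running"
} else {
    Write-Warning 'AD FS Windows Service is not running; restart it from the Services window (step 6).'
}

# 4. Token-signing certificates. Before the Apprenda install the FSConfig/rollover
#    certificate is primary; afterwards the "<cloudURL> Signing" certificate must be.
Get-ADFSCertificate -CertificateType "Token-Signing" |
    Sort-Object IsPrimary -Descending |
    Format-Table IsPrimary, Thumbprint,
        @{ n = 'Subject';  e = { $_.Certificate.Subject } },
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } -AutoSize
```

Run it on every node in the farm: the identifier and name are stored in the shared SQL configuration database, so a mismatch on one node points at the service not having been restarted there rather than at a configuration difference.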

Join Additional Nodes to the Federation Server Farm

1. Open PowerShell on the additional node.
2. Run the command below from the location in which FSConfig resides, within a user context that has read/write access to the database and domain admin privileges.
   a. Default AD FS 2.0 install: C:\Program Files\Active Directory Federation Services 2.0
   b. Default AD FS 2.1 install: C:\Windows\ADFS

       .\FSConfig.exe JoinSQLFarm /ServiceAccount XXX /SQLConnectionString "database=AdfsConfiguration;server=XXX;integrated security=SSPI" /CertThumbprint "XX XX …"


   Example

       .\FSConfig.exe JoinSQLFarm /ServiceAccount nys\adfsuser /SQLConnectionString "database=AdfsConfiguration;server=Server02\Instance02;integrated security=SSPI" /CertThumbprint "c4 38 d1 2f 7f a3 cd 3e 19 21 94 64 6a 14 db 0e a6 60 1c 5f"

3. Open AD FS Manager and confirm that the Federation Service Identifier matches the identifier set on the first node (https://identity.rooturl/adfs/ls/).
4. Configure the Default Web site on the additional node as indicated in Appendix 1.

Install Apprenda with an AD FS Federation Server Farm

At this point we have configured the Federation portion of the installation. Let’s go ahead and install the Platform. Because the installer is not designed to accommodate a Federation Server farm, we will do the following:

- Select all AD FS nodes as Application Servers, which will install and configure the Windows Host service.
- Configure the first AD FS node in the Federation Server farm as the Apprenda Managed AD FS Host.
- Manually configure the remaining AD FS nodes as Apprenda Managed AD FS Hosts.

CONFIGURE AD FS NODES AS APPLICATION SERVERS IN THE APPRENDA INSTALLER

1. Open the Apprenda Installer.
2. Select the Install option.
3. Select Multi Server and Show Advanced Options.
4. Fill out the necessary information until you reach the What Servers Should We Start Off With? page.
5. In addition to your environment’s other servers, be sure to add all AD FS nodes as Application Servers.

CONFIGURE THE FIRST AD FS NODE AS AN APPRENDA MANAGED AD FS HOST

1. Continue and fill out the necessary information until you reach the Apprenda Security page.
2. Do not select Require Authorization to access the System Operations Center (SOC), as skipping this at install will permit authentication troubleshooting. SOC Authorization can be re-enabled at a later time.
3. Fill out the Federation Information as follows:
   a. Apprenda Managed ADFS Host is the name of the first AD FS node in the farm.
   b. The endpoint is the Federation Service Identifier configured in ADFS.
4. Complete the Apprenda installation.

GRANT THE AD FS SERVICE ACCOUNT PERMISSION TO MANAGE THE PRIVATE KEYS FOR THE APPRENDA PLATFORM SIGNING CERTIFICATE

Apprenda Platform installation will add the Apprenda Signing certificate to the certificate store on the AD FS nodes. The AD FS Service Account must have read permissions to the private key for this certificate. Perform the following on all AD FS nodes.

Open the MMC Certificate Snap-in:
- Open MMC (which should be included on all Windows OS).
- Under File choose Add/Remove Snap-in.
- Select the Certificates snap-in and click Add.
- Select Computer account, then click Next.
- Select Local computer, then click Finish.
- Click OK to open the snap-in.

Grant the AD FS Service Account permission to manage the private keys for the Apprenda Platform Signing certificate:
- Under Certificates (Local Computer), open the Personal > Certificates folder and locate the Apprenda Platform Signing certificate. Its name should match the pattern “cloudURL Signing” (e.g., “apprenda.fedtest Signing”).
- Right-click on the Apprenda Signing certificate and select All Tasks > Manage Private Keys.
- Add the AD FS Service Account to the list of Group or user names.
- Grant the account Read permissions.


Manually configure the remaining AD FS Nodes

Repeat these steps for each additional AD FS node in the farm.

Copy Apprenda AD FS Artifacts to the New AD FS Nodes

1. On the first AD FS node, you will find an AdfsBootstrapper directory in the Apprenda install drive\folder (by default, this will be C:\ApprendaPlatform).
2. Copy the AdfsBootstrapper folder to the ApprendaPlatform folder on the additional AD FS node.
3. On the additional AD FS node, look in the AdfsBootstrapper folder, locate the following DLL (depending on AD FS version) and copy it to the corresponding directory:
   - AD FS 2.0: from the AttributeStore folder, copy SaaSGrid.Federation.AttributeStore.dll to C:\Program Files\Active Directory Federation Services 2.0
   - AD FS 2.1: from the AttributeStore2.1 folder, copy Apprenda.Federation.AttributeStore.2.1.dll to the C:\Windows\ADFS directory on each new node
4. Restart the AD FS Service.

Update the SaaSGrid Core DB

1. Connect to the SaaSGrid Core DB (you can use the credentials used to install Apprenda).
2. Look in the dbo.Artifact_Host table and get the id for the additional node.
3. Look in the dbo.Tag table and get the id for “Federation Host”.
4. In the dbo.Host_Tag table, add a row where host_id = the id of the additional node from the dbo.Artifact_Host table and tag_id = the id of “Federation Host” from the dbo.Tag table.
5. In the SOC, deploy the federation service to the additional node.
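Step 4 is a manual insert into a platform database, so it is worth making it idempotent and transactional: re-running it for a node that already carries the tag must not create a duplicate row. The script below is an added example, not from this guide or from Apprenda. It takes the two ids found in steps 2 and 3 as parameters and relies only on the host_id and tag_id columns named above; the instance and database name are placeholders, and Invoke-Sqlcmd comes from the SqlServer/SQLPS module.

```powershell
# Added example, not part of the Apprenda guide: step 4 above as an idempotent,
# transactional insert into dbo.Host_Tag. The host id and tag id come from steps
# 2 and 3; only the host_id/tag_id columns named in the guide are relied on.
# Assumptions: instance and database name are placeholders; uses Invoke-Sqlcmd.
param(
    [string]$SqlInstance = 'Server01\Instance01',           # placeholder
    [string]$Database    = 'SaaSGridCore',                  # placeholder; use the real SaaSGrid Core DB name
    [Parameter(Mandatory = $true)][int]$HostId,             # id of the additional node (dbo.Artifact_Host)
    [Parameter(Mandatory = $true)][int]$TagId               # id of "Federation Host" (dbo.Tag)
)

# [int] typing of the ids means they can be interpolated into the query safely.
$query = @"
SET XACT_ABORT ON;
BEGIN TRANSACTION;
IF NOT EXISTS (SELECT 1 FROM dbo.Host_Tag WHERE host_id = $HostId AND tag_id = $TagId)
    INSERT INTO dbo.Host_Tag (host_id, tag_id) VALUES ($HostId, $TagId);
COMMIT TRANSACTION;
SELECT host_id, tag_id FROM dbo.Host_Tag WHERE host_id = $HostId;
"@

$rows = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $query
Write-Host "Tags now attached to host $HostId (expect tag_id $TagId among them):"
$rows | Format-Table host_id, tag_id -AutoSize
```

If the returned rows do not include the Federation Host tag id, the transaction was rolled back (XACT_ABORT turns any error into a rollback) and the error from Invoke-Sqlcmd says why; nothing partial is left behind.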

Optional: Configure Application Deployment Policy

If desired, move any unneeded services off the federation nodes and set up a deployment policy to only allow the federation service.

CONFIGURATION AND APPRENDA INSTALLATION FOR AN AD FS STAND-ALONE FEDERATION SERVER

The instructions below outline the configuration steps for an AD FS Stand-alone Federation Server using Windows Internal Database for the AD FS Configuration database. This option will configure AD FS to manage the Token Signing and Token Decrypting certificates.

Checklist:
- IIS has been installed on all AD FS nodes.
- DNS entry has been configured.
- The identity SSL certificate is installed on the machine as noted above.
- The thumbprint for the identity SSL certificate you will use (see the “Certificates” section above) is on hand.
- AD FS has been installed on all AD FS nodes.
- The user under which you will configure AD FS is a local admin on AD FS nodes.

Steps:

1. If it is not already open, launch the AD FS Management Console.

2. Click on the link to launch the AD FS Federation Server Configuration Wizard.

3. Select Create a new Federation Service.

4. Select Stand-alone Federation Server.

5. Ensure that the identity SSL certificate is selected.

6. Ensure that the Federation Service name is set to identity.cloudURL.

7. Proceed through the wizard to complete the configuration steps, then close the Wizard.

8. Once you are done with the command line, open the AD FS Manager and click on Edit

Federation Service Properties.

9. Change the Federation Service identifier to match the following pattern (the final slash is

critical): https://identity.cloudURL/adfs/ls/

Page 17: Setup Guide for AD FS 2.0/2.1 on the Apprenda Platform AD FS 2.0-2... · Setup Guide for AD FS 2.0/2.1 on the Apprenda Platform Last Updated for Apprenda 6.5.2 The Apprenda Platform

17

10. Click on Apply when done.

11. Restart the Federation Service via the Windows Services window. It is listed as AD FS 2.0 Windows Service for AD FS 2.0, and AD FS Windows Service for AD FS 2.1.

12. Configure the Default Web site on the first node as indicated in Appendix 1.

To install Apprenda with an AD FS Stand-alone Federation Server, follow the steps in the Configure AD FS Nodes as Application Servers in the Apprenda Installer and Configure the first AD FS Node as an Apprenda Managed AD FS Host sections above.
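Steps 8 through 11 above can also be performed and verified from PowerShell. The following is an added example, not part of the Apprenda guide; it assumes AD FS 2.0/2.1 with the wizard (steps 1 to 7) already completed, and that identity.cloudURL and the thumbprint are placeholders for your own values.

```powershell
# Added example, not from the Apprenda guide: steps 8-11 of the stand-alone procedure
# from PowerShell instead of the AD FS Management console, with verification.
# Assumes AD FS 2.0/2.1; identity.cloudURL and the thumbprint below are placeholders.
$FederationServiceName  = "identity.cloudURL"
$IdentityCertThumbprint = "0000000000000000000000000000000000000000"   # thumbprint "on hand" from the checklist
$ExpectedIdentifier     = "https://$FederationServiceName/adfs/ls/"    # the final slash is critical

# AD FS 2.0/2.1 exposes its cmdlets through a snap-in rather than a module.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# Step 5 check: the wizard must have bound the identity SSL certificate as the
# service communications certificate (the one clients see on https://identity.cloudURL).
$svcCert = Get-AdfsCertificate -CertificateType Service-Communications
if ($svcCert.Thumbprint -ne $IdentityCertThumbprint) {
    throw "Service communications certificate is $($svcCert.Thumbprint), expected $IdentityCertThumbprint."
}

# Steps 8-10: set the Federation Service identifier that the Platform's trusts reference.
Set-AdfsProperties -Identifier $ExpectedIdentifier

# Step 11: restart the Federation Service. The service name is adfssrv for both
# AD FS 2.0 ("AD FS 2.0 Windows Service") and AD FS 2.1 ("AD FS Windows Service").
Restart-Service -Name adfssrv
if ((Get-Service -Name adfssrv).Status -ne "Running") { throw "adfssrv did not come back up." }

# Verify by re-reading the configuration rather than trusting that the call succeeded.
# PowerShell string comparison is case-insensitive, so the lower-cased host in
# AbsoluteUri still matches the placeholder.
$props = Get-AdfsProperties
if ($props.Identifier.AbsoluteUri -ne $ExpectedIdentifier) {
    throw "Identifier is '$($props.Identifier)', expected '$ExpectedIdentifier' (check the trailing slash)."
}
if ($props.HostName -ne $FederationServiceName) {
    Write-Warning "Federation Service name is '$($props.HostName)'; the Platform expects '$FederationServiceName'."
}
Write-Output "AD FS identifier set to $ExpectedIdentifier; continue with Appendix 1 (IIS bindings)."
```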


APPENDIX 1: CONFIGURING THE FEDERATION WEBSITE IN IIS

In addition to the AD FS service, Apprenda leverages a corresponding federation website. This site must be configured on each AD FS node as follows (screenshots are for Windows Server 2012/IIS 8):

1. Open IIS and locate the Default Web Site.

2. Select the Default Web Site and click on the Bindings… action.

3. Remove all existing bindings, then create the following https binding using port 443, where the Host name is the federation service/site name (e.g., identity.cloudURL). You may be unable to input a Host name value; this is OK as long as the SSL certificate is correctly pointing to the identity SSL certificate.


4. With the Default Web Site still selected, click on the Basic Settings action. Click on Select to update the Application Pool:

5. Open PowerShell as an Administrator and run the command iisreset.
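The same binding changes can be scripted and checked with the WebAdministration module. This is an added example, not the guide's own procedure; it assumes Windows Server 2012 / IIS 8, and that identity.cloudURL, the thumbprint and the application pool name are placeholders for your own values.

```powershell
# Added example, not from the Apprenda guide: Appendix 1 steps 2-5 in PowerShell,
# run as Administrator on each AD FS node. Assumes Windows Server 2012 / IIS 8.
Import-Module WebAdministration

$SiteName       = "Default Web Site"
$HostName       = "identity.cloudURL"                            # placeholder
$CertThumbprint = "0000000000000000000000000000000000000000"     # identity SSL certificate thumbprint (placeholder)
$AppPoolName    = "<application pool chosen in step 4>"          # placeholder

# The identity SSL certificate must already be in the machine store (checklist item).
$cert = Get-Item "Cert:\LocalMachine\My\$CertThumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $CertThumbprint has no private key; IIS cannot serve TLS with it." }

# Step 3: remove all existing bindings, then add the single https binding on port 443.
Get-WebBinding -Name $SiteName | Remove-WebBinding
New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress "*" -HostHeader $HostName

# Attach the certificate to the 443 listener (the "SSL certificate" drop-down in the
# Bindings dialog). 0.0.0.0!443 is the catch-all IP binding, which is what applies
# when no Host name could be entered, as the text notes.
$sslPath = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Step 4: point the site at the chosen application pool.
Set-ItemProperty "IIS:\Sites\$SiteName" -Name applicationPool -Value $AppPoolName

# Step 5: restart IIS.
iisreset | Out-Null

# Verify: exactly one binding, https on 443, and the listener uses the expected certificate.
$bindings = @(Get-WebBinding -Name $SiteName)
if ($bindings.Count -ne 1 -or $bindings[0].protocol -ne "https") {
    throw "Unexpected bindings on $SiteName : $($bindings | ForEach-Object { $_.bindingInformation })"
}
$bound = Get-Item $sslPath
if ($bound.Thumbprint -ne $CertThumbprint) { throw "Port 443 is bound to $($bound.Thumbprint), expected $CertThumbprint." }
Write-Output "Federation website bound to https://$HostName with certificate $CertThumbprint."
```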


APPENDIX 2: UNDERSTANDING AD FS TRUST RELATIONSHIPS

AD FS uses trust relationships to manage how claims are accepted and issued (see Microsoft’s AD FS documentation for an explanation of the types of trusts and related terminology used in AD FS). Below is a list of AD FS trust relationships that are either created by Apprenda or must be created manually for certain Apprenda Platform authentication configurations to work.

It should be noted that existing claims for an AD FS instance can be viewed in AD FS Manager under the Trust Relationships folder.

Trust Relationships Created at Apprenda Platform Installation/UI Deployment

Claims Provider Trust (created by Apprenda)

When the Apprenda Platform is installed on an environment with AD FS nodes, the installer will create a Claims Provider Trust between the AD FS nodes and the Apprenda Platform. The trust will be located on the Apprenda AD FS nodes:

Location: Apprenda AD FS nodes.

Type: Claims Provider Trust.

Display Name: Apprenda

The claim provider’s federation metadata field will point to a URL that is dynamically generated by the Apprenda Platform’s authentication UI (and depends on the subdomain and cloudURL that has been configured for the Platform):

o Format: https://subdomain.cloudURL/authentication/FederationMetadata.xml

o Example: https://apps.apprenda.fedtest/authentication/FederationMetadata.xml

Relying Party Trusts (created by Apprenda)

When each UI is deployed on the Apprenda Platform (as either part of the Apprenda Platform portals or as part of a guest application), a corresponding Relying Party Trust will be created on the Apprenda AD FS nodes.

Location: Apprenda AD FS nodes.

Type: Relying Party Trust.

The Display Name will typically correspond to the URL of the UI.

Trust Relationships for Configuring Apprenda to Work with a Secure Token Service

After installation of the Apprenda Platform with AD FS is complete, it is typically configured to work with a Secure Token Service (STS). This involves the following trust relationships.


Claims Provider Trust (created by Apprenda)

PLATFORM-WIDE FEDERATION (WITH A SINGLE STS):

Platform-wide federation (typically used to federate against a single external user store) is configured through the User Store page in the System Operations Center. Part of the setup entails entering the federation metadata URL for the STS in the appropriate input box or uploading a metadata file:

The Platform will create a Claims Provider Trust on the Apprenda AD FS nodes using the information from the STS metadata URL or file:

Location: Apprenda AD FS nodes.

Type: Claims Provider Trust.

Display Name: Apprenda Platform

The claim provider’s federation metadata field will point to the metadata URL for the Secure Token Service (if a metadata file is used, the URL information will be extracted from the file).

ACCOUNT-LEVEL FEDERATION (WITH ONE STS PER TENANT):

The Apprenda Platform can be configured to allow each Tenant account to authenticate against a different STS. In such cases, federation for each Tenant is configured through the Account Portal, where the federation metadata URL for the STS must be entered into the appropriate input box.

The Platform will create a Claims Provider Trust on the Apprenda AD FS nodes using the information from the STS metadata URL:

Location: Apprenda AD FS nodes.


Type: Claims Provider Trust.

Display Name: the Tenant alias of the corresponding Tenant account.

The claim provider’s federation metadata field will point to the metadata URL for the STS.

Relying Party Trusts (must be created manually)

In most cases a Relying Party Trust must be manually configured between the Apprenda AD FS nodes and the STS. Although the setup process will vary depending on the STS used, instructions for configuring a Relying Party Trust in AD FS can be found in Microsoft’s online documentation:

https://technet.microsoft.com/en-us/library/dn486828.aspx

Typically, your organization will already have an STS in place (along with administrators practiced in managing it). If this is the case, please provide your STS administrator with the metadata URL for the Apprenda AD FS nodes, which can be found in the Configure Identity Federation section of the User Store page in the System Operations Center (for Platform-wide Federation):
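Because every Claims Provider Trust on the Apprenda AD FS nodes is an issuer whose tokens the Platform will accept, it is worth auditing the trusts described in this appendix after installation and after each STS or Tenant federation change. The script below is an added example, not part of the Apprenda guide; it assumes AD FS 2.0/2.1 on an Apprenda AD FS node and uses apps.apprenda.fedtest, the example subdomain.cloudURL from the text, as a placeholder.

```powershell
# Added example, not from the Apprenda guide: audits the trust relationships described in
# Appendix 2 on one Apprenda AD FS node (AD FS 2.0/2.1). apps.apprenda.fedtest is the
# example subdomain.cloudURL from the text; replace it with your Platform's value.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$PlatformHost             = "apps.apprenda.fedtest"
$ExpectedApprendaMetadata = "https://$PlatformHost/authentication/FederationMetadata.xml"
# Display names the appendix says to expect. "Active Directory" is the trust AD FS creates
# by default; anything else should be a Tenant alias (account-level federation).
$KnownClaimsProviders = @("Active Directory", "Apprenda", "Apprenda Platform")

$cpts = @(Get-AdfsClaimsProviderTrust)

# 1. The installer-created "Apprenda" trust must exist and point at the Platform's metadata URL.
$apprenda = $cpts | Where-Object { $_.Name -eq "Apprenda" }
if (-not $apprenda) {
    Write-Warning "Claims Provider Trust 'Apprenda' is missing; the Apprenda installer should have created it."
} elseif (-not $apprenda.MetadataUrl -or $apprenda.MetadataUrl.AbsoluteUri -ne $ExpectedApprendaMetadata) {
    Write-Warning "Trust 'Apprenda' has metadata URL '$($apprenda.MetadataUrl)', expected '$ExpectedApprendaMetadata'."
}

# 2. List every claims provider that is not one of the expected display names so that
#    Tenant-level trusts (and anything nobody remembers creating) get reviewed.
foreach ($cpt in $cpts) {
    if ($KnownClaimsProviders -notcontains $cpt.Name) {
        Write-Output ("Tenant-level or unexpected claims provider: '{0}' (metadata: {1}, enabled: {2})" `
            -f $cpt.Name, $cpt.MetadataUrl, $cpt.Enabled)
    }
}

# 3. Metadata fetched over plain http would let an on-path party swap the STS signing
#    certificate during automatic metadata updates; flag it.
$cpts | Where-Object { $_.MetadataUrl -and $_.MetadataUrl.Scheme -ne "https" } |
    ForEach-Object { Write-Warning "Claims provider '$($_.Name)' fetches metadata over $($_.MetadataUrl.Scheme)." }

# 4. Summary of everything under the Trust Relationships folder, for the change record.
$cpts | Select-Object Name, Enabled, MetadataUrl | Format-Table -AutoSize
Get-AdfsRelyingPartyTrust |
    Select-Object Name, Enabled, @{ n = 'Identifier'; e = { $_.Identifier -join ', ' } } |
    Format-Table -AutoSize
```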