
Contents

Overview                                          2
Setup ADFS Server                                 3
  Join ADFS server to domain                      3
  Create ADFS Service Account                     3
  Install ADFS Role                               3
  Generate CSR from ADFS server                   6
  Request Cert from your CA                       8
  Run ADFS Configuration Wizard                   8
  Check SPN of the Service Account               13
Update Internal DNS record                       13
Verify ADFS URL from Client Machine              13
O365 Tenant Preparation                          14
  Install Azure AD Connect for Identity Sync     14
  Configure Azure AD Connect for ADFS            17
  Verify Identity sync                           26
Verify SSO from Client Machine                   26
Reference                                        28

Version  Date         Author           Change Description
1.0      16 Sep 2016  Shankar Paulraj  Initial draft
1.1      17 Sep 2016  Shankar Paulraj  Certificate CN details & ADFS Service Account
Overview
This guide covers the steps involved in setting up ADFS and Azure AD Connect in order to achieve O365 Single Sign-On.

Azure AD Connect, available from the O365 portal, makes the whole SSO setup easier: its configuration wizard verifies the ADFS server farm configuration and performs the necessary configuration on the O365 tenant, such as setting the tenant up for federated identity.

Diagram: lab topology. The on-premises domain mylab.local (AD + Azure AD Connect, and ADFS) is federated with Office 365 services under the public domain radiancecommslab.com. User1 attempts to log in to O365, is redirected to ADFS, and authenticates there.

The above setup does not include an ADFS proxy server; an ADFS proxy is needed if clients outside the customer network need to access O365 services.

High-level Requirements

2 x Windows 2012R2 Standard Edition VM (AD & ADFS)

1 x Windows 10 VM (Client)

1 x Working O365 Tenant


Setup ADFS Server

Join ADFS server to domain


Create ADFS Service Account
Create a domain user account named adfs whose password does not expire. This will later be the service account used to run the ADFS service.

Install ADFS Role


Generate CSR from ADFS server
Run the DigiCert Certificate Utility on the ADFS server and request a certificate with the federation service name as both subject and SAN:

CN=<federation service name>

SAN=<federation service name>


Request Cert from your CA.
For my lab I used https://www.startssl.com/.

A free SSL certificate can be obtained from https://startssl.com/OTPLogin for a lab environment.

Obtain the public cert and install it on the ADFS server.

Run ADFS Configuration Wizard


Enter the service account adfs@mylab.local created previously.
Check SPN of the Service Account

Update Internal DNS record


Add the STS record for the federation service name (sts.radiancecommslab.com) so that it resolves to the ADFS server internally.

Verify ADFS URL from Client Machine


Access the ADFS URL (https://sts.radiancecommslab.com/adfs/ls/IdpInitiatedSignon.aspx) from the client machine.
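The three checks above (service account SPN, internal DNS record, ADFS URL) can be scripted from a domain-joined machine. This is an added example, not part of the original guide; it assumes an elevated Windows PowerShell session with the ActiveDirectory RSAT module available, and uses the lab names from this guide (account adfs, federation service name sts.radiancecommslab.com).

```powershell
# Added example (not from the original guide): verify SPN, internal DNS and the ADFS
# endpoint before moving on to the tenant. Assumes RSAT ActiveDirectory module + setspn.
$serviceAccount = 'adfs'                          # ADFS service account (from the guide)
$federationName = 'sts.radiancecommslab.com'      # federation service name (from the guide)
$signOnUrl      = "https://$federationName/adfs/ls/IdpInitiatedSignon.aspx"

# 1. SPN: the service account must hold HOST/<federation service name>; without it,
#    domain-joined clients cannot get a Kerberos ticket for ADFS and fall back to forms auth.
Import-Module ActiveDirectory
$spns = (Get-ADUser -Identity $serviceAccount -Properties servicePrincipalName).servicePrincipalName
$expectedSpn = "HOST/$federationName"
if ($spns -contains $expectedSpn) {
    Write-Host "OK      SPN $expectedSpn is registered on $serviceAccount"
} else {
    Write-Warning "MISSING SPN $expectedSpn on $serviceAccount (registered: $($spns -join ', '))"
    # The ADFS wizard normally registers it; otherwise: setspn -S $expectedSpn $serviceAccount
}
# A duplicate SPN on another account breaks Kerberos; -X reports duplicates forest-wide.
setspn -X | Select-String -Pattern $federationName

# 2. Internal DNS: the STS name must resolve to the ADFS server from inside the network.
$dns = Resolve-DnsName -Name $federationName -Type A -ErrorAction Stop
Write-Host "OK      $federationName -> $($dns.IPAddress -join ', ')"

# 3. Endpoint and certificate: fetch the IdP-initiated sign-on page and confirm that the
#    TLS certificate subject matches the federation service name (the CSR's CN above).
$request = [Net.HttpWebRequest]::Create($signOnUrl)
try {
    $response = $request.GetResponse()
    $status   = [int]$response.StatusCode
    $response.Close()
} catch [Net.WebException] {
    $status = "error: $($_.Exception.Message)"
}
$subject = $request.ServicePoint.Certificate.Subject
if ($subject -like "*CN=$federationName*") {
    Write-Host "OK      $signOnUrl -> $status; certificate subject: $subject"
} else {
    Write-Warning "Certificate subject '$subject' does not match CN=$federationName"
}
```

Run it on the ADFS server after the configuration wizard and again from the Windows 10 client; a passing SPN check on the server but a failing DNS or certificate check on the client usually points at the internal DNS record or at the certificate chain not being trusted by the client.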
O365 Tenant Preparation
Assumption: O365 Tenant has been setup, including custom domain radiancecommslab.com and DNS
verification.

Install Azure AD Connect for Identity Sync


For this lab, I will install Azure AD Connect on the AD server.

The latest version of the software can be downloaded from the O365 Portal.
Configure Azure AD Connect for ADFS
Verify Identity sync
Log in to the O365 portal and verify that on-premises users are synchronized to the cloud.

User1 and User2 are synced from on-premises AD to O365.
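The same verification can be done from PowerShell instead of the portal, and it also confirms that the wizard actually converted the custom domain to federated authentication. This is an added example, not part of the original guide; it assumes the MSOnline module (the Azure AD PowerShell module of this guide's era) is installed, that you hold a tenant administrator account, and that the synced users have UPNs of the form User1@radiancecommslab.com.

```powershell
# Added example (not from the original guide): confirm on the tenant side that the custom
# domain is Federated and that the lab users were synced by Azure AD Connect.
# Assumes the MSOnline module and a tenant admin credential; UPN form is an assumption.
Import-Module MSOnline
Connect-MsolService                                   # prompts for tenant admin credentials

$customDomain  = 'radiancecommslab.com'               # custom domain from the guide
$expectedUsers = @('User1', 'User2')                  # lab users from the guide

# 1. The domain must be Federated (the Azure AD Connect ADFS option converts it). A
#    Managed domain authenticates in the cloud, so the ADFS redirect would never happen.
$domain = Get-MsolDomain -DomainName $customDomain
if ($domain.Authentication -eq 'Federated') {
    $fed = Get-MsolDomainFederationSettings -DomainName $customDomain
    Write-Host "OK      $customDomain is Federated; passive sign-on URI: $($fed.PassiveLogOnUri)"
} else {
    Write-Warning "$customDomain is '$($domain.Authentication)', not Federated"
}

# 2. Directory synchronization must be enabled and must have run.
$company = Get-MsolCompanyInformation
Write-Host "DirSync enabled: $($company.DirectorySynchronizationEnabled); last sync: $($company.LastDirSyncTime)"

# 3. Each expected user must exist with an ImmutableId (the source anchor written by
#    Azure AD Connect) and a LastDirSyncTime; a cloud-only account has neither and will
#    not be matched to the on-premises identity that ADFS asserts.
foreach ($name in $expectedUsers) {
    $upn  = "$name@$customDomain"
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "MISSING $upn has not been synced to the tenant"
    } elseif (-not $user.ImmutableId) {
        Write-Warning "$upn exists but is cloud-only (no ImmutableId); SSO will not apply"
    } else {
        Write-Host "OK      $upn synced at $($user.LastDirSyncTime); ImmutableId $($user.ImmutableId)"
    }
}
```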

Verify SSO from Client Machine


Log in to the client machine as domain user User1 and try to log in to the Office 365 portal. When prompted to enter the password:

- The user is automatically redirected to the ADFS server.
- The user's Windows login credentials are automatically used for authentication.
- The user is logged in to the O365 portal.
Reference
https://blogs.technet.microsoft.com/canitpro/2015/09/11/step-by-step-setting-up-ad-fs-and-enabling-single-sign-on-to-office-365/