In the previous part of this blog series we installed Windows Azure Pack and Active Directory Federation Services. In this blog we will configure the WAP Admin Portal and the WAP Tenant Portal to use ADFS for authentication. The configuration steps for both sites are very similar with some exceptions. The following steps will be performed.
- Change the WAP site bindings in IIS
- Update the WAP database with the new IIS bindings
- Configure the WAP database to use ADFS
- Create a relying party in ADFS
- Create claim rules in ADFS
- Enable JWT for relying party in ADFS
After completing these steps, every user that successfully authenticates to ADFS can access the WAP tenant site. To prevent a random user from accessing the WAP admin site, an additional step must be performed to enable access for admins.
- Configure authenticated users for the admin site
Windows Azure Pack accepts User Principal Name (UPN) claims and Group claims. A tenant requires a UPN claim to logon to Windows Azure Pack. When a tenant subscribes to a plan the UPN is made owner of the subscription. A UPN is required as owner for a subscription. The Group claim is optional and can be used to specify Co-Admins for an existing subscription. A common design is to designate an owner of the subscription that is responsible (for example a department head) and add a group claim as co-admins for the subscription (for example a group containing all the departments users). A couple of tests with group claims pointed out that Domain Local Groups will not work (even if you manage to pass them as claims with some custom claim rules) and that Windows Azure Pack will not accept a space in the Group when configuring Co-Admins for a subscription.
Two components of ADFS are important in relation to Windows Azure Pack. The Claims Provider and the Relying Party. A Claims Provider authenticates a user, create the claims for that user and configures the claims into security tokens that the relying party uses to make authorization decisions. A Relying Party consumes claims in a particular transaction. Claims that originate from a claims provider can be presented and consumed by the relying party. A default installation of ADFS configures a Claims Provider trust to Active Directory. This default Claims Provider trust has a predefined set of Claims, which contains the UPN claim, but does not contain the Group claim.
It is possible to add additional claims at the Claims Provider level or at the Relying party level. If you add additional claims at the Claims Provider level, these claims are available to all relying parties and can also be used for authorization and transformation in a relying party configuration. If you add additional claims at the Relying Party level, these claims will only be available to that particular Relying Party.