Configure AD FS to trust the management portals
Applies To: Windows Azure Pack
The last step in configuring Active Directory Federation Services (AD FS) for Windows Azure Pack is to configure AD FS to trust the management portals.
Configure AD FS to trust the management portals
Ensure that the machine that you configure can access the AD FS web service metadata endpoint for the management portal for administrators. To verify access, open a browser and go to https://<AdminPortal_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <AdminPortal_endpoint> is the fully qualified domain name (FQDN) for the management portal for administrators. If you can view the .xml file, you can access the federation metadata endpoint.
Ensure that the machine that you configure can access the AD FS web service metadata endpoint for the management portal for tenants. To verify access, open a browser and go to https://<TenantPortal_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <TenantPortal_endpoint> is the FQDN for the management portal for tenants. If you can view the .xml file, you can access the federation metadata endpoint.
OPTIONAL. If you want to use the ASP.NET Membership Provider as the default Claims Provider for the management portal for tenants in AD FS, ensure that the machine that you configure can access the AD FS web service metadata endpoint for the Tenant Authentication Site. To verify access, open a browser and go to https://<TenantAuth_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <TenantAuth_endpoint> is the FQDN for the Tenant Authentication Site. If you can view the .xml file, you can access the federation metadata endpoint.
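The three reachability checks above can be scripted from the machine on which you will run configure-adfs.ps1. The following is an added example, not part of the Windows Azure Pack documentation or its sample scripts: it downloads each FederationMetadata.xml, reports the entityID and the signing certificate(s) it advertises, and flags self-signed or expiring certificates. Unlike the sample script's -allowSelfSignCertificates switch, it does not bypass TLS validation, so a certificate problem surfaces as a failure here rather than being silently accepted by AD FS later. The host names and ports are assumptions taken from the sample invocation on this page; replace them with your own.

```powershell
# Added example: pre-flight check of the federation metadata endpoints before running configure-adfs.ps1.
# Host names and ports are assumptions; substitute your own portal and authentication site addresses.
$endpoints = [ordered]@{
    'Management portal for administrators' = 'admin-AzurePack.contoso.com:30091'
    'Management portal for tenants'        = 'tenant-AzurePack.contoso.com:30081'
    'Tenant Authentication Site (optional)' = 'auth-AzurePack.contoso.com:30071'
}

# Namespaces used by WS-Federation / SAML metadata documents
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}

foreach ($name in $endpoints.Keys) {
    $uri = "https://$($endpoints[$name])/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        # Deliberately no certificate-validation bypass: a TLS failure is reported, not hidden.
        $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
        [xml]$metadata = $response.Content

        $entityId = (Select-Xml -Xml $metadata -XPath '/md:EntityDescriptor/@entityID' -Namespace $ns).Node.Value
        Write-Host ("{0}: reachable, entityID = {1}" -f $name, $entityId)

        # Signing certificates are what AD FS will pin for this trust; inspect them before importing.
        $certNodes = Select-Xml -Xml $metadata -XPath '//md:KeyDescriptor[@use="signing"]//ds:X509Certificate' -Namespace $ns
        foreach ($node in $certNodes) {
            $raw  = [Convert]::FromBase64String($node.Node.InnerText.Trim())
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
            Write-Host ("    signing cert: {0}  thumbprint {1}  expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
            if ($cert.Subject -eq $cert.Issuer) {
                Write-Warning "    $name advertises a self-signed signing certificate (acceptable only in test environments)."
            }
            if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
                Write-Warning "    $name signing certificate expires within 30 days; trusts built from it will break on expiry."
            }
        }
    }
    catch {
        # Name resolution, firewall, TLS or HTTP errors all land here.
        Write-Warning ("{0}: cannot read {1} - {2}" -f $name, $uri, $_.Exception.Message)
    }
}
```

Run it once from the AD FS machine; every endpoint that is going to be passed to configure-adfs.ps1 should report "reachable" with no warnings before you continue.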
Locate the configure-adfs.ps1 configuration script that is installed with Windows Azure Pack in C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Authentication\.
Run the configure-adfs.ps1 script on the machine where AD FS is installed.
```powershell
$tenantSite = 'tenant-AzurePack.contoso.com:30081'
$adminSite  = 'admin-AzurePack.contoso.com:30091'
$authSite   = 'auth-AzurePack.contoso.com:30071'

# Note: Use the "allowSelfSignCertificates" switch only in test environments. In production environments,
# all SSL certificates should be valid.
& "C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Authentication\configure-adfs.ps1" `
    -identityProviderMetadataEndpoint "https://$authSite/federationmetadata/2007-06/federationmetadata.xml" `
    -tenantRelyingPartyMetadataEndpoint "https://$tenantSite/federationmetadata/2007-06/federationmetadata.xml" `
    -adminRelyingPartyMetadataEndpoint "https://$adminSite/federationmetadata/2007-06/federationmetadata.xml" `
    -allowSelfSignCertificates
```
Replace the values of $tenantSite and $adminSite with the locations (FQDN and port) of the management portal for tenants and the management portal for administrators. If you want to use the ASP.NET Membership Provider as the default Claims Provider for the management portal for tenants in AD FS, replace the value of $authSite with the location of the Tenant Authentication Site.
Supply the following parameter information.
| Parameter | Required information |
| --- | --- |
| -identityProviderMetadataEndpoint | OPTIONAL: Endpoint from which to obtain federation metadata for the Tenant Authentication Site. If you do not want to use the ASP.NET Membership Provider to provide tenant identities, modify the script so that it does not use this parameter, and also remove the Add-AdfsClaimsProviderTrust cmdlet. The script will then set up only the relying party trusts for the management portal for tenants and the management portal for administrators. |
| -tenantRelyingPartyMetadataEndpoint | Endpoint from which to obtain federation metadata for the management portal for tenants. |
| -adminRelyingPartyMetadataEndpoint | Endpoint from which to obtain federation metadata for the management portal for administrators. |
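After the script has run, confirm in AD FS that the expected trusts exist and that they will keep themselves current. The following is an added example, not part of the Windows Azure Pack documentation or the configure-adfs.ps1 sample: it uses the standard AD FS cmdlets (Get-AdfsRelyingPartyTrust, Get-AdfsClaimsProviderTrust) to locate the relying party trusts for the two portals and the optional claims provider trust for the Tenant Authentication Site, matching on the metadata URL or identifier because the names the sample script assigns are not documented here. The host names are assumptions copied from the sample invocation above; the claims provider section applies only if -identityProviderMetadataEndpoint was used.

```powershell
# Added example: verify the trusts created by configure-adfs.ps1. Run on the AD FS server.
# Host names are assumptions; use the values you passed to the script.
Import-Module ADFS

$expectedRelyingParties = [ordered]@{
    'Management portal for tenants'        = 'tenant-AzurePack.contoso.com'
    'Management portal for administrators' = 'admin-AzurePack.contoso.com'
}
$expectedClaimsProvider = 'auth-AzurePack.contoso.com'   # only if the optional claims provider trust was configured

$rpTrusts = Get-AdfsRelyingPartyTrust
foreach ($label in $expectedRelyingParties.Keys) {
    $hostName = $expectedRelyingParties[$label]
    $matches = $rpTrusts | Where-Object {
        ("$($_.MetadataUrl)" -like "*$hostName*") -or (($_.Identifier -join ' ') -like "*$hostName*")
    }
    if (-not $matches) {
        Write-Warning "No relying party trust found for $label ($hostName); the script did not create it."
        continue
    }
    foreach ($rp in $matches) {
        [pscustomobject]@{
            Trust             = $rp.Name
            For               = $label
            Enabled           = $rp.Enabled
            MetadataUrl       = $rp.MetadataUrl
            # With monitoring and auto-update on, AD FS re-reads the metadata and picks up rotated
            # portal certificates; with them off, a certificate rollover on the portal breaks sign-in.
            MonitoringEnabled = $rp.MonitoringEnabled
            AutoUpdateEnabled = $rp.AutoUpdateEnabled
            EncryptionCertExpires = $rp.EncryptionCertificate.NotAfter
        }
        if (-not ($rp.MonitoringEnabled -and $rp.AutoUpdateEnabled)) {
            Write-Warning "Trust '$($rp.Name)' is not set to monitor and auto-update its federation metadata."
        }
    }
}

# Optional claims provider trust for the Tenant Authentication Site (ASP.NET Membership Provider)
$cpTrust = Get-AdfsClaimsProviderTrust | Where-Object { "$($_.MetadataUrl)" -like "*$expectedClaimsProvider*" }
if ($cpTrust) {
    $cpTrust | Select-Object Name, Enabled, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled
} else {
    Write-Host "No claims provider trust for $expectedClaimsProvider (expected if -identityProviderMetadataEndpoint was not used)."
}
```

Each portal should appear exactly once with Enabled set to True and a non-empty MetadataUrl; a missing trust means the corresponding metadata endpoint was not reachable when the script ran, and the pre-flight check on this page should be repeated before running configure-adfs.ps1 again.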