Configuring AD FS Proxy
Microsoft AD FS (Active Directory Federation Services) makes it possible for local users and federated users to use claims-based single sign-on (SSO) to Web sites and services. You can use AD FS to enable your organization to collaborate securely across Active Directory domains with other external organizations by using identity federation. This reduces the need for duplicate accounts, management of multiple log-ons, and other credential management issues that can occur when you establish cross-organizational trusts.
The AD FS Proxy is a service that brokers a connection between external users and your internal AD FS server. It acts as a reverse proxy and typically resides in your organization’s perimeter network (aka DMZ). As far as the user is concerned, they do not know they are talking to an AD FS proxy server, as the federation services are accessed by the same URLs.
FortiADC can act as a AD FS Proxy to facilitate the deployment of AD FS. If all the users and applications are internal, there is no need to use FortiADC as AD FS Proxy. If there is a requirement to expose the federation service to the Internet, use FortiADC to replace the AD FS Proxy is helpful.
Adding an AD FS Proxy
1. Click User Authentication > AD FS Proxy.
2. Select Proxy tab.
3. Click Create New to open the AD FS Proxy configuration editor.
4. Make the desired entries or sections, as described in the following table .
5. Save the configuration.
Parameter | Description |
---|---|
Name |
Specify a unique name for the AD FS Proxy;Valid characters are A-Z, a-z, 0-9,_, and -. No space is allowed. Note: Once you have saved the configuration, you\ cannot edit the AD FS Proxy name. |
Status |
Enable—The proxy can be used by AD FS Publish. Disable—The proxy can’t be used anymore. Note: If the proxy is used by at least one AD FS Publish,it can’t be disabled. |
Method |
None: no load balance method will be used, proxy will select the first real server in the AD FS Server Pool. LB METHOD ROUND ROBIN: proxy will select the real server according to Round Robin algorithm. |
AD FS Server Pool |
Select a real server pool configuration object, which is also an AD FS server farm. See Using real server pools. Note: this real server pool must use a SSL profile whose SSL is on, and must also select a local certificate. |
Federation Service Name |
The FQDN string appointed by the AD FS server. |
User Name |
A user name used to login to the AD FS server. |
Password |
The password used to login to the AD FS server. |
Server Configuration Update Interval |
1-8640000; The time interval of AD FS Proxy to get some configuration from AD FS server. Within the interval, the proxy can only use the cached configuration. |
Register Timeout |
1-3600; the time of AD FS Proxy waiting for the register response from AD FS server. |
Connect Timeout |
1-3600; the time of AD FS Proxy setup TCP connection with AD FS server |
Response Timeout |
1-3600; the time of AD FS Proxy waiting for all the response other than register from AD FS server. |
Keepalive Timeout |
1-3600; TCP connection keepalive timeout. |
Add an AD FS Publish
1. Click User Authentication > AD FS Proxy
2. Select Publish tab.
3. Click Create New to open the AD FS Publish configuration editor.
4. Make the desired entries or selections, as described in the table below.
5. Save the configuration
Parameter | Description |
---|---|
Name |
Specify a unique name for the AD FS Proxy;Valid characters are A-Z, a-z, 0-9,_, and -. No space is allowed. Note: Once you have saved the configuration, you\ cannot edit the AD FS Proxy name. |
Status |
Enable—The proxy can be used by AD FS Publish. Disable—The proxy can’t be used anymore. Note: If the proxy is used by at least one AD FS Publish,it can’t be disabled. |
AD FS Proxy |
Select an AD FS Proxy to publish on it. |
Preauthentication Method |
Pass Through: ADC will not change the message flow, basically it will only forward the message. AD FS: ADC will do the pre-authentication, if OK, it will forward the following messages. |
Relying Party |
Relying party trust configuration is received by AD FS Proxy from the AD FS server. This parameter can only be used in the AD FS mode. |
External URL |
The URL that ADC provide to the external users to serve as the Microsoft Application server such as Exchange server. Example: https://certauth.o365.com/owa/ |
Backend Server URL |
The URL that used for AD FS Proxy to access the Microsoft Application server such as Exchange server. Example: https://certauth.o365.com/owa/ |
Attach AD FS to a Virtual Server
There are two methods to use the AD FS function for a virtual server.
Attach an AD FS Publish
1. Edit a virtual server.
2. Click General.
3. Select a published service for AD FS Published Service.
4. Save the configuration.
Use an AD FS script
1. Complete all the steps in “Attach an AD FS Publish."
2. Click Server Load Balance > Scripting.
3. Find the script whose name format is “ADFS_virtual server name_AD FS Publish name." Then clone it.
4. Detach the AD FS Published Service for the virtual server;
5. If the real server pool which was used by the virtual server is different from the AD FS Proxy on which the AD FS Published Service was published, add content routing configuration for the both pools.
6. Attach the content routing created in step 5 to virtual server.
7. Add the cloned script in step 3 into virtual server.
8. Save the configuration.