Office 365 AD FS 3.0 Implementation SSO (i)

Source: Internet
Author: User
Tags: free ssl, free ssl certificate, ssl certificate

A brief introduction to single sign-on (SSO): it is an integration solution for enterprise business applications. Once single sign-on is configured, users can access the enterprise's internal application systems without entering an account and password repeatedly; the currently logged-in user's token is used to authenticate to each application system, so a single login gets you into all of them.

Actually, before writing this article I set up this environment several times, ran into a lot of problems, and read a lot of blog posts about using Office 365 with AD FS to achieve SSO. I'll briefly describe the environment I'm building and the steps I need to configure.

-----------------------------------------------------------------

This demo Azure environment: Global Azure

The DNS resolution for this demo is as follows:

DNS provider (domain name)                      Records to add
Million Network (test domain: gshcloud.com)     1. The Office 365 records. I won't explain these in detail here; they can be seen in the Office 365 admin center under Domains.
                                                2. A record for AD FS.
Internal domain name: gshinternel.com           None

The cloud virtual machines in this demo's Azure environment are as follows:

Server name     Note
AzureAD0604     Active Directory, DNS service (Windows Server 2012 R2)
adfs0604        AD FS 3.0 (Windows Server 2012 R2) and AAD (Azure AD Connect)

[Figure: topology of the entire experimental environment (video from Channel 9)]

[Figure: this lab environment (Windows Azure)]

(Aside: if you are deploying on-premises, it is recommended to add a TMG or WAP (Web Application Proxy) server to reverse-proxy AD FS's port 443 to the extranet; exposing AD FS directly to the Internet is unsafe. My environment here is a simple lab, so I don't consider the security issues.)

As for deploying these two servers (creating the VMs, installing the AD service, joining the AD FS server to the domain), I won't elaborate.

-----------------------------------------------------------------

The overall steps are roughly as follows:

1. Add a UPN suffix and configure the users' UPN suffix (whether this is needed depends on whether your internal and external domain names are consistent)
2. Apply for a public (Internet-facing) SSL certificate
3. Install the AD FS service
4. Create a new forward lookup zone on the internal DNS server
5. Add an external DNS record and publish port 443 (port mapping)
6. Add a custom domain name in Office 365 and configure the related external records
7. Convert the custom domain name to a federated domain
8. Activate directory synchronization in Office 365 and install AAD (Azure AD Connect)
9. Configure directory synchronization and AD FS
10. Verify the user's login status

-----------------------------------------------------------------

Add a UPN suffix and configure the users' UPN suffix (whether this is needed depends on whether your internal and external domain names are consistent)

1. Open Active Directory Domains and Trusts, right-click the root node and choose Properties;

2. Add gshcloud.com as a UPN suffix (hint: this is my external domain name);

3. Open Active Directory Users and Computers, select the account you want to test, right-click Properties > Account, and change the UPN suffix;
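The same three UPN steps as an added PowerShell example (not from the original post), using the ActiveDirectory module instead of the MMC snap-ins; it assumes the public suffix gshcloud.com from this lab and a placeholder test account named testuser, and ends with a check for accounts still on a suffix Office 365 cannot use.

```powershell
# Added example, not from the original post: UPN steps 1-3 via the AD module.
# Assumptions: public domain gshcloud.com (from the lab), placeholder account "testuser".
Import-Module ActiveDirectory

$PublicSuffix = 'gshcloud.com'
$TestUser     = 'testuser'   # placeholder sAMAccountName

# Steps 1-2: register the public domain as an alternative UPN suffix on the forest.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $PublicSuffix }
}

# Step 3: switch the test account's UPN to the public suffix so that it matches
# the Office 365 sign-in name (user@gshcloud.com).
$user   = Get-ADUser -Identity $TestUser -Properties UserPrincipalName
$newUpn = '{0}@{1}' -f $user.SamAccountName, $PublicSuffix
Set-ADUser -Identity $user -UserPrincipalName $newUpn

# Check: list enabled users still carrying a suffix that is not verified in the
# tenant (here the internal gshinternel.com). Azure AD Connect replaces such a
# suffix with the tenant's .onmicrosoft.com one, and federated sign-in then fails.
Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$PublicSuffix" } |
    Select-Object SamAccountName, UserPrincipalName
```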

Apply for a public (Internet-facing) SSL certificate

4. In the Run dialog, type certlm.msc and click OK;

5. Under Personal > Certificates, right-click and select All Tasks (K) > Advanced Operations (A) > Create Custom Request (C);

6. In the Certificate Enrollment wizard, click Next;

7. On the enrollment policy page, choose Custom request > Proceed without enrollment policy, and click Next;

8. In Custom request, select the template "(No template) Legacy key" and the request format PKCS #10, then click Next;

9. On Certificate Information, click Properties;

10. On the General tab, fill in the Friendly name and Description (use the external FQDN of the AD FS server);

11. On the Subject tab, add a Common name of adfs.gshcloud.com (fill in the other fields as you see fit);

12. On the Private Key tab, expand Cryptographic Service Provider (C), untick Microsoft Strong Cryptographic Provider (Signature) and tick Microsoft RSA SChannel Cryptographic Provider (Encryption);

13. Under Key options, set the key size to 2048 and tick "Make private key exportable" (this is needed for the TMG or WAP server);

14. With the above configured, click Next;

15. Save the certificate request to a folder in Base 64 file format and click Finish;

16. The request we just created can be seen under Certificate Enrollment Requests;

17. Apply for a free SSL certificate online and enter the domain name adfs.gshcloud.com (important: this must be the FQDN of the external AD FS endpoint, not the bare domain name):

Https://buy.wosign.com/free/FreeSSL.html#apply

18. Under My Orders, click Submit CSR;

19. Open the file you saved in step 15 and copy its contents;

20. Choose option two, Submit your CSR; paste the text you just copied, click Detect CSR, then click Submit;

21. Once the application is complete, download the certificate attachment;

22. Unzip the certificate from the attachment and copy it to the AD FS server;

23. Under Personal > Certificates, right-click and select All Tasks (K) > Import (I);

24. In the Certificate Import Wizard, click Next;

25. On File to Import, click Next;

26. On Certificate Store, click Next;

27. On Completing the Certificate Import Wizard, click Finish;

28. Under Personal > Certificates, you can see that the public certificate we applied for has been imported.
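The certificate procedure above (steps 4-16 and 23-28) as an added PowerShell example, not from the original post, using certreq.exe so the request is reproducible and the result can be checked; it assumes the federation service name adfs.gshcloud.com from this lab, and the C:\Temp paths and the file name adfs.cer are placeholders.

```powershell
# Added example, not from the original post: the certificate procedure above
# (steps 4-16 and 23-28) done with certreq.exe instead of the MMC wizard.
# Assumptions: federation service name adfs.gshcloud.com; the C:\Temp paths and
# the returned file name adfs.cer are placeholders.
$Fqdn = 'adfs.gshcloud.com'
$Inf  = 'C:\Temp\adfs.inf'
$Csr  = 'C:\Temp\adfs.csr'
$Cer  = 'C:\Temp\adfs.cer'   # signed certificate downloaded from the CA (step 21)

@"
[NewRequest]
Subject = "CN=$Fqdn"
FriendlyName = "$Fqdn"                 ; step 10
RequestType = PKCS10                   ; step 8
KeyLength = 2048                       ; step 13
Exportable = TRUE                      ; step 13: the key can be copied to a WAP/TMG proxy
MachineKeySet = TRUE                   ; computer store, as opened by certlm.msc
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"   ; step 12
ProviderType = 12
KeySpec = 1                            ; AT_KEYEXCHANGE, the "(Encryption)" provider
KeyUsage = 0xA0                        ; digitalSignature + keyEncipherment
HashAlgorithm = sha256

[Extensions]
2.5.29.17 = "{text}"                   ; subjectAltName so clients match the FQDN
_continue_ = "dns=$Fqdn"
"@ | Set-Content -Path $Inf -Encoding ASCII

# Step 15: create the key pair in the machine store and write a Base64 PKCS#10
# request; its text is what gets pasted into the CA's CSR form (step 20).
certreq.exe -new $Inf $Csr

# Steps 23-27, once the CA has returned the signed certificate: -accept matches
# it to the pending request so it lands in Personal together with its private key.
if (Test-Path $Cer) {
    certreq.exe -accept $Cer
}

# Step 28 check: the certificate must carry a private key and build a valid SSL
# chain for the name, or the AD FS configuration wizard will not offer it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)               { throw "No certificate for $Fqdn in the machine store" }
if (-not $cert.HasPrivateKey) { throw "Certificate for $Fqdn has no private key" }
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn -ErrorAction SilentlyContinue)) {
    throw "Chain or DNS-name check failed for $Fqdn"
}
'OK: thumbprint {0}, valid until {1:d}' -f $cert.Thumbprint, $cert.NotAfter
```

Run it in an elevated PowerShell on the AD FS server; until the CA has returned adfs.cer only the request half executes, and the final check is expected to fail.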

This article from "Gs_hao" blog, declined reprint!
