Configure AD FS to trust the management portals

The last step in the configuration of Windows Azure Active Directory Federation Services (AD FS) for Windows Azure Pack is to configure AD FS to trust the management portals.

Configure AD FS to trust the management portals

1.   Ensure that the machine that you configure can access the AD FS web service metadata endpoint for the management portal for administrators. To verify access, open a browser and go to https://<AdminPortal_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <AdminPortal_endpoint> is the fully qualified domain name (FQDN) for the management portal for administrators. If you can view the .xml file, you can access the federation metadata endpoint.

2.   Ensure that the machine that you configure can access the AD FS web service metadata endpoint for the management portal for tenants. To verify access, open a browser and go to https://<TenantPortal_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <TenantPortal_endpoint> is the FQDN for the management portal for tenants. If you can view the .xml file, you can access the federation metadata endpoint.

3.   OPTIONAL. If you want to use the ASP.NET Membership Provider as the default Claims Provider for the management portal for tenants in AD FS, ensure that the machine that you configure can access the AD FS web service metadata endpoint for the Tenant Authentication Site. To verify access, open a browser and go to https://<TenantAuth_endpoint>/FederationMetadata/2007-06/FederationMetadata.xml, where <TenantAuth_endpoint> is the FQDN for the Tenant Authentication Site. If you can view the .xml file, you can access the federation metadata endpoint.

4.   Locate the configure-adfs.ps1 configuration script that is installed with Windows Azure Pack in C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Authentication\.

5.   Run the configure-adfs.ps1 script on the machine where AD FS is installed.

# Locations (FQDN:port) of the three Windows Azure Pack sites; adjust to your environment.
$tenantSite = 'tenant-AzurePack.contoso.com:30081'
$adminSite  = 'admin-AzurePack.contoso.com:30091'
$authSite   = 'auth-AzurePack.contoso.com:30071'

# Note: Use the "allowSelfSignCertificates" switch only in test environments. In production environments, all
# SSL certificates should be valid.
# The script is in the Samples\Authentication folder located in step 4. Parameter names use a plain hyphen.
& "C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Authentication\configure-adfs.ps1" `
    -identityProviderMetadataEndpoint "https://$authSite/federationmetadata/2007-06/federationmetadata.xml" `
    -tenantRelyingPartyMetadataEndpoint "https://$tenantSite/federationmetadata/2007-06/federationmetadata.xml" `
    -adminRelyingPartyMetadataEndpoint "https://$adminSite/federationmetadata/2007-06/federationmetadata.xml" `
    -allowSelfSignCertificates

Set $tenantSite and $adminSite to the locations (FQDN and port) of the management portal for tenants and the management portal for administrators. If you want to use the ASP.NET Membership Provider as the default Claims Provider for the management portal for tenants in AD FS, set $authSite to the location of the Tenant Authentication Site.

Supply the following parameter information (parameter, then the required information):

-identityProviderMetadataEndpoint
    OPTIONAL: Endpoint to obtain Federation Metadata for the Tenant Authentication Site. If you do not want to use the ASP.NET Membership Provider as the default Claims Provider for the management portal for tenants in AD FS, delete this line.

-tenantRelyingPartyMetadataEndpoint
    Endpoint to obtain Federation Metadata for the management portal for tenants.

-adminRelyingPartyMetadataEndpoint
    Endpoint to obtain Federation Metadata for the management portal for administrators.
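The following script is an added example, not part of the original page or of the Windows Azure Pack samples. It automates the checks in steps 1 to 3: for each site it fetches FederationMetadata.xml over a normally validated TLS connection, confirms the document is a SAML EntityDescriptor, and reports the entityID and the advertised signing-certificate thumbprint, so a broken certificate chain or a wrong FQDN is caught before configure-adfs.ps1 is run. The host names are placeholders taken from the sample above.

```powershell
# Added example (not from the original page): pre-flight check of the three
# Windows Azure Pack federation metadata endpoints before running configure-adfs.ps1.
# Placeholder FQDN:port values; replace them with your own.
$endpoints = @{
    'Admin portal'  = 'admin-AzurePack.contoso.com:30091'
    'Tenant portal' = 'tenant-AzurePack.contoso.com:30081'
    'Tenant auth'   = 'auth-AzurePack.contoso.com:30071'   # only needed with the ASP.NET Membership Provider
}

function Test-FederationMetadata {
    param([string]$Name, [string]$HostPort)
    $uri = "https://$HostPort/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        # Certificate validation is left on: a failure here is the same failure that
        # -allowSelfSignCertificates would only hide, and it must not reach production.
        $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
    } catch {
        Write-Warning "$Name : cannot retrieve $uri ($($_.Exception.Message))"
        return $false
    }

    [xml]$metadata = $response.Content
    $ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
    $entity = Select-Xml -Xml $metadata -XPath '/md:EntityDescriptor' -Namespace $ns
    if (-not $entity) {
        Write-Warning "$Name : document at $uri is not a SAML EntityDescriptor"
        return $false
    }

    # AD FS will trust whatever signing key this document advertises, so show its
    # thumbprint and expiry for comparison with the certificate installed on the portal.
    $certNode = Select-Xml -Xml $metadata -XPath '//ds:X509Certificate' -Namespace $ns | Select-Object -First 1
    if ($certNode) {
        $bytes = [Convert]::FromBase64String($certNode.Node.InnerText.Trim())
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        Write-Host ("{0}: entityID={1} signingCertThumbprint={2} notAfter={3:yyyy-MM-dd}" -f `
            $Name, $entity.Node.entityID, $cert.Thumbprint, $cert.NotAfter)
    } else {
        Write-Host ("{0}: entityID={1} (no signing certificate advertised)" -f $Name, $entity.Node.entityID)
    }
    return $true
}

$allOk = $true
foreach ($name in $endpoints.Keys) {
    if (-not (Test-FederationMetadata -Name $name -HostPort $endpoints[$name])) { $allOk = $false }
}
if (-not $allOk) { Write-Error 'One or more federation metadata endpoints failed; fix them before running configure-adfs.ps1' }
```

Run it on the AD FS server, the machine that configure-adfs.ps1 runs on, so the reachability and certificate checks reflect that host's trust store and network path.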