Configure the management portals to trust AD FS

After you configure Active Directory Federations Services (AD FS), you must configure management portal for administrators and management portal for tenants to trust AD FS. You can either run the Set-MgmtSvcRelyingPartySettings cmdlet or run a Windows PowerShell script.

Option 1: Run the Set-MgmtSvcRelyingPartySettings cmdlet

1.   Run the Set-MgmtSvcRelyingPartySettings cmdlet on each machine where the administrator or tenant portal is installed.

Before you run the Set-MgmtSvcRelyingPartySettings cmdlet, ensure that the machine that you configure can access the AD FS web service metadata endpoint. To verify access, open a browser and go to the same URI that you plan to use for the –MetadataEndpoint parameter. If you can view the .xml file, you can access the federation metadata endpoint.

2.   Now, run the Set-MgmtSvcRelyingPartySettings cmdlet.

 

Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint https://<fqdn>/FederationMetadata/2007-06/FederationMetadata.xml -DisableCertificateValidation -ConnectionString 'Server=<some server>;User Id=<user with write permissions to all config databases>;Password=<password>;'

 

The following table shows required information to run the Set-MgmtSvcRelyingPartySettings cmdlet.

 

Cmdlet parameter

Required information

-Target

This parameter is used to indicate which portal to configure. Possible values: Admin, Tenant.

-MetadataEndpoint

The AD FS web service metadata endpoint. Use a valid, accessible, and complete URI, in the following format: https://<AD FS>/FederationMetadata/2007-06/FederationMetadata.xml. In the following cmdlets, replace $fqdn with an accessible AD FS fully qualified domain name (FQDN).

-ConnectionString

The connection string to the instance of Microsoft SQL Server that hosts the management portal configuration database.

Option 2: Run a Windows PowerShell script

·      Instead of using the cmdlet, you can run the following Windows PowerShell script on each machine where the administrator or tenant portal is installed.

 

$domainName ='mydomain.com'

$adfsPrefix ='AzurePack-adfs'

 

$dnsName = ($adfsPrefix + "." + $domainName)

 

# Enter Sql Server details here

$dbServer ='AzurePack-sql'

$dbUsername = 'sa'

$dbPassword ='<SQL_password>'

$connectionString = [string]::Format('Data Source={0};User ID={1};Password={2}', $dbServer, $dbUsername, $dbPassword)

 

# Note: Use the "DisableCertificateValidation" switch only in test environments. In production environments,

# all SSL certificates should be valid.

Set-MgmtSvcRelyingPartySettings -Target Tenant `

-MetadataEndpoint https://$dnsName/FederationMetadata/2007-06/FederationMetadata.xml `

-DisableCertificateValidation -ConnectionString $connectionString

 

Add users to have access to the management portal for administrators

·      If you want to add users to have access to the management portal for administrators, you must run the Add-MgmtSvcAdminUser cmdlet on the machine hosting the Admin API. The connection string should point to the Management Portal Configuration database.

The following code example shows how users are added to get access.

 

$adminuser ='domainuser1@mydomain.com'

$dbServer ='AzurePack-sql'

$dbUsername = 'sa'

$dbPassword ='SQL_Password'

$connectionString = [string]::Format('Server= {0} ;Initial Catalog=Microsoft.MgmtSvc.Store;User Id={1};Password={2};',$dbServer, $dbUsername, $dbPassword)

 

Add-MgmtSvcAdminUser -Principal $adminuser -ConnectionString $connectionstring

 

 

Note

·      The format of the $dbuser must match the user principal name (UPN) that is sent by AD FS.

·      Administrator users must be individual users. You cannot add AD groups as administrator users.

Next steps

·      Configure the tenant authentication site to trust AD FS