Administrator Guide
• Federated Identities to Windows Azure Pack through AD FS – Part 1 of 3
• Federated Identities to Windows Azure Pack through AD FS – Part 2 of 3
For additional information, see Configure Active Directory Federation Services for Windows Azure Pack and AD FS 2.0 Cmdlets in Windows PowerShell in the TechNet Library.
2 Configure the tenant authentication site to trust AD FS.
Connect to the tenant portal VM (<Prefix>-APT01), open a Windows PowerShell session, and run the following script.
NOTE: First, replace the values in bold.
For username and password values, specify the username and password of a user who is a member of the <Prefix>-Diag-Admins group.
# FQDN of the AD FS service (placeholder value; replace it)
$fqdn = "<adfs.contoso.com>"
# SQL instance that hosts the PortalConfigStore database
$dbServer = "<Prefix>SQLIN01\SQLIN01"
$dbUser = "username"
$dbPassword = "password"
$portalConfigStoreConnectionString = [string]::Format('Data Source={0};Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;User ID={1};Password={2}', $dbServer, $dbUser, $dbPassword)
# Point the tenant site at the AD FS federation metadata.
# -DisableCertificateValidation skips TLS certificate validation of the metadata endpoint.
Set-MgmtSvcRelyingPartySettings -Target Tenant `
    -MetadataEndpoint https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml `
    -ConnectionString $portalConfigStoreConnectionString `
    -DisableCertificateValidation
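Added example (not part of the guide): a PowerShell pre-flight check that fetches the AD FS federation metadata with normal TLS certificate validation and lists the token-signing certificates it advertises, so that Set-MgmtSvcRelyingPartySettings can be run without -DisableCertificateValidation wherever the AD FS service certificate is trusted by the tenant portal VM. The function name Test-AdfsMetadataEndpoint and the $fqdn value are assumptions.

```powershell
# Added example, not from the guide. $fqdn is a placeholder as in the guide.
$fqdn = "adfs.contoso.com"
$metadataUrl = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"

function Test-AdfsMetadataEndpoint {
    param([Parameter(Mandatory)][string]$Url)

    try {
        # Default behaviour: the TLS chain is validated, so an untrusted,
        # expired or name-mismatched AD FS certificate fails right here.
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
    } catch {
        Write-Warning "TLS/HTTP failure for $Url : $($_.Exception.Message)"
        Write-Warning "Fix the AD FS service certificate or the trust chain on this VM rather than disabling validation."
        return $null
    }

    [xml]$metadata = $response.Content
    $ns = @{
        md = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds = 'http://www.w3.org/2000/09/xmldsig#'
    }
    # Token-signing certificates advertised by the IdP: the portal will accept
    # tokens signed by these, so record them for change control.
    $signing = Select-Xml -Xml $metadata -Namespace $ns -XPath `
        "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
        ForEach-Object {
            $raw = [Convert]::FromBase64String($_.Node.InnerText.Trim())
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        }

    [pscustomobject]@{
        EntityId            = $metadata.EntityDescriptor.entityID
        SigningCertificates = $signing | Select-Object Subject, Thumbprint, NotAfter
    }
}

$result = Test-AdfsMetadataEndpoint -Url $metadataUrl
if ($result) {
    $result | Format-List
    # Flag signing certificates that expire soon; AD FS auto-rollover changes
    # the thumbprint, and the portal must pick up the new metadata.
    $result.SigningCertificates | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
        ForEach-Object { Write-Warning "Signing certificate $($_.Thumbprint) expires $($_.NotAfter)" }
}
```

Run it on the tenant portal VM before step 2; a successful result means the metadata endpoint can be fetched with validation enabled from that host.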
3 Configure AD FS to trust the tenant portal.
As an AD FS administrator, run the following Windows PowerShell script on the server on which AD FS is installed. Replace the values in bold. For more information, see Configure Active Directory Federation Services for Windows Azure Pack.
$tenantRelyingPartyName = "Management Service - Tenant Site - 2012"
$tenantPortalUrl = "https://myfqdn:port"
$tenantRelyingPartyMetadataEndpoint = "$tenantPortalUrl/FederationMetadata/2007-06/FederationMetadata.xml"
$identityProviderName = "Identity Provider Name – ex:Active Directory"
$transformationRules = (
"@RuleTemplate = ""LdapClaims"" @RuleName = ""UPN - LDAP"" c:[Type == ""http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"", Issuer == ""AD AUTHORITY""] => issue(store = ""Active Directory"", types = (""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn""), query = "";userPrincipalName;{0}"", param = c.Value);",
"@RuleTemplate = ""LdapClaims"" @RuleName = ""Groups - LDAP"" c:[Type == ""http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"", Issuer == ""AD AUTHORITY""] => issue(store = ""Active Directory"", types = (""http://schemas.xmlsoap.org/claims/Group""), query = "";tokenGroups(domainQualifiedName);{0}"", param = c.Value);",
"@RuleTemplate = ""PassThroughClaims"" @RuleName = ""UPN - Passthrough"" c:[Type == ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn""] => issue(claim = c);",
"@RuleTemplate = ""PassThroughClaims"" @RuleName = ""Groups - Passthrough"" c:[Type == ""http://schemas.xmlsoap.org/claims/Group""] => issue(claim = c);")
$issuanceRules = (
"=> issue(Type = ""http://schemas.microsoft.com/authorization/claims/permit"", Value = ""true"");")
$impersonationRules = (
"c:[Type == ""http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"", Issuer =~ ""^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$""] => issue(store=""_ProxyCredentialStore"", types=(""http://schemas.microsoft.com/authorization/claims/permit""), query=""isProxySid({0})"", param=c.Value);c:[Type == ""http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"", Issuer =~ ""^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$""] => issue(store=""_ProxyCredentialStore"", types=(""http://schemas.microsoft.com/authorization/claims/permit""), query=""isProxySid({0})"", param=c.Value);c:[Type == ""http://schemas.microsoft.com/ws/2008/06/identity/claims/