Migrate Office 365 Relying Party Trust to Different ADFS Farm

To migrate Office 365 Relying Party Trust from an existing ADFS Farm to new ADFS Farm, follow the step by step guide. Migrating Office 365 Relying Party Trust will incur a minor disruption to SSO environment.

Prerequisites:

  • Existing ADFS Farm with FQDN sts.domain.com
  • New ADFS Farm with FQDN sts1.domain.com
  • Existing Certificate CN=sts.domain.com or a wildcard certificate
  • New certificate with CN=sts1.domain.com
  • New public IP address for the public CNAME sts1.domain.com
  • A public CNAME record sts1.domain.com
  • An internal CNAME record sts1.domain.com

Note: keep the existing AAD Connect unless you have a requirement to build a new one.

Here are the steps:

Step1: Verify AAD Connect Configuration

  • Open AAD Connect, View Sign-in Option.
  • Check AAD Connect Wizard to make sure you did not configure “Federation with ADFS” Sign-in option. If you have done so then run AAD Connect Wizard again and replace the certificate and ADFS farm details to new ADFS server sts1.domain.com

Step2: Build ADFS and WAP Servers

Build a new ADFS farm side by side with an existing ADFS farm. It would be redundant effort to write another blog. Please follow my previous blog to deploy ADFS and WAP.

Building Multiple ADFS Farms in a Single Forest

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Branding and Customizing the ADFS Sign-in Pages

Step3: Test SSO

Log on to the https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx using on-premises credentials to make sure you can single sign-on.

Step4: Gather list of existing federated domains from existing ADFS Farm

Log on to the existing primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.

$cred=Get-Credential

Connect-MsolService –Credential $cred

Get-MsolDomain

Record a list of Federated Domains.

Step5: Update Office 365 RP within the new ADFS Farm

Log on to the new primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.

$cred=Get-Credential

Connect-MsolService –Credential $cred

Update-MsolFederatedDomain –DomaiName “Domain.com” –SupportMultipleDomain –Confirm  Execute Update-MsolFederatedDomain Cmdlets if you have additional federated domains such as DomainB.com

GetMsolDomain

Open ADFS Management Console, Make sure Office 365 RP has been created with necessary tokens and permissions. If necessary, clone all incoming and outgoing claims and permission from previous ADFS farm to new ADFS Farm and apply to the newly created Office 365 RP.

Step6: Test SSOOnce you have completed the Step5, wait for Microsoft to update their backend Identity and Federation systems. In my previous implementation work, it took 30 minutes the change to take effect.  Sign on to portal.office.com; you will be redirected to https://sts1.domain.com to authenticate. Once you have sign-in successfully, you have completed the migration work.

Step7: New AAD Connect Server (Optional)Check step1 before running AAD Connect Wizard and reconfigure sign-in options. If you need to change sign-in options, please follow the guide to change Sign-in Option.

Relevant Articles:

Upgrading AD FS to Windows Server 2016 FBL

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Deploy Work Folder in Azure Cloud

The concept of Work Folder is to store user’s data in a convenient location. User can access the work folder from BYOD and Corporate SOE from anywhere. The work folder facilitate flexible use of corporate information securely from supported devices. The work folder can be deployed on-premises and in Azure Cloud. In this article, I will demonstrate how to deploy Work Folder in Azure. Before that, let’s start with application of Work Folder.

Applications of Work Folder in Corporate Environment

  • Provide a single point of access to work files from a user’s work and personal devices
  • Access the work files online and offline. While accessing offline, the data can be synced back to the Sync Server when the device connected to internet or intranet again
  • Deploy with existing deployments of Folder Redirection, Offline Files, and home folders
  • Use Windows File Server, SMB Share and other CIFS share for example NetApp CIFS share
  • Use file classification and folder quotas, to manage user data
  • Apply security policy and encryption to encrypt Work Folders and use a lock screen password
  • Use Microsoft Failover Clustering with Work Folders to provide a high-availability solution

Enhanced Functionality:

  • Azure AD Application Proxy support
  • Faster change replication
  • Integrated with Windows Information Protection (WIP)
  • Microsoft Office integration

Supported Environment:

  • NetApp CIFS, Windows File Server or Windows SMB Storage as the UNC path of Sync Share
  • Windows Server 2012 R2 or Windows Server 2016 for hosting sync shares with user files
  • A public certificate or internal certificate domain joined computer
  • Windows Server 2012 R2 level AD DS Schema
  • Windows 10 version 1703,
  • Android 4.4 KitKat and later
  • iOS 10.2 and later

Internal DNS records (CNAME records)

  • workfolders.domain.com pointed to syncserver1.domain.com and sycserver2.domain.com
  • sts.domain.com point to ADFS Servers
  • enterpriseregistration.domain.com pointed to ADFS servers

Internal DNS records (Host A Record)

  • syncserver1.domain.com
  • syncserver2.domain.com

Publishing Work Folder for mobile workforce

  • Access from Internet or use Azure Credentials
  • Web Application Proxy
  • Active Directory Federation Services (AD FS) with public DNS record sts.domain.com and enterpriseregistration.domain.com
  • A public DNS record i.e. CNAME = workfolders.domain.com
  • A public certificate from a public CA i.e. CN= workfolders.domain.com SAN=syncserver1.domain.com, syncserver2work.domain.com. There must be private key associated with the certificate which means the certificate must in pfx format before importing into the sync servers.

Deploy Work Folder Server

  1. Log on to Azure Portal, Deploy a Windows Server 2016 from Azure Marketplace. Since we will be using this VM for Sync Share. I would recommend selecting an L series VM which storage optimised VM.
  2. Once the VM is provisioned, attached premium data disk for high I/O and low latency file store.
  3. Build a Windows Server 2016, Configure TCP/IP and Join the server to the domain
  4. Remote into the server using domain admins credential. Open the Add Roles and Features Wizard.
  5. On the Select installation type page, choose Role-based or feature-based deployment.
  6. On the Select destination server page, select the server on which you want to install Work Folders.
  7. On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select Work Folders.
  8. When asked if you want to install IIS Hostable Web Core, click Ok to install the minimal version of Internet Information Services (IIS) required by Work Folders.
  9. Click Next until you have completed the wizard.
  10. Repeat the steps for all Work Folder Servers.

Install Certificate on the Work Folder Server

  1. On the Windows server 2016 where you want to install the SSL certificate, open the Console.
  2. In the Windows start menu, type mmc and open it.
  3. In the Console window, in the top menu, click File > Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, in the Available snap-ins pane (left side), select Certificates and then click Add
  5. In the Certificate snap-in window, select Computer account and then click Next
  6. In the Select Computer window, select Local computer: (the computer this console is running on), and then click Finish
  7. In the Add or Remove Snap-ins window, click OK.
  8. In the Console window, in the Console Root pane (left side), expand Certificates (Local Computer), right-click on the Web Hosting folder, and then click All Tasks > Import.
  9. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.
  10. On the File to Import page, browse to and select the file that you want import and then, click Next.
  11. Notes: In the File Explorer window, in the file type drop-down, make sure to select All Files (*.*). By default, it is set to search for 509 Certificate (*.cert;*.crt) file types only.
  12. On the Private key protection page, provide the password when you exported the certificate, check Mark the Private Key exportable for future use, and check import all extended properties.
  13. On the Certificate Store page, do the following and then click Next, Select Place all certificates in the following store and click Browse.
  14. In the Select Certificate Store window, select Web Hosting and click OK.
  15. On the Completing the Certificate Import Wizard page, verify that the settings are correct and then, click Finish.
  16. Repeat the steps for all Work Folder Servers.

Bind the Certificate:

  1. Log on to a jump box where IIS Management Console is installed, Open IIS Management Console, Connect to Work Folder Server. Select the Default Web Site for that server. The Default Web Site will appear disabled, but you can still edit the bindings for the site and select the certificate to bind it to that web site.
  2. Use the netsh command to bind the certificate to the Default Web Site https interface. The command is as follows:

netsh http add sslcert ipport=<IP address of Sync Share Server>:443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY

Create Active Directory Security Group

  1. You need minimum two AD security groups for Work Folder. One for Work Folder Admin and another for Work Folder Sync Share. For this article, let’s assume we have a Sync Share. We will create two Security Groups named FS-HRShareUser-SG and FS-HRShareAdmin-SG
  2. Make sure these security group scope is Global not Universal. In the Members section, click Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.

Create a Sync Share

  1. In Server Manager, click File and Storage Services, and then click Work Folders.
  2. A list of any existing sync shares is visible at the top of the details pane. To create a new sync share, from the Tasks menu choose New Sync Share…. The New Sync Share Wizard appears.
  3. On the Select the server and path page, specify where to store the sync share. If you already have a file share created for this user data, you can choose that share. Alternatively you can create a new folder.
  4. On the Specify the structure for user folders page, choose a naming convention for user folders within the sync share. Select either User alias or User alias@domain
  5. On the Enter the sync share name page, specify a name and a description for the sync share. This is not advertised on the network but is visible in Server Manager
  6. On the Grant sync access to groups page, specify the group that you created that lists the users allowed to use this sync share.
  7. On the Specify device policies page, specify whether to request any security restrictions on client PCs and devices. Select either Automatically lock screen, and require a password or Encrypt Work Folders based on your requirements.
  8. Review your selections and complete the wizard to create the sync share.

Setup a Tech Support Email Address

  1. In Server Manager, click File and Storage Services, and then click Servers.
  2. Right-click the sync server, and then click Work Folders Settings. The Work Folders Settings window appears.
  3. In the navigation pane, click Support Email and then type the email address or addresses that users should use when emailing for help with Work Folders. Click Ok when you’re

Publish Work Folder using ADFS Server

You can set up and configure the relying party trust for Work Folders, even though Work Folders hasn’t been set up yet. The relying party trust must be set up to enable Work Folders to use AD FS. Because you’re in the process of setting up AD FS, now is a good time to do this step.

To set up the relying party trust:

  1. Log on to ADFS Server. Open Server Manager, on the Tools menu, select AD FS Management.
  2. In the right-hand pane, under Actions, click Add Relying Party Trust.
  3. On the Welcome page, select Claims aware and click Start.
  4. On the Select Data Source page, select Enter data about the relying party manually, and then click Next.
  5. In the Display name field, enter WorkFolders, and then click Next.
  6. On the Configure Certificate page, click Next..
  7. On the Configure URL page, click Next.
  8. On the Configure Identifiers page, add the following identifier: https://workfolders.domain.com/V1. This identifier is a hard-coded value used by Work Folders, and is sent by the Work Folders service when it is communicating with AD FS. Click Next.
  9. On the Choose Access Control Policy page, select Permit Everyone, and then click Next.
  10. On the Ready to Add Trust page, click Next.
  11. After the configuration is finished, the last page of the wizard indicates that the configuration was successful. Select the checkbox for editing the claims rules, and click Close.
  12. In the AD FS snap-in, select the WorkFolders relying party trust and click Edit Claim Issuance Policy under Actions.
  13. The Edit Claim Issuance Policy for WorkFolders window opens. Click Add rule.
  14. In the Claim rule template drop-down list, select Send LDAP Attributes as Claims, and click Next.
  15. On the Configure Claim Rule page, in the Claim rule name field, enter WorkFolders.
  16. In the Attribute store drop-down list, select Active Directory.
  17. In the mapping table, enter these values:
    • User-Principal-Name: UPN
    • Display Name: Name
    • Surname: Surname
    • Given-Name: Given Name
  18. Click Finish. You’ll see the WorkFolders rule listed on the Issuance Transform Rules tab and click OK.
  19. In the AD FS snap-in, select the WorkFolders relying party trust, On the properties, choose the Encryption tab, Remove the certificate encryption
  20. Choose the Signature tab and make sure the Work Folder Certificate was imported
  21. Click Apply, Click Ok.

Set relying part trust options

These commands set options that are needed for Work Folders to communicate successfully with AD FS, and can’t be set through the UI. These options are:

  • Enable the use of JSON web tokens (JWTs)
  • Disable encrypted claims
  • Enable auto-update
  • Set the issuing of Oauth refresh tokens to All Devices.
  • Grant clients access to the relying party trust

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -EnableJWT $true

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -Encryptclaims $false

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -AutoupdateEnabled $true

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -IssueOAuthRefreshTokensTo AllDevices

Grant-AdfsApplicationPermission -ServerRoleIdentifier “https://workfolders.domain.com/V1&#8221; –AllowAllRegisteredClients

Enable Workplace Join

To enable device registration for Workplace Join, you must run the following Windows PowerShell commands, which will configure device registration and set the global authentication policy:

Initialize-ADDeviceRegistration -ServiceAccountName domain\svc-adfsservices$

Set-ADFSGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

Set up AD FS authentication

To configure Work Folders to use AD FS for authentication, follow these steps:

  1. Log on to Sync Share Server. Open Server Manager.
  2. Click Servers, and then select your Work Folders server in the list.
  3. Right-click the server name, and click Work Folders Settings.
  4. In the Work Folder Settings window, select Active Directory Federation Services, and type in the ADFS URL. Click Apply. In the test example, the URL is https://sts.domain.com.

Publish the Work Folders web application

The next step is to publish a web application that will make Work Folders available to clients. To publish the Work Folders web application, follow these steps:

  1. Import Work Folder Certificate into WAP Servers
  2. Open Server Manager, and on the Tools menu, click Remote Access Management to open the Remote Access Management Console.
  3. Under Configuration, click Web Application Proxy.
  4. Under Tasks, click Publish. The Publish New Application Wizard opens.
  5. On the Welcome page, click Next.
  6. On the Preauthentication page, select Active Directory Federation Services (AD FS), and click Next.
  7. On the Support Clients page, select OAuth2, and click Next.
  8. On the Relying Party page, select Work Folders, and then click Next. This list is published to the Web Application Proxy from AD FS.
  9. On the Publishing Settings page, enter the following and then click Next, use these values:
  1. The confirmation page shows the Windows PowerShell command that will execute to publish the application. Click Publish.
  2. On the Results page, you should see the application was published successfully.

Configure Work Folders on the client

To configure Work Folders on the non-domain join client machine, follow these steps:

  1. On the client machine, open Control Panel and click Work Folders.
  1. Click Set up Work Folders.
  1. On the Enter your work email address page, enter either the user’s email address (for example, user@domain.com) or the Work Folders URL (in the test example, https://workfolders.domain.com), and then click Next.
  2. If the user is connected to the corporate network, the authentication is performed by Windows Integrated Authentication. If the user is not connected to the corporate network, the authentication is performed by ADFS (OAuth) and the user will be prompted for credentials. Enter your credentials and click OK.
  3. After you have authenticated, Click Next.
  4. The Security Policies page lists the security policies that you set up for Work Folders. Click Next.
  5. A message is displayed stating that Work Folders has started syncing with your PC. Click Close.
  6. The Manage Work Folders page shows the amount of space available on the server, sync status, and so on. If necessary, you can re-enter your credentials here. Close the window.
  7. Your Work Folders folder opens automatically. You can add content to this folder to sync between your devices.

To configure Work Folders on the domain joined client machine, follow these steps:

  1. Configure using GPO, use Go to User Configuration > Administrative Templates > Windows Components > Work Folders > Specify Work Folders settings.
  2. Specify Work Folder URL as workfolders.domain.com
  3. Apply the GPO to selected OU.

Relevant Article:

Work Folder FAQ

NetApp CIFS shares not mounting to Windows Server 2012

 

ADFS 4.0 Step by Step Guide: Federating with Splunk Cloud

To integrate On-Premises SSO with Splunk Cloud, you need the following items:

  • An administrative account in your ADFS
  • An administrative account in your Windows Active Directory
  • An administrative account for your Splunk Cloud instance or tenant.

Step1: Create Security Groups

  1. Sign into Domain Controller
  2. Open Active Directory Users and Computers
  3. Create two security groups named, SG-SplunkAdmin and SG-SplunkUsers

Step2: Download IdP (ADFS 2016) Metadata

  1. Log into the ADFS 2016 server or an admin PC.
  2. Open a browser and type metadata URL https://ADFSServer1.domain.com/federationmetadata/2007-06/federationmetadata.xml
  3. Download and save the metadata as IdP metadata.

Step3: Download Splunk Metadata

  1. Login to Splunk Cloud instance using administrator credentials.
  2. Download metadata from your instance of Splunk Cloud or This can be obtained by, once logged into a session as an admin role user, entering the URL https://yourinstance.splunkcloud.com/saml/spmetadata into your browser’s URL field.
  3. Download and save the metadata as SP metadata

Step4: Extract Splunk certificate from metadata

  1. Open Splunk metadata XML file in a notepad, Search “X509Certificate” in the metadata. Copy the everything starting from XML tags from ‘<ds:X509Certificate>‘ to ‘</ds:X509Certificate>‘.
  2. Open a new notepad and paste the content into the notepad. Place a row above the certificate with the text —–BEGIN CERTIFICATE—– and a row below the certificate with the text —–END CERTIFICATE—–
  3. Save the notepad as a .cer
  4. The file will look like this one but with more hexadecimal character

—–BEGIN CERTIFICATE—–

MIIEsjCCA5qgAwIBAgIQFofWiG3iMAaFIz2/Eb9llzANBgkqhkiG9w0BAQsFADCB

sjFuz4DliAc2UXu6Ya9tjSNbNKOVvKIxf/L157fo78S1JzLp955pxyvovrsMqufq

YBLqJop4

—–END CERTIFICATE—–

Step5: Create a Relying Party Trust

  1. Log into the ADFS 2016 server and open the management console.
  2. Right-click Service>Relying Party Trusts>Select Add Relying Party Trust from the top right corner of the window.
  3. Click Claims aware>Click Start
  4. Click Import Data about the relying party
  5. Browse the location where you saved Splunk metadata, select metadata, and Click Next
  6. Type the Display Name as SplunkRP, Click Next
  7. Ensure I do not want to configure multi-factor authentication […] is chosen, and click Next
  8. Permit all users to access this relying party.
  9. Click Next and clear the Open the Claims when this finishes check box.
  10. Close this page. The new relying party trust appears in the window.
  11. Right-click on the relying party trust and select Properties.
  12. On the properties, choose the Encryption tab, Remove the certificate encryption
  13. Choose the Signature tab and make sure the Splunk Certificate was imported
  14. Select to the Advanced tab and set the Secure hash algorithm to SHA-1.
  15. Click into the Identifiers tab. The default Relying party identifier for Splunk came in from the metadata file as ‘splunkEntityId’. Remove Default one. Add new entity ID splunk-yourinstance
  16. Under the Endpoints tab, make sure the Consumer Endpoints is https://yourinstance.splunkcloud.com/saml/acs  with a Post binding and index 0
  17. Under the Endpoints tab, make sure the make sure the Logout Endpoints is https://yourinstance.splunkcloud.com/saml/logout with a Post binding
  18. Click Apply, Click Ok.

Step6: Add Claim Rule for the Relying Party

  1. Log into the ADFS server and open the management console.
  2. Right-click on the Splunk relying party trust and select Edit Claim Rules.
  3. Click the Issuance Transform Rules tab.
  4. Click Add Rules. Add a Rule Type the Name as Rule1
  5. Ensure Send LDAP Attributes as Claims is selected, and click Next
  6. Select the below details

Claim Rule Name =  Rule1

Attribute Store = Active Directory

LDAP Attribute Outgoing Claim Type
Display-Name realName

 

Token-Groups – Unqualified Names Role
E-Mail-Addresses mail
  1. Click Finish. Click Apply
  2. Click Add Rules. Add a Rule Type the Name as  Rule2
  3. Ensure Transform an Incoming Claim is selected, and click Next
  4. Select the below details
Claim Rule Name Rule2

 

Incoming claim type UPN

 

Incoming NameID format Unspecified
Outgoing Claim Type Name ID
Outgoing name ID format Transient Identifier
  1. Click Finish. Click Apply

Step7: Import Splunk Certificate into ADFS Server

  1. Sign into ADFS Server, Open Command Prompt as an Administrator, type MMC.exe
  2. Click File, Click Add/Remove Snap-in
  3. Click Certificates, Click Computer Account
  4. Right Click on Trusted People>All Tasks>Import Certificate
  5. Browse the location of certificate and import
  6. Close MMC.
  7. Repeat these steps in all ADFS Servers in your farm.

Step8: Setup SigningCertificateRevocationCheck to None

Sign into primary ADFS, open PowerShell as an administrator, type the following and hit enter.

Set-ADFSRelyingPartyTrust -TargetName “SplunkRP” -SigningCertificateRevocationCheck None

Step9: Configure SplunkCloud in your instance

  1. On the Splunk instance as an Admin user, choose Settings->Access Controls->Authentication Method.  Choose SAML then click on the Configure Splunk to use SAML’ button.
    within the SAML Groups setup page in Splunk, click on the SAML Configuration button in the upper right corner.
  2. The SAML Configuration popup window will appear. Click on Select File to import the XML Metadata file (or copy and paste the contents into the Metadata Contents textbox) and click Apply.
  3. The following fields should be automatically populated by the metadata:
    Single Sign On (SSO) URL
    Single Log Out (SLO) URL
    idP’s Certificate file
    Sign AuthnRequest (checked)
    Sign SAML response (checked)
    Enter in the Entity ID as splunk-yourinstance as was used in ADFS RP Identifier property of the ADFS configuration.
  4. Scroll down to the ‘Advanced Settings‘ section.
    Enter in the Fully Qualified Domain Name (FQDN) of the Splunk Cloud instance – ‘https://yourinstance.splunkcloud.com
    Enter a ‘0‘ (zero) for the Redirect port – load balancer’s port.
    Set the Attribute Alias Role to ‘http://schemas.microsoft.com/ws/2008/06/identity/claims/role’
    It may also be necessary to set an Attribute Alias for ‘Real Name’ and ‘Mail’ – but not all implementations require these settings. Click Save to Save the configuration:
  5. The next step is set up the SAML groups. Within the Splunk ‘Settings->Access Controls->Authentication Method->SAML Settings‘ page, click the green “New Group” button
  6. Enter a group name that associates with ADFS Active Directory passed group names, some examples follow
Group Name (Type this name on New Group Properties ) Splunk Role (Select from Available Roles) Active Directory Security Group
SG-SplunkAdmin Admin SG-SplunkAdmin
SG-SplunkUsers User SG-SplunkUsers
  1. Click Save.

Step10: Testing SSO

  1. To test SSO, visit  https://yourinstance.splunkcloud.com/en-US/account/login?loginType=splunk  You will be redirected to ADFS STS Signing Page. Enter your on-premises email address and password as the credential.  You should be redirected back to Splunk Cloud.
  2. Also test logging out of Splunk, you should be re-directed to the Splunk SAML logout page.

 

ADFS 4.0 Step by Step Guide: Federating With Google Apps

To integrate On-Premises SSO with Google Apps, you need the following items:

Step1: Export ADFS Token Signing Certificate

  1. Log into the ADFS 2016 server and open the management console.
  2. Right-click Service>Certificate
  3. Right-click the certificate and select View Certificate.
  4. Select the Details tab.
  5. Click Copy to File. The Certificate Export Wizard opens.
  6. Select Next. Ensure the No, do not export the private key option is selected, and then click Next.
  7. Select DER encoded binary X.509 (.cer), and then click Next.
  8. Select where you want to save the file and give it a name. Click Next.
  9. Select Finish.

Step2: Download Google Certificate

  1. Login to Google Admin console with administrator permission to add new apps.
  2. Go to Apps > SAML Appsand click “+” at the right bottom of the page to add a new SAML IDP (“Enable SSO for SAML Application”).
  3. Select the “Setup my own custom app” at the bottom of the window. You will see the “Google IdP Information” page. Click Download button to retrieve google certificate.

Step3: Create a Relying Party Trust

  1. Log into the ADFS 2016 server and open the management console.
  2. Right-click Service>Relying Party Trusts>Select Add Relying Party Trust from the top right corner of the window.
  3. Click Claims aware>Click Start
  4. Click Enter Data about the relying party manually
  5. Give it a display name such as GoogleApps>Click Next>Click Next
  6. On the Configure URL Page, Check Enable support for the SAML 2.0 WebSSO protocol and type  https://www.google.com/a/domain.com/acs, Click Next
  7. On the Configure RP Identifier Page, type the identifiers: google.com/a/domain.com, Click Add
  8. Ensure I do not want to configure multi-factor authentication […] is chosen, and click Next
  9. Permit all users to access this relying party.
  10. Click Next and clear the Open the Claims when this finishes check box.
  11. Close this page. The new relying party trust appears in the window.
  12. Right-click on the relying party trust and select Properties.
  13. Select to the Advanced tab and set the Secure hash algorithm to SHA-256.
  14. Under the Endpoints tab, click Add SAML Logout with a Post binding and a URL of https://sts.domain.com/adfs/ls/?wa=wsignout1.0
  15. Select to signature tab, Click Add.. Import the google certificate, you have exported from Google admin console. Click Apply, Click Ok.

Step4: Add Claim Rule for the Relying Party

  1. Log into the ADFS server and open the management console.
  2. Right-click on the GoogleApps relying party trust and select Edit Claim Rules.
  3. Click the Issuance Transform Rules tab.
  4. Click Add Rules. Add a Rule Type the Name as GoogleApps Rule
  5. Ensure Send LDAP Attributes as Claims is selected, and click Next
  6. Select the below details
  • Claim Rule Name =  Send Email Address As NameID
  • Attribute Store = Active Directory
  • LDAP Attribute = E-mail-Addresses
  • Outgoing Claim Type = Name-ID
  1. Click Finish. Click Apply

Step5: Configure Google Apps in Admin Console

  1. Sign into the Google Apps Admin Console using your administrator account.
  2. Click Security. If you don’t see the link, it may be hidden under the More Controls menu at the bottom of the screen.
  3. On the Security page, click Setup single sign-on (SSO).
  4. Perform the following configuration changes:
  1. In Google Apps, for the Verification certificate, replace and upload the ADFS token signing certificate that you have downloaded from ADFS.
  2. Click Save Changes.

Step6: Testing SSO

To test SSO, visit http://mail.google.com/a/domain.com.  You will be redirected to ADFS STS Signing Page. Enter your on-premises email address and password as the credential.  You should be redirected back to Google Apps and arrive at your mailbox.

ADFS 4.0 Step by Step Guide: Federating with ServiceNow

Prerequisites:

Step1: Export Token Signing Certificate

  • Log into the ADFS 2016 server and open the management console.
  • Right-click Service>Certificate
  • Right-click the certificate and select View Certificate.
  • Select the Details tab.
  • Click Copy to File. The Certificate Export Wizard opens.
  • Select Next.Ensure the No, do not export the private key option is selected, and then click Next.
  • Select DER encoded binary X.509 (.cer), and then click Next.
  • Select where you want to save the file and give it a name. Click Next.
  • Select Finish. The instance requires that this certificate be in PEM format. You can convert this certificate using client tools or even online tools such as: SSL Shopper.
  • Use the DER/Binary certificate that you just created, and export it in Standard PEM format.
  • Right Click on the exported certificate>Edit with Notepad
  • Copy everything from Begin Certificate to End Certificate including —– and Paste in Service Now when needed.

—–BEGIN NEW CERTIFICATE REQUEST—–

/DY5HA/Cz5fElf4YTQak8PZMmCcndgPA==

—–END NEW CERTIFICATE REQUEST—–

Step2: Create a Relying Party Trust

  • Log into the ADFS 2016 server and open the management console.
  • Right-click Service>Relying Party Trusts>Select Add Relying Party Trust from the top right corner of the window.
  • Click Claims aware>Click Start
  • Click Enter Data about the relying party manually
  • Give it a display name such as ServiceNow>Click Next>Click Next>Click Next
  • Enter the instance site to which you connected as the Relying Party trust identifier. In this case use https://company.service-now.com and click Add.
  • Permit all users to access this relying party.
  • Click Next and clear the Open the Claims when this finishes check box.
  • Close this page. The new relying party trust appears in the window.
  • Right-click on the relying party trust and select Properties.
  • Browse to the Advanced tab and set the Secure hash algorithm to SHA-1.
  • Browse to the Endpoints tab and add a SAML Assertion Consumer with a Post binding and a URL of https://company.service-now.com/navpage.do
  • Under the Endpoints tab, click Add SAML Logout with a Post binding and a URL of https://sts.domain.com/adfs/ls/?wa=wsignout1.0

Step3: Add Claim Rule

  • Log into the ADFS server and open the management console.
  • Right-click on the ServiceNow relying party trust and select Edit Claim Rules.
  • Click the Issuance Transform Rules tab.
  • Select Add Rules. Add Custom Rule Type the Name as ServiceNow Rule, Copy and Paste the below rule.

Rule#1

c:[Type == “http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname&#8221;, Issuer == “AD AUTHORITY”]

=> issue(store = “Active Directory”, types = (“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier&#8221;, “http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname&#8221;, “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress&#8221;), query = “;userPrincipalName,sAMAccountName,mail;{0}”, param = c.Value);

Rule#2

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”%5D

=> issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier&#8221;,

Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,

Properties[“http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format”%5D

= “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”);

Step4: Activate SSO in ServiceNow

  • Sign-on to your ServiceNow application as an administrator.
  • Activate the Integration – Multiple Provider Single Sign-On Installer plugin by following the next steps:
  • In the navigation pane on the left side, go to System Definition section and then click Plugins.
  • Search for Integration – Multiple Provider Single Sign-On Installer.
  • Select the plugin. Rigth click and select Activate/Upgrade.
  • Click the Activate
  • In the navigation pane on the left side, click Properties.
  • On the Multiple Provider SSO Properties dialog, perform the following steps:
  • As Enable multiple provider SSO, select Yes.
  • As Enable debug logging got the multiple provider SSO integration, select Yes.
  • In The field on the user table that… textbox, type user_name.
  • Click Save.

Step5: Import Certificate in ServiceNow

  • In the navigation pane on the left side, click x509 Certificates.
  • On the 509 Certificates dialog, click New.
  • On the 509 Certificates dialog>Click New.
  • In the Name textbox, type a name for your configuration (e.g.: 0).
  • Select Active.
  • As Format, select PEM.
  • As Type, select Trust Store Cert.
  • Open your Base64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the PEM Certificate
  • Click Update.

Step6: Configure IdP provider

  1. In the navigation pane on the left side, click Identity Providers.
  2. On the Identity Providers dialog, click New:
  3. On the Identity Providers dialog, click SAML2 Update1?:
  4. On the SAML2 Update1 Properties dialog, perform the following steps:
  • in the Name textbox, type a name for your configuration (e.g.: SAML 2.0).
  • In the User Field textbox, type email or user_name, depending on which field is used to uniquely identify users in your ServiceNow deployment.
  • copy the Identity Provider ID value http://sts.domain.com/adfs/ls, and then paste it into the Identity Provider URL textbox
  • copy the Authentication Request URL value http://sts.domain.com/adfs/ls, and then paste it into the Identity Provider’s AuthnRequest
  • copy the Single Sign-Out Service URL value https://domain.com/adfs/ls/?wa=wsignout1.0, and then paste it into the Identity Provider’s SingleLogoutRequest textbox.
  • In the ServiceNow Homepage textbox, type the URL https://company.service-now.com/navpage.do of your ServiceNow instance homepage
  • In the Entity ID / Issuer textbox, type the URL https://company.service-now.com/of your ServiceNow tenant.
  • In the Audience URL textbox, type the URL https://company.service-now.com/ of your ServiceNow tenant.
  • In the Protocol Binding for the IDP’s SingleLogoutRequest textbox, type urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect.
  • In the NameID Policy textbox, type urn:oasis:names:tc:SAML:1.1:nameid-format:emailaddress.
  • Deselect Create an AuthnContextClass (By deselecting this option, you have created SP-Initiated SSO)
  • In the AuthnContextClassRef Method, Since you are using on-premises ADFS or MFA for authentication then you should not configure this value.
  • In Clock Skew textbox, type 60.
  • As Single Sign On Script, select MultiSSO_SAML2_Update1.
  • As x509 Certificate, select the certificate you have created in the previous step.
  • Click Submit.

Testing Single Sign On:

IdP Initiated Signon Redirect:

To create a direct link so users do not need to select from a drop down list, browse to https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://company.service-now.com

SP-Initiated Signon:

https://company.service-now.com/navpage.do

Configure Azure B2B, Azure Rights Management for on-premises SharePoint, Exchange and File server

Azure Information Protection (Azure RMS) is an enterprise information protection solution for any organization. Azure RMS provides classification, labeling, and protection of organization’s data.

Note: This deployment also enables Azure B2B access for the Published Applications in Azure AD.

Azure Prerequisites

  • A subscription that includes Azure Information Protection. For example, PAYG, EA or E5
  • A global administrator account (@domain.onmicrosoft.com) to sign in to the Azure portal

Minimum On-premises Prerequisites

  • An operational Active Directory Federation Services
  • An operational Azure Active Directory Connect
  • An Active Directory Domain Controller
  • An RMS Connector Server
  • RMS Client version 2.1 or above installed on the SharePoint or File Server or Exchange Server
  • Azure Information Protection for Microsoft Office 2016
  • A matching UPN (dmain.com) which has been federated to Azure AD
  • Publicly routable domains name (domain.com)
  • Publicly routable DNS Records (spirm.domain.com, sts.domain.com)
  • Public certificates with SAN or an wild card certificate
  • Public certificate must have private key or PFX format
  • An operational SharePoint or File Server or Exchange Server to be protected by Azure RMS

Deploy On-prem Infrastructures:

  1. Register and verify domain.com to Azure ARM Portal
  2. Install and configure Active Directory Federation Services
  3. Install and configure Web Application Proxy Server
  • Install and configure Azure Active Directory Connect. AAD Connect installation pretty straight forward. To use Azure RMS you have to select three extra steps in AAD Connect. Either you can modify existing configuration to the below or if you are installing from scratch then you have to select an additional features. To provide the RMS functionality to synced users, Azure RMS has been selected in AAD Connect Wizard along with the Azure AD Apps.
  • On the AAD Connect Installation Page, click Customize to start a customized settings installation.
  • On User Signin Page Select Federation With ADFS.
  • On the Optional feature Page, Select Azure AD App and Attribute Filtering. Make sure you select all features which include Azure RMS
  1. Activate Azure RMS
  • Sign to Azure Portal using a Global Admin user (@domain.onmicrosoft.com)
  • Open Azure Information Protection, Click RMS Settings, Click Activate.
  1. If you are protecting SharePoint Server then you have to the additional steps on ADFS Server and SharePoint Server mentioned below.

Internal CNAME DNS record:

  • domain.com pointed to ADFS Server
  • domain.com pointed to SP Server
  • domain.com pointed to RMS Connector Server

ADFS Configuration:

Add a Claim Provider Trust using Wizard, type the name of the Claim Provider as “AzureAD” Select the URL to import metadata from https://login.microsoftonline.com/domain.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml

Right Click on the the Azure AD Claim Provider, Edit Claim Rule and Add a custom claim rule

c:[]  => issue(claim = c);

 Add SharePoint 2013/2016 as a Relying Party Trust with the below properties:

Method to Add RP: Manual

Name: SP

RP Identifier: urn:sharepoint:domain

Enable WS-Federation and provide the following passive reply url: https://spirm.domain.com /_trust/

 Add two Claim Rules

UPN Claim Rule

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name”%5D
 => issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn&#8221;, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

B2B User Claim Rule

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”%5D
 => issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn&#8221;, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

Specify AzureAD as SharePoint 2013 Claim Provider

Set-AdfsRelyingPartyTrust -TargetName “SP”  -ClaimsProviderName @(“AzureAD”)

Specify Claim Provider for Internal Users:

Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

Add Azure Web Application:

Log on to portal.azure.com, Click Azure AD, On the App registration section, Register an Azure Web Application using the below parameter:

Grant Access to Azure AD user and B2B User to this Application

  • Sign in to the Azure Active Directory admin center with an account that’s a global admin for the directory.
  • Select Azure Active Directory and then Users and groups.
  • On the Users and groups blade, select All users, and then select New Guest user.
  • Go back to newly registered App, Assign access permission to the guest user

Assign RMS Licenses to Azure B2B users:

Connect-MsolService

$AccountSkuId = “domain:ENTERPRISEPACK”

$UsageLocation = “AU”

$Users = Import-Csv c:\temp\userlist.csv

$Users | ForEach-Object {

Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation

Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId

}

Where userlist.csv contain userprincipal name or B2B username in first column. Further references.

Azure Licenses for B2B user https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-licensing

Configure Right Management Connector

  • Download Rights Management Connector on the server where you are going to install the Connector.
  • Create a Service account in Windows Active Directory with federated UPN SVCRMS@domain.com
  • SVCRMS@domain.com is AAD Synced Account.
  • Open AD users and Computers, Add SVCRMS@domain.com as a member of domain admins group.
  • Sign into Azure Portal, Assign SVCRMS@domain.com as global admin, Azure RightsManagement global administrator
  • On the computer on which you want to install the RMS connector, run exe with Administrator privileges. When prompted for credential use SVCRMS@domain.com account and alphanumeric password.

Note: do not install RMS connector on Exchange, File and SharePoint Server.

SharePoint Specific Configuration: Reference1 and reference2

Add-PSSnapIn Microsoft.SharePoint.PowerShell

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“c:\ADFSCertificates\STSTokenSigning.cer”)

New-SPTrustedRootAuthority -Name “Token Signing Cert” -Certificate $cert

$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming

$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming

$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid” -IncomingClaimTypeDisplayName “SID” -SameAsIncoming

$realm = “urn:sharepoint:dealdocs”

$signInURL = “https://sts.dealdocs.com/adfs/ls/”

$ap = New-SPTrustedIdentityTokenIssuer -Name “ADFS” -Description “AD Federation Server” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap -SignInUrl “https://sts.dealdocs.com/adfs/ls/” -IdentifierClaim $emailClaimmap.InputClaimType

Download and run GenConnectorConfig.ps1  the below command on SP Server. This command automate changes in registry values.

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetSharePoint2013

Configure RMS Connector for SharePoint Server

  1. On the SharePoint Central Administration Web site, in the Quick Launch, click Security.
  2. On the Security page, in the Information Policy section, click Configure information rights management.
  3. On the Information Rights Management page, in the Information Rights Management section, select Use this RMS server type https://rmsconnector.domain.com).
  4. Click OK.
  5. Next step Add users to SharePoint Library

For Exchange Server, Download and run GenConnectorConfig.ps1  on Exchange Server

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetExchange2013

Run the below command in Exchange Server

Set-IRMConfiguration -InternalLicensingEnabled $true

For File Server Download and run GenConnectorConfig.ps1  on File Server

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetFCI2012

Create classification rules and file management tasks to protect documents with RMS Encryption.

Testing:

  • Download Azure Information Protection  and protect a document for B2B user
  • Upload the document into SharePoint Library
  • Request the B2B user to access from the invitation you have sent.

Office 365 Hybrid Deployment with Multiple Active Directory Forests

This article explains how you can deploy a hybrid Office 365 and Exchange on-premises environment with multiple Active Directory Forest. An organisation that utilizes an account forest and a resource forest to separate Active Directory accounts and Exchange servers in a single forest, aren’t considered as multiple AD Forest. Let’s say Company A (DomainA.com) bought Company B (DomainB.com). Company A has an Office 365 tenant with default domain domainA.onmicrosoft.com. Now Company A wishes to migrate Company B mailboxes into the Office 365 tenant but maintains the hybrid environment.

Here is the infrastructure you should consider.

AD Forest 1 AD Forest 2
On-prem Forest Corp.DomainA.com Corp.DomainB.com
Email Domain or Externally Routable NameSpace DomainA.com DomainB.com
Externally Routable Autodiscover CNAME Autodiscover.DomainA.com Autodiscover.DomainB.com
Default Domain in Office 365 Tenant domainA.onmicrosoft.com domainA.onmicrosoft.com
On-Prem Exchange Server Version Exchange 2013 SP1 or later Exchange 2013 SP1 or later
On-prem Certificate Issued by Public CA

CN= mail.DomainA.com

SAN=Autodiscover.DomainA.com

Issued by Public CA

CN= mail.DomainB.com

SAN=Autodiscover.DomainB.com

To configure a hybrid environment for a multi-forest organization, you’ll need to complete the basic steps below:

  1. Create Two-Way Trust Relationship between on-premises Corp.DomainA.com and On-premises Corp.DomainB.com if Trust relationship is not already established.
  2. Make sure you have correct public certificates for both Exchange Organisation.
  3. Build AAD Connect Server in Corp.DomainA.com Domain. AD Synchronisation occurs Corp.DomainA.com domain. you do not need to add another AAD Connect server in domainB.com domain. Run custom AAD Connect wizard and use domain filter and select both domains to sync to Azure AD.
  4. Build ADFS Farm in Corp.DomainA.com Domain. You use either AD FS or password sync to allow for a seamless user authentication experience for both domains.
  5. Add domain and verify both domains in Office 365 tenant. Setup both domain in Office tenant as an Internal Relay Domain
  6. Run Hybrid Configuration wizard in both Forest. Select both domains whilst running HCW.  For Centralized MailFlow Configuration of both domains, you must retain your existing MX record. Add EOP in your SPF record for the both domains. If you do not wish to configure Centralized MailFlow then point MX record to the EOP record of Exchange Online.

AAD Connect Recommendations:

  • Separate Topology – This topology might be the situation after a merger/acquisition or in an organization where each business unit operates independently. These forests are in the same organization in Azure AD and appear with a unified GAL.

In AAD Connect Wizard Select “Users are only once across all forests” and Mail Attribute.

  • Full Mesh- A full mesh topology allows users and resources to be located in any forest. Commonly, there are two-way trusts between the forests.

In AAD Connect Wizard Select “Users identities exist across multiple forests” and Mail Attribute.

Hybrid with Multiple Forest  Recomendations:

  • Having a single tenant in Azure AD for an organization
  • Having a single ADD connect server for an organisation
  • Having a unique Active Directory object for an organisation. Each unique object is synced into the Azure AD for once only.
  • Having a single on-prem namespace (UPN: domainA.com, domainB.com) to match the registered domain in Azure AD.
  • Having a single namespace associated with an user or an object
  • Having all email domains registered in a single tenant
  • Having a single AAD Connect and ADFS Farm in a same forest if “Federation with ADFS” is selected in AAD Connect custom installation Wizard

Relevant Article:

Office 365 Hybrid Deployment with Exchange 2016 Step by Step