Introduction
Active Directory Federation Services (AD FS) on Windows Server 2016 enables SAML 2.0-based Single Sign-On, allowing users to authenticate once against on-premises Active Directory and access cloud and partner applications without re-entering credentials. This guide covers configuring AD FS for SAML-based SSO integration.
Installing AD FS
Install the AD FS role and create a service communication certificate. A self-signed certificate is only suitable for a lab: browsers, the Web Application Proxy and relying parties will not trust it. In production, use a certificate issued by a CA that the clients trust, with the federation service name (here adfs.contoso.com) in the subject or Subject Alternative Name. Note that this certificate is distinct from the token-signing and token-decrypting certificates, which Install-AdfsFarm generates automatically:
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
# Create a certificate for the AD FS service name (lab use only; see above)
$cert = New-SelfSignedCertificate -DnsName 'adfs.contoso.com' `
    -CertStoreLocation Cert:\LocalMachine\My `
    -KeyUsage DigitalSignature,KeyEncipherment
Write-Host "Cert Thumbprint: $($cert.Thumbprint)"
Configuring the AD FS Farm
Initialise the first AD FS server in a new federation farm. The service account should be a dedicated, least-privileged domain account (or a group managed service account, in which case use -GroupManagedServiceAccountIdentifier instead of -ServiceAccountCredential). -OverwriteConfiguration discards any existing AD FS configuration on this server, so only use it on a fresh install:
# Pick the service certificate created above (newest matching certificate if several exist)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*adfs.contoso.com*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceDisplayName 'Contoso Corporate SSO' `
    -FederationServiceName 'adfs.contoso.com' `
    -ServiceAccountCredential (Get-Credential 'CONTOSO\adfs-svc') `
    -OverwriteConfiguration
Adding a Relying Party Trust
Register a SAML application (relying party) with AD FS. Importing from the application's federation metadata URL populates the trust's identifier, Assertion Consumer Service endpoints and request-signing certificate, and -AutoUpdateEnabled makes AD FS re-fetch that metadata periodically. Because the metadata decides where AD FS will send signed assertions, the URL must be an HTTPS endpoint on the application's own host, and the imported endpoints should be reviewed after creation:
# Add relying party from federation metadata URL
Add-AdfsRelyingPartyTrust `
-Name 'MyCloudApp' `
-MetadataUrl 'https://myapp.example.com/saml/metadata' `
-AutoUpdateEnabled $true `
-Enabled $true
# Verify the trust was created
Get-AdfsRelyingPartyTrust -Name 'MyCloudApp' | Select-Object Name,Identifier,Enabled
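The following is an added example, not code from the original guide: it reviews what the metadata import actually configured on the MyCloudApp trust, tightens the SAML signing settings, and restricts token issuance to one AD group. The application host myapp.example.com comes from the metadata URL above; the group name CONTOSO\MyCloudApp-Users is an assumption for illustration.

```powershell
# Added example (not part of the original guide). Assumes the 'MyCloudApp' trust
# from above exists and that an AD group CONTOSO\MyCloudApp-Users (assumed name) exists.
Import-Module ADFS

$rpName = 'MyCloudApp'
$expectedHost = 'myapp.example.com'   # host of the metadata URL used above
$rp = Get-AdfsRelyingPartyTrust -Name $rpName

# 1. Review what the metadata import configured. Every AssertionConsumerService
#    endpoint listed here is a place AD FS will POST signed assertions to.
$rp.SamlEndpoints |
    Select-Object Index, Protocol, Binding, Location, IsDefault |
    Format-Table -AutoSize
$rp.RequestSigningCertificate |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize

# Flag any endpoint that is not HTTPS or not on the application's own host.
$bad = $rp.SamlEndpoints | Where-Object {
    $_.Location.Scheme -ne 'https' -or $_.Location.Host -ne $expectedHost
}
if ($bad) {
    Write-Warning "Unexpected SAML endpoints imported from metadata:"
    $bad | ForEach-Object { Write-Warning "  $($_.Protocol) -> $($_.Location)" }
}

# 2. Signing. Sign both the SAML Response and the Assertion, and require the
#    application to sign its AuthnRequests. Only set SignedSamlRequestsRequired
#    if the application actually signs requests; otherwise logins will fail.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -SamlResponseSignature 'MessageAndAssertion' `
    -SignedSamlRequestsRequired $true

# 3. Authorization. A trust created from PowerShell has no issuance authorization
#    rules, and AD FS denies issuance when no rule permits, so grant access
#    explicitly and only to the group that should use the application. Match the
#    group by SID (stable) rather than by display name.
$account  = [System.Security.Principal.NTAccount]'CONTOSO\MyCloudApp-Users'
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$authzRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit MyCloudApp-Users only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$groupSid$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# Confirm the resulting settings
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, SamlResponseSignature, SignedSamlRequestsRequired, IssuanceAuthorizationRules
```

If the trust was instead created through the AD FS 2016 management console, it will usually carry an access control policy; Set-AdfsRelyingPartyTrust rejects -IssuanceAuthorizationRules while a policy is assigned, and the equivalent restriction is the built-in "Permit specific group" policy.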
Configuring SAML Claim Rules
Issue user attributes as SAML claims to the relying party application:
# Write claim rules to a file
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Extract AD Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory",
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"),
query = ";mail,givenName;{0}", param = c.Value);
"@
$rules | Set-Content C:\ADFSRules.txt
# Note: this replaces the trust's entire issuance transform rule set with the file's contents
Set-AdfsRelyingPartyTrust -TargetName 'MyCloudApp' -IssuanceTransformRulesFile C:\ADFSRules.txt
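Most SAML applications also expect a NameID in the assertion, which the LDAP rule above does not produce. The block below is an added example, not part of the original guide: it appends a transform rule that issues the e-mail address claim as the SAML NameID, without discarding the rules already on the trust (Set-AdfsRelyingPartyTrust -IssuanceTransformRules replaces the whole set). It assumes the MyCloudApp trust and the "Extract AD Attributes" rule from above are in place.

```powershell
# Added example (not part of the original guide). Assumes the 'MyCloudApp' trust
# already carries the "Extract AD Attributes" LDAP rule shown above.
Import-Module ADFS

$rpName = 'MyCloudApp'

# -IssuanceTransformRules replaces the full rule set, so read the current rules
# first and append to them rather than overwriting.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules

# Transform rule: take the e-mail claim issued by the LDAP rule and re-issue it as the
# SAML NameID with the emailAddress format. Single-quoted here-string: nothing expands.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email address as SAML NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

if ($existing -match 'claims/nameidentifier') {
    Write-Host "A NameID rule already exists on $rpName; not adding another."
} else {
    $combined = $existing + "`n" + $nameIdRule
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $combined
}

# Review the final rule set. Everything issued here lands in the assertion the
# application receives, so keep it to the attributes the application needs.
# Avoid the catch-all "Pass through all claims" rule, c:[] => issue(claim = c);
# which would hand the application group SIDs and other internal identifiers.
$final = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$final
if ($final -match 'c:\[\]\s*=>\s*issue\(claim = c\)') {
    Write-Warning "Trust $rpName contains a pass-through-all-claims rule; scope it down."
}
```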
Testing the Federation Endpoint
Verify AD FS is operational and the federation metadata is accessible:
# Test metadata endpoint
# The metadata document is served anonymously, so no credentials are needed
Invoke-WebRequest -Uri 'https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml' `
    -UseBasicParsing | Select-Object StatusCode
# Check AD FS service properties
Get-AdfsProperties | Select-Object HostName,HttpsPort,TlsClientPort
# Review event logs for errors and warnings. 'AD FS/Admin' is an event channel,
# not a classic log, so Get-WinEvent is required (Get-EventLog cannot open it).
# Level 2 = Error, 3 = Warning.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2,3 } -MaxEvents 20
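Relying parties trust whatever token-signing certificate the metadata advertises, so a useful operational check is to compare the published signing certificates with the ones AD FS is configured to use, and to confirm that certificate rollover is under control before a signing certificate expires. The block below is an added example, not code from the original guide; it assumes the farm name adfs.contoso.com from above and runs on a federation server with the ADFS module.

```powershell
# Added example (not part of the original guide). Assumes the federation service
# adfs.contoso.com configured above and runs on a federation server.
Import-Module ADFS

$metadataUrl = 'https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml'

# Fetch and parse the metadata (served anonymously)
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$md = $resp.Content

# Signing certificates the metadata advertises; these are what relying parties will
# trust when they validate assertion signatures.
$published = @(
    $md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
        Where-Object { $_.use -eq 'signing' } |
        ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate))
        }
)

# Signing certificates AD FS is actually configured with (Primary, plus any Secondary
# staged for rollover)
$configured = @(Get-AdfsCertificate -CertificateType Token-Signing)

"Entity ID  : $($md.EntityDescriptor.entityID)"
"Published  : $($published.Thumbprint -join ', ')"
"Configured : $($configured.Certificate.Thumbprint -join ', ')"

# A published signing certificate that AD FS is not configured with means relying
# parties would accept assertions signed by a key this farm does not use: investigate.
$unexpected = $published | Where-Object {
    $_.Thumbprint -notin $configured.Certificate.Thumbprint
}
foreach ($c in $unexpected) {
    Write-Warning "Published signing cert not in AD FS config: $($c.Thumbprint) ($($c.Subject))"
}

# Expiry and rollover settings. A signing certificate expiring with rollover
# disabled breaks every federated application at once.
$published | Select-Object Subject, Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateRolloverInterval,
    CertificateGenerationThreshold, CertificatePromotionThreshold
```

Run this after any certificate change and periodically from monitoring; the thumbprints it prints should match what each relying party has on file, and a new Secondary certificate should appear in the metadata before it is promoted to Primary so that applications can pick it up.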
Summary
AD FS on Windows Server 2016 provides enterprise-grade SAML 2.0 SSO. Once configured, users authenticate once against Active Directory and gain access to every cloud or partner application registered as a relying party, subject to the trust's authorization rules. Combined with carefully scoped claim rules, reviewed trust endpoints and ongoing monitoring of the service and its signing certificates, AD FS forms the identity federation backbone for hybrid and multi-cloud environments.