Tencent Cloud Guide to ADFS Single Sign-On

Last updated: 2020-03-26 13:34:31


Scenario

Active Directory Federation Services (ADFS) is a Windows Server component from Microsoft that provides federated identity and single sign-on for web applications. Tencent Cloud supports federated authentication based on SAML 2.0 (Security Assertion Markup Language 2.0), an open standard used by many identity providers (IdPs). By integrating ADFS with Tencent Cloud through SAML 2.0 federated authentication, members of your enterprise or organization can log in to the Tencent Cloud console with their ADFS accounts (single sign-on) and manage Tencent Cloud resources, without a CAM sub-user having to be created for each of them.

Prerequisites

  • You have opened the Server Manager Dashboard page.
  • You have a domain name that has completed identity verification.

Directions

Install AD Domain Services and DNS Services

  1. On the Server Manager dashboard, click Add roles and features, keep the default settings, and click Next until you reach the Add Roles and Features Wizard page.

  2. In the Add Roles and Features Wizard, keep the default settings and click Next until you reach the Server Roles page. Check Active Directory Domain Services and DNS Server.

  3. Keep the default settings, click Next until the end, and click Install. When the installation succeeds, click the notification in the upper right corner, or stay on the installation results page.

  4. Click Promote this server to a domain controller to open the Deployment Configuration page, and enter the domain name. This article uses example.com as the example.

  5. Click Next, enter the password when prompted, keep the default settings, and click Next until the end.

  6. Click Install, and restart the server after the installation completes.

  7. AD Domain Services and DNS Services are now installed, and the server has been promoted to a domain controller.

Install Web Server

  1. As in step 2 of Install AD Domain Services and DNS Services, go to the Server Roles page and check Web Server.
  2. Keep the default settings and click Next > Install to complete the installation of the web server.

Apply for a certificate

If you already have an SSL certificate, skip to Install ADFS.

  1. Click the Windows icon in the lower left corner, enter mmc in the search box, and press Enter to open the Console1 - [Console Root] page.

  2. On the Console1 - [Console Root] page, click File > Add/Remove Snap-in, select Certificates in the pop-up window, and click Add > Finish.

  3. Expand Certificates, right-click Personal, and click All Tasks > Advanced Operations > Create Custom Request.

  4. Keep the default settings and click Next until you reach the Certificate Enrollment page, then click Proceed without enrollment policy.

  5. On the Custom request page, select the following:

  • Template: (No template) Legacy key
  • Request format: PKCS #10

  6. Click Details > Properties, and enter a friendly name and description on the General tab.

  7. On the Subject tab, enter the subject value. This example uses *.example.com. Click Add.

  8. On the Private Key tab, check Microsoft RSA SChannel Cryptographic Provider (Encryption) and make the private key exportable.

  9. Click OK > Next, select the directory to save to, save the certificate request file, and click Finish.

Install AD CS (Active Directory Certificate Services)

  1. As in step 2 of Install AD Domain Services and DNS Services, check Active Directory Certificate Services on the Server Roles page.
  2. Keep the default settings, click Next until you reach the Role Services page, and check Certification Authority and Certification Authority Web Enrollment.
  3. Click Install. When the installation succeeds, click the notification in the upper right corner, then click Configure Active Directory Certificate Services on the destination server.
  4. Keep the default settings, click Next until you reach the Role Services page, and check Certification Authority and Certification Authority Web Enrollment.
  5. Keep the default settings, click Next until the end, and click Configure to complete the installation of AD CS.

Generate the SSL certificate

  1. Open http://localhost/certsrv and click Request a certificate.

  2. On the Request a Certificate page, click advanced certificate request.

  3. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

  4. Copy the contents of the certificate request file saved in Apply for a certificate into the input box, select Web Server as the certificate template, and click Submit.

  5. If the request succeeds, click Download (download both formats).

  6. As in step 3 of Apply for a certificate, right-click Personal and click All Tasks > Import.

  7. Select the certificate file downloaded in step 5, keep the default settings, click Next until the end, and click Finish.

  8. As in step 3 of Apply for a certificate, right-click Personal and click All Tasks > Export.

  9. In the Certificate Export Wizard, select Yes, export the private key, check Group or user names (recommended), click Next until the end, and finish exporting and saving the file.

Install ADFS

  1. As in step 2 of Install AD Domain Services and DNS Services, go to the Server Roles page and check Active Directory Federation Services.

  2. Keep the default settings, click Next until the end, then click Finish. On the results page, click Configure the federation service on this server.

  3. Keep the default settings and click Next until you reach the Specify Service Properties page, then enter the following:

     SSL Certificate: import the certificate file saved in step 9 of Generate the SSL certificate.
     Federation Service Name: must match the information shown in the upper right corner.
     Federation Service Display Name: the name users see when logging in.

  4. On the Specify Service Account page, enter the account name and password. Keep the default settings and click Next until the end.

  5. Download the ADFS federation metadata XML file from the following link:

https://domain/federationmetadata/2007-06/federationmetadata.xml

  6. In PowerShell, run Set-AdfsProperties -EnableIdpInitiatedSignonPage $True, then open the following address to log in:

https://domain/adfs/ls/idpinitiatedSignOn.htm

  7. Log in with the account name and password entered in step 4.

  8. In the upper right corner of the Server Manager - ADFS page, click Tools.

  9. Select AD FS Management and click Add Relying Party Trust.

  10. On the Add Relying Party Trust Wizard page, select Claims aware and click Start.

  11. Download the Tencent Cloud metadata XML file from the following link:

https://cloud.tencent.com/saml.xml

  12. Import the Tencent Cloud XML file.

  13. Keep the default settings, click Next until the end, then click Finish.

  14. Click the relying party trust > Add Rule > Edit Claim Issuance Policy.

  15. On the Select Rule Template page, click Select Rule Type > Next. The claim value for the Tencent Cloud role takes the following form, where AccountID is your Tencent Cloud account ID, RoleName is the role name, and ProviderName is the identity provider name:

```
qcs::cam::uin/{AccountID}:roleName/{RoleName},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName}
```
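The relying party trust and claim rules from steps 9 to 15, together with a check of the metadata from step 5, done with the ADFS PowerShell module instead of the wizard; this is an added example, not code from the Tencent Cloud guide. It assumes the ADFS role is already configured, that the claim type URI https://cloud.tencent.com/SAML/Attributes/Role is the one Tencent Cloud expects (confirm it in the console), and that AccountID, RoleName, ProviderName and the federation service host are placeholders you replace.

```powershell
Import-Module ADFS

$AccountID    = '<AccountID>'       # Tencent Cloud account ID (placeholder)
$RoleName     = '<RoleName>'        # CAM role created for the IdP (placeholder)
$ProviderName = '<ProviderName>'    # CAM identity provider name (placeholder)
$FsHost       = 'adfs.example.com'  # federation service name from step 3 (placeholder)

# Step 15 claim value. Braces stop PowerShell reading "$AccountID:" as a drive-qualified variable.
$RoleValue = "qcs::cam::uin/${AccountID}:roleName/${RoleName},qcs::cam::uin/${AccountID}:saml-provider/${ProviderName}"

# Issuance transform rules in claim-rule language: a persistent NameID and the role attribute.
# The Role claim type URI below is assumed, not taken from the guide.
$TransformRules = @"
@RuleName = "NameID from Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

@RuleName = "Tencent Cloud role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "https://cloud.tencent.com/SAML/Attributes/Role", Value = "$RoleValue");
"@

# Authorization rule: permit every authenticated user; restrict this to a group SID in production.
$AuthzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Steps 9 to 13: build the trust from Tencent Cloud's metadata (the step 11 URL) and attach the rules.
Add-AdfsRelyingPartyTrust -Name 'Tencent Cloud' `
    -MetadataUrl 'https://cloud.tencent.com/saml.xml' `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules

# Step 6: the IdP-initiated sign-on page is disabled by default on ADFS 2016 and later.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

# Step 5: confirm what Tencent Cloud will import: the entity ID and the token-signing certificate it must trust.
$Metadata = [xml](Invoke-WebRequest -Uri "https://$FsHost/federationmetadata/2007-06/federationmetadata.xml" -UseBasicParsing).Content
$Metadata.EntityDescriptor.entityID
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object Thumbprint, IsPrimary, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```

The thumbprint and expiry printed at the end are what to compare against the certificate Tencent Cloud shows after the metadata upload; rotate the IdP metadata in Tencent Cloud before the token-signing certificate rolls over.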

Create the identity provider (IdP) in Tencent Cloud

Use this step to establish the trust relationship between ADFS and Tencent Cloud.

Create a SAML identity provider in Tencent Cloud. For more information, see Create an identity provider.
For the metadata document, upload the ADFS provider XML file downloaded from the following link:

https://domain/federationmetadata/2007-06/federationmetadata.xml

Create a role for the identity provider (IdP)

Use this step to grant ADFS users SSO access permission to Tencent Cloud.

For more information, see Create roles for identity providers.
For the identity provider, select the one created in Create the identity provider (IdP) in Tencent Cloud.