Active Directory Federation Services (ADFS) is the federation service that Microsoft ships with Windows Server. It lets a user authenticate once and then access multiple web applications within the same session. Tencent Cloud supports federated authentication based on SAML 2.0 (Security Assertion Markup Language 2.0), an open standard used by many identity providers (IdPs). By integrating ADFS with Tencent Cloud through SAML 2.0 federated authentication, members of your enterprise or organization can log in to the Tencent Cloud console with their ADFS accounts (single sign-on) and manage Tencent Cloud resources, without a CAM sub-user having to be created for each member.
- You have a Windows Server Cloud Virtual Machine. If you need to purchase one, see the Cloud Virtual Machine-purchase Guide.
On the Server Manager dashboard, click "Add Roles and Features", keep the default settings and click "Next" until you reach the Add Roles and Features Wizard.
In the Add Roles and Features Wizard, keep the default settings and click "Next" until you reach the Server Roles page, then check "Active Directory Domain Services" and "DNS Server".
Keep the default settings, click "Next" through the remaining pages, and click "Install". When the installation succeeds, click the notification icon in the upper right corner, or stay on the installation results page.
Click "Promote this server to a domain controller" to open the Deployment Configuration page and enter the domain name. This article uses example.com as the example.
Click "Next", enter the password when prompted, then keep the default settings and click "Next" through the remaining pages.
Click "Install" and restart the server once the installation completes.
This completes the installation of AD Domain Services and the DNS service and promotes the server to a domain controller.
If you already have an SSL certificate, skip this section and go directly to the Install ADFS step.
Click the Windows icon in the lower left corner, type "mmc" in the search box and press Enter to open the Console1 - [Console Root] window.
In Console1 - [Console Root], click File > Add/Remove Snap-in, select Certificates in the pop-up window, and click Add > Finish.
Expand Certificates, right-click Personal, and click All Tasks > Advanced Operations > Create Custom Request.
Keep the default settings and click "Next" until you reach the Certificate Enrollment page, then click "Proceed without enrollment policy".
On the Custom request page, select the following:
- Template: (No template) Legacy key
- Request format: PKCS #10
Click Details > Properties, and fill in the friendly name and description on the General tab.
On the Subject tab, enter the subject value (in this example, *.example.com) and click "Add".
On the Private Key tab, select Microsoft RSA SChannel Cryptographic Provider (Encryption) and check "Make private key exportable".
Click OK > Next, choose the folder to save to, save the certificate request file, and click Finish.
Open http://localhost/certsrv and click "Request a certificate".
On the Request a Certificate page, click "advanced certificate request".
On the Advanced Certificate Request page, click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file".
Paste the contents of the certificate request file you saved into the input box, select "Web Server" as the certificate template, and click Submit.
If the request succeeds, click "Download" (both formats need to be downloaded).
As in Step 3, right-click Personal and click All Tasks > Import.
Select the certificate file saved in Step 5, keep the default settings, and click "Next" > "Finish".
As in Step 3, right-click Personal and click All Tasks > Export.
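The same wildcard certificate request as the MMC steps above, scripted with certreq so it can be repeated on a rebuilt server. This is an added example, not from the original page; it assumes the request is made on the future ADFS server, that the issuing CA is the AD CS instance behind http://localhost/certsrv, and that "CA-HOST\CA-NAME" is a placeholder for the CA configuration string.

```powershell
# Added example (not part of the original page). Builds the same PKCS #10
# request the Create Custom Request wizard produces: *.example.com, legacy
# SChannel CSP, exportable private key, then submits it with the Web Server
# template and installs the issued certificate in the machine Personal store.
$inf = @"
[NewRequest]
Subject = "CN=*.example.com"
FriendlyName = "ADFS wildcard certificate"
KeyLength = 2048
; AT_KEYEXCHANGE, required for a TLS server key
KeySpec = 1
; Digital Signature + Key Encipherment
KeyUsage = 0xA0
; same effect as "Make private key exportable" in the wizard
Exportable = TRUE
; ADFS runs as a service, so the key must live in the machine store
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
[Extensions]
; Subject Alternative Name: modern clients ignore the CN, so list the names here too
2.5.29.17 = "{text}"
_continue_ = "dns=*.example.com&"
_continue_ = "dns=example.com"
"@
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
$inf | Set-Content -Path C:\certs\adfs.inf -Encoding ascii

# 1. Create the request (Create Custom Request step).
certreq -new C:\certs\adfs.inf C:\certs\adfs.csr

# 2. Submit it to the CA with the Web Server template (certsrv step).
#    "CA-HOST\CA-NAME" is a placeholder; get the real value from: certutil -dump
certreq -submit -config "CA-HOST\CA-NAME" -attrib "CertificateTemplate:WebServer" `
    C:\certs\adfs.csr C:\certs\adfs.cer

# 3. Install the issued certificate; certreq pairs it with the pending
#    request's private key (Import step).
certreq -accept C:\certs\adfs.cer

# 4. Check the key is present before pointing ADFS at the certificate.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=*.example.com' } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
```

HasPrivateKey must be True; if it is False the certificate was imported without its key and the Export step will not produce a usable PFX.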
As in Step 2 of Install AD Domain Services and DNS Services, go to the Server Roles page and check Active Directory Federation Services.
On the Specify Service Account page, enter the account name and password. Keep the default settings and click "Next" through the remaining pages.
Download the XML file from the following link.
Log in with the account name and password entered in Step 4.
On the Server Manager > ADFS page, click Tools in the upper right corner.
Download the Tencent Cloud identity provider (IdP) XML file from the following link.
12. Import the Tencent Cloud identity provider (IdP) file.
13. Keep the default settings and click "Next" > "Finish".
14. Click Relying Party Trusts > Add Rule > Edit Claim Issuance Policy.
15. On the Select Rule Template page, choose the rule type and click "Next".
This step configures the trust relationship so that ADFS and Tencent Cloud trust each other.
Create a SAML identity provider (IdP) in Tencent Cloud. For more information, see Create an identity provider.
For the metadata document, download the provider's XML file from the link below.
In this step, assign Tencent Cloud SSO access permission to the ADFS user by assigning user access permissions.
For more information, see Create roles for identity provider (IdP).
For the identity provider (IdP), select the identity provider created in the Create an identity provider in Tencent Cloud step.
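The Install ADFS and trust configuration steps above, scripted with the ADFS PowerShell module. This is an added example, not from the original page or from Tencent Cloud; it assumes the wildcard certificate is already in the machine store, that the service account and file paths are placeholders, that the Tencent Cloud metadata XML was saved as C:\saml\tencentcloud.xml, and that the claim rules shown are generic placeholders (the attribute names Tencent Cloud expects come from its own documentation).

```powershell
# Added example (not part of the original page). Installs the ADFS role,
# creates the farm on the wildcard certificate, imports the Tencent Cloud
# metadata as a relying party trust, and sets a claim issuance policy.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -eq 'CN=*.example.com' }).Thumbprint
# Specify Service Account step: prompt instead of embedding a password in the script.
$svc = Get-Credential -Message 'ADFS service account (DOMAIN\user)'

Install-AdfsFarm -CertificateThumbprint $thumb `
                 -FederationServiceName 'adfs.example.com' `
                 -ServiceAccountCredential $svc

# Import the downloaded metadata file (steps 12-13 above).
Add-AdfsRelyingPartyTrust -Name 'Tencent Cloud' -MetadataFile 'C:\saml\tencentcloud.xml'

# Placeholder transform rule: pass the Windows account name as the SAML NameID.
$transform = @'
@RuleName = "Windows account name to NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);
'@
# Authorization rule: only members of one AD group may use this trust, so a
# domain account does not get cloud access just by existing. PLACEHOLDER-GROUP-SID
# is a placeholder; get the SID with: (Get-ADGroup 'TencentCloudSSO').SID
$authz = @'
@RuleName = "Permit only the Tencent Cloud SSO group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "PLACEHOLDER-GROUP-SID"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName 'Tencent Cloud' `
                          -IssuanceTransformRules $transform `
                          -IssuanceAuthorizationRules $authz

# Verify the trust and confirm the SAML endpoint came from the imported metadata.
Get-AdfsRelyingPartyTrust -Name 'Tencent Cloud' |
    Format-List Name, Identifier, SamlEndpoints, Enabled
```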