enabling adfs in a server which is already joined a domain - adfs

I am trying to setup a ADFS4.0 server for exploration on OIDC with ADFS.
Is it possible to add adfs role to a server which is already joined to an existing domain?

I would say, it is mandatory to have your AD FS server joined to an existing domain, you would not be able to install it otherwise.
You can see all the requirements here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-requirements#BKMK_4
There is Domain Requirements section which states:
All AD FS servers must be a joined to an AD DS domain.
All AD FS servers within a farm must be deployed in a single domain.
The domain that the AD FS servers are joined to must trust every user
account domain that contains users authenticating to the AD FS
service.

Related

2 different URLs to access the same Alfresco instance with Kerberos SSO

Using Alfresco Community - 7.1.0, running on a Docker Swarm cluster with Portainer.
I have managed to set up an instance of Alfresco with SSO using Kerberos with an Active Directory server as KDC (with AD users synched through LDAP). All I did was follow the instructions in the Alfresco documentation, so I don't know enough about Kerberos to understand how and why it works.
Right now Alfresco is accessed through a single URL which has the same domain as the AD server (which is also the domain controller). For annoying reasons that I won't go into right now, I need to make this Alfresco accessible through 2 separate external URLs, both of which have
different domains from the AD server.
Do I need to have more than 1 Kerberos realm, or is there a 1 to 1 association between realms and KDCs?
Do I need to map from the internet domain names to the Kerberos realm?
For some reason I'm having a hard time getting my head around this Kerberos stuff...
Alfresco expects only one REALM.
You need to create for every expected url a separate SPN and put all of them into the one keytab for Alfresco.
At least Windows needs to be configured to trust the other domains for SSO/kerberos authentication by putting them into the intranet zone.

Enabling access policy in ADFS 4.0 for OpenID Connect clients

AD FS supports OpenID Connect protocol for authenticating users. AD FS supports access policies for WebAPI applications, but not for server applications, at least not that I could find.
Is it possible to define access policy for a server application? The business scenario is really simple: only allow users from a defined group to authenticate given a specific client id.
If an enterprise deploys AD FS with AD DS and deploys several applications (each one registered separately, thus getting a unique client id and client secret), this could be used to allow/disallow users from authenticating to the ADFS for a given (registered) client (relying party).
It appears that this is possible by defining two applications in the same application group:
The server application, which has a client secret in addition to client id
The WebAPI application, for which you can define an access policy.
In order to make this work, you need to assign the relying party identifier (the client id of the server application) to the WebAPI identifiers and ensure that the "Client permissions" of the WebAPI application contain the server application.
If the access policy is not evaluated successfully, the relying party (the application requesting authentication) will receive an access_denied message.
Application group:
Server application:
WebAPI application:

Authenticate two applications using Azure Active Directory

I have a Symfony3 application which is to have a single sign-on relationship with a third party application.
However, the developer of the 3rd party application have rigorous security requirements and have compelled us to use Azure AD for authentication as opposed to out application.
I have configured Azure AD as the IDP and my Application as SP. My question is, how would I be able to have both applications authenticate once through Azure AD because they have difference sign-on urls and subsequent redirect pages.
What Azure AD allows is single sign-on. So when a user signs in, they get an active session with Azure AD.
This then means that when you redirect the user to sign in from your app, they will be automatically signed in if they have an active session.
In your case since the app is multi-tenant, the user will be automatically redirected back to your app without needing to login again if they already signed in earlier. Though if they are logged in to multiple accounts at once, Azure AD will require them to choose which account they want to use.

AD FS 3.0 and Users Stored in a Database

Our legacy applications store user account information in a database. I can't seem to find clear information as to whether AD FS 3.0 supports authentication against both Active Directory as well as SQL Server.
To be clear about my question:
How can AD FS 3.0 be used to provide federated authentication for users stored in both SQL Server (if at all) as well as Active Directory?
TIA
In short, it can't.
ADFS 3.0 and below can only authenticate against AD. It can, however, use a SQL Server DB for authorization i.e. it can query the DB for attributes that it uses to build up claims.
Have a look at Identity Server which authenticates against SQL Server. You can federate this with ADFS.
ADFS 4.0 (Server 2016) will be able to do this i.e. AD / LDAP for authentication.

AD LDS automatic sign

we have asp.net web application and we need to support "automatic login" using domain credential (windows principal) if users visit the website via intranet or we will prompt user to enter domain credential if visited through external network via HTTPS.
Problem is that this web server (windows server 2008) is a workgroup machine and it's in DMZ. I've been told to research on AD LDS + AD FS to make this happen within limited time, whether or not it is possible to support both domain credential SSO (both internal & external) and automatic sign-in for intranet domain users.
As I read related documentations and discussions in the forums, I understand that SSO is possible with this setup, however I cannot be certain and unable to find related materials mentioning about "automatic signing" intranet domain users with this environment.
Can anyone please advice if it is possible or if there are alternative approaches.
The main thing is that we want to avoid joining that existing web server to the domain.
Many thanks
ADFS will get you what you want. You'll need to modify the app to support claims (look up WIF - Windows Identity Framework). ADFS would be installed in your domain environment and then you'd configure the ASP.Net app as a relying party application in ADFS.
I don't think AD LDS will be of any use to you here.

Resources