Connecting ADFS and Azure Active Directory via the custom SAML connection

Rory Braybrook
The new control plane
3 min read · Nov 26, 2017

The classic way to do this is via a federated tenant using AAD Connect.

That is the typical setup if you have Office 365 and want people to authenticate against the on-premises AD domain via ADFS: ADFS is the IdP and Azure AD is the relying party.

But what if you just want federation, pure and simple?

Here the roles are reversed. Azure AD (AAD) is the IdP and ADFS is the SP, so Azure AD appears in ADFS as a claims provider trust, and ADFS appears in Azure AD as an enterprise application.

There are a number of ways to do this.

You can add external applications to Azure AD from the gallery. If the application is not in the gallery, and you have Azure AD Premium, you can add it as a custom (non-gallery) application that uses SAML.

In Azure AD:

Select the “SAML-based” sign-on flow.

Then set the two values below (the original shows them circled in red in a screenshot; the remaining fields can stay at their defaults).

The “Identifier” (the entity ID) is the ADFS federation service identifier. By default this uses an http scheme even though the service is only reachable over https, and it must match the identifier ADFS is configured with exactly, because Azure AD puts it in the assertion's audience restriction and ADFS checks it:

http://your-adfs/adfs/services/trust

and the “Reply URL” (the assertion consumer service URL) is the ADFS SAML endpoint:

https://your-adfs/adfs/ls/

Then “Save” out.

For the ADFS side, use the federation metadata under the “Metadata XML” link on the same page. Download the file and save it.

The ADFS setup is the same as in my previous article. Basically, create a new claims provider trust (CP), import the data from the saved metadata file, and add three pass-through claim rules.

Then test from an application that relies on this ADFS. Select the new CP on the Home Realm Discovery screen and authenticate with your Azure AD credentials.

Here’s the interesting thing. If you add the CP via the metadata (which includes the signing certificate), ADFS throws an error when you try to connect:

MSIS3007: No valid certificate for issuer name ‘https://sts.windows.net/00…69/' was found in the configuration database.

I got round this by downloading the certificate only from the above link “Certificate (Base 64)”. This is a .cer file. Then I manually imported it into the CP.

That fixed the issue.
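The whole ADFS side of the procedure above, scripted with the ADFS PowerShell module, as an added example that is not from the original post. The host name, file paths and trust name are assumptions, and so is the set of three pass-through rules (the post does not say which three it used; Name ID, name and e-mail address are assumed here). It also applies the certificate work-around for MSIS3007 and checks that the trust ended up carrying the thumbprint Azure AD signs with.

```powershell
# Added example (not from the original post): register Azure AD as a claims
# provider trust in ADFS. Assumed values: trust name, file paths, and the
# three pass-through rules.
Import-Module ADFS

$trustName    = 'Azure AD'
$metadataFile = 'C:\temp\AzureAD-metadata.xml'   # the "Metadata XML" download
$certFile     = 'C:\temp\AzureAD-signing.cer'    # the "Certificate (Base 64)" download

# The "Identifier" entered in the Azure AD app must equal this value exactly.
# The default scheme is http even though the endpoint is https; Azure AD puts
# it in the assertion's AudienceRestriction and ADFS checks it.
$props = Get-AdfsProperties
Write-Host "Identifier to enter in Azure AD : $($props.Identifier)"
Write-Host "Reply URL to enter in Azure AD  : https://$($props.HostName)/adfs/ls/"

# Three pass-through rules (assumed set): Name ID, name, and e-mail address.
$rules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through e-mail address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@

# Create the claims provider trust from the downloaded metadata.
Add-AdfsClaimsProviderTrust -Name $trustName -MetadataFile $metadataFile `
    -AcceptanceTransformRules $rules

# Work-around from the post for MSIS3007: replace the trust's token-signing
# certificate with the one downloaded from the Azure AD app page.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
Set-AdfsClaimsProviderTrust -TargetName $trustName -TokenSigningCertificate $cert

# Check: the trust must now carry exactly the certificate Azure AD signs with,
# and its identifier must match the Issuer that MSIS3007 complained about.
$trust = Get-AdfsClaimsProviderTrust -Name $trustName
$trust.TokenSigningCertificates | Select-Object Subject, NotAfter, Thumbprint
if ($trust.TokenSigningCertificates.Thumbprint -notcontains $cert.Thumbprint) {
    throw "Signing certificate was not applied to claims provider trust '$trustName'"
}
Write-Host "Trust identifier (must equal the SAML Issuer): $($trust.Identifier)"
```

Because the signing certificate is pinned by hand rather than refreshed from a metadata URL, you own its rollover: when the certificate on the Azure AD application changes, re-run the Set-AdfsClaimsProviderTrust step with the new .cer file, or sign-ins will fail again with the same error. On ADFS 2016 and later the IdP-initiated sign-on page mentioned in the aside below is disabled by default; `Set-AdfsProperties -EnableIdpInitiatedSignonPage $true` turns it on.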

You can augment the basic claim set as per this.

So now you have basic federation without AAD Connect, Office 365, or a federated tenant.

Aside:

Just out of interest, I added the SAML custom application as an application in the myapps access panel.

When I click this, AAD sends a SAML response to ADFS. ADFS sees this as the IdP-initiated flow, so it displays the IdP-initiated sign-on page with the user already logged in. The user can then select a SAML application from the drop-down.

All good!
