Setup Guide for AD FS 3.0 on the Apprenda Platform

Transcription

1 Setup Guide for AD FS 3.0 on the Apprenda Platform Last Updated for Apprenda The Apprenda Platform leverages Active Directory Federation Services (AD FS) to support identity federation. AD FS and the Apprenda Platform can then be configured to authenticate against an external user store (e.g., Active Directory). In Apprenda terminology, AD FS instances that are leveraged and managed by the Apprenda Platform are called AD FS nodes. For those who may not be familiar with AD FS setup, this guide provides information on configuring AD FS nodes for use with the Apprenda Platform. Setup information is based on scenarios that have been configured and tested by the Apprenda Client Services team. Notable characteristics of AD FS 3.0: AD FS 3.0 is available as a role on Windows Server 2012 R2. Although earlier versions of AD FS offered a stand-alone federation server option, AD FS 3.0 can be installed only as a federation server farm. Note that you can set up a farm with only one server (and add servers later as needed). AD FS 3.0 configuration requires a domain administrator account. The account is required for setup only and will no longer be needed once AD FS setup is complete, but will be required again in the future if configuration changes must be made (e.g., adding a node to the farm). Unlike earlier versions of AD FS, an underlying installation of IIS is not required for AD FS 3.0. IT professionals who are familiar with AD FS setup and configuration should feel free to forego this guide and configure AD FS nodes to meet the basic Apprenda requirements outlined in the Pre-Installation Checklist while keeping in accordance with the procedures outlined by their own enterprise IT policy. Contents Apprenda AD FS Configuration Pre-requisites... 2 Configuration for an AD FS Federation Server Farm... 6 Install Apprenda with an AD FS Federation Server Farm Appendix 1: Understanding AD FS Trust Relationships... 19

2 2 APPRENDA AD FS CONFIGURATION PRE-REQUISITES The following should be performed prior to configuring AD FS and installing the Apprenda Platform. Apprenda Windows App Server Pre-requisites AD FS nodes will also act as Apprenda Windows Application Servers, as they host the Apprenda Windows Host in order to support the Apprenda Federation WCF service. As such, they must meet all the requirements for Windows Application Servers (including all hardware and software requirements for Apprenda Platform Windows Servers in general) listed in the Pre-Installation Checklist. Federation Service and Site Name Each AD FS node must run AD FS under a service name; for an AD FS farm, the service name must be the same across all AD FS nodes. The following form is suggested (where cloudurl is the root URL that will be used in one of the clouds on your Apprenda environment): identity.cloudurl. If, for instance, the cloudurl planned for one of the clouds on your Apprenda environment is apprenda.fedtest, the suggested identity service and site name would be identity.apprenda.fedtest. It should be noted that this format, which is used throughout the examples below, is a suggestion only, and the service name may be formatted according to your organization s own naming policies. DNS Setup A DNS A record entry must be set up that points the identity site name (e.g., identity.cloudurl) to the AD FS node(s). If you will use more than one AD FS node, a load balancer may be used to distribute traffic; alternately, a round-robin DNS setup will suffice. Windows Accounts Install account The account under which AD FS is configured must have domain administrator privileges on each AD FS node. A check made by the AD FS 3.0 Configuration Wizard (and related Powershell commands) requires domain administrator privileges (and prevents workarounds to this requirement that were available in earlier versions of AD FS). AD FS Service account You will need a dedicated Service Account under which the AD FS service will run on all AD FS nodes. You may use a domain user account or, if supported on your domain, a group Managed Service Account.

3 3 The account must be granted the following rights on the AD FS nodes prior to the AD FS configuration process, as the AD FS service will log on as this account: Allow Log on Locally Log on as a Service Log on as a Batch Job It is important that you (or your IT department) ensure that Group Policy settings will not disable the above permission for this account. Certificates AD FS requires a certificate for three different purposes: SSL certificate (you must provide this) Token Signing certificate (can be provided or generated through AD FS) Token Decrypting certificate (can be provided or generated through AD FS) SSL and Root Certificates You will need an SSL certificate in.pfx format where the CN matches the federation service/site name (e.g., identity.cloudurl) or the CN is a wildcard for the cloudurl of the environment (e.g., *.cloudurl). Unless it is already installed on the AD FS nodes (as is common practice in some enterprise IT or when using certificates from a commercial provider), you will also need the root certificate used to issue the SSL certificate. Once you have obtained the certificate(s), the following must be performed on each AD FS node: Open the MMC Certificate Snap-in: Open MMC (which should be included on all Windows OS). Under File choose Add/Remove Snap-in. Select the Certificates snap-in and click Add. Select Computer account, then click Next. Select Local computer, then click Finish. Click OK to open the snap-in. Import the SSL certificate: Under Certificates (Local Computer), right-click on the Personal folder and select All Tasks > Import to open the Certificate Import Wizard. Click Next. Use the browse functionality to select the SSL certificate, then click Next. Type the password for the certificate and select Mark this key as exportable. Click Next. Choose the option to place all certificates in the Personal certificate store and click Next. Click Finish to complete the process. The certificate will now appear in the Personal > Certificates folder.

4 4 Grant the AD FS Service Account permission to manage the private keys for the SSL certificate: Right-click on the SSL certificate and select All Tasks > Manage Private Keys. Add the AD FS Service Account to the list of Group or user names. Grant the account Full control. Import the root certificate (issuer of the SSL certificate) as a Trusted Certificate Authority: Under Certificates (Local Computer), right-click on the Trusted Root Certification Authorities folder and select All Tasks > Import to open the Certificate Import Wizard. Click Next. Use the browse functionality to select the root certificate, then click Next. Choose the option to place all certificates in the Trusted Root Certification Authorities certificate store and click Next. Click Finish to complete the process. The certificate will now appear in the Trusted Root Certification Authorities > Certificates folder. Token Signing Certificate and Token Decrypting Certificate For the Token Signing and Token Decrypting certificates, you may provide certificates (recommended) or you may enable the Automatic Certificate Rollover Feature in AD FS, which will create and manage selfsigned certificates. When this feature is enabled, managed certificates hit their expiration date, AD FS will create new self-signed certificates and replace them. You may specify certificates when configuring the AD FS service. Depending on your organizational needs, you may choose to use a separate certificate for each certificate type, or you may choose to simply use the AD FS SSL certificate for the Token Signing and Token Decrypting certificates. We recommend using the certificate that will be used as the Apprenda Platform Signing certificate as the AD FS Token Signing certificate. This certificate may also be used for the Token Decrypting certificate. In all cases, be mindful of any expiration dates on the certificates, as expired certificates that are not managed by AD FS must be replaced. Please Note: The AD FS configuration process will set up a Token Signing certificate as per your specification (either one that you specify or one that is managed by AD FS). After the Apprenda installation completes, however, this certificate will be marked as the Secondary Token Signing certificate, and the Apprenda installer will configure AD FS to use the Apprenda Platform Signing certificate as the Primary Token Signing certificate in AD FS. This is necessary in order for the Apprenda Platform to locate (and therefore control) the certificate that will be used for AD FS Token Signing so that Apprenda workloads can properly validate the source of the claims they receive. Importing Additional Certificates If Automatic Certificate Rollover is disabled and certificates other than the AD FS SSL certificate will be used, they should be imported into the Personal Certificate Store as per the procedures outlined in the Import the SSL Certificate step above.

5 5 You should also follow the steps outlined in the Grant the AD FS Service Account permission to manage the private keys for the SSL certificate section above for each additional certificate. Locating Certificate Thumbprints Some of the installation steps below require the thumbprint for a certificate. The thumbprint of a certificate can be located as follows: In the MMC Certificate Snap-in, open the Personal > Certificates folder. Right-click on the certificate and select Open. The thumbprint for the certificate is listed on the Details tab. Click on the thumbprint row to view the thumbprint in the lower window (where you can copy it). Should you prefer, you may also locate the thumbprint for certificates by running the following command in Powershell on a machine where the certificates are installed: dir Cert:\LocalMachine\My SQL Server or Windows Internal Database AD FS offers the option to use either SQL Server or Windows Internal Database to store configuration data. Because Apprenda manages the AD FS nodes and related configuration data, the type of database selected should adhere to the following: For lab environments where a single AD FS node will be used and where upgrading to a different version of AD FS will not be a concern, Windows Internal Database, which is included with the AD FS installation, may be safely used. If WID is selected for the AD FS database, it will be set up automatically at AD FS configuration. For AD FS farms that include more than one AD FS node, Apprenda requires that SQL Server be used for the AD FS database; otherwise, Apprenda will be unable to properly manage all AD FS nodes in the farm. The SQL Server instance must be configured prior to AD FS configuration. For all other AD FS setups, Apprenda recommends that SQL Server be used for the AD FS database, as SQL Server offers HA and scalability when a failover cluster is used. It also allows for future addition/removal of AD FS nodes by removing ties to a Windows Internal Database instance on a given AD FS node. The SQL Server instance must be configured prior to AD FS configuration. SQL Server Versions As per Microsoft s documentation, the following versions of SQL Server can be used with AD FS 3.0: SQL Server 2008 R2 SQL Server 2012 SQL Server 2014

6 6 SQL Server Configuration and Account Permissions The SQL Server instance must be configured prior to AD FS configuration (preferably as a failover cluster if HA and/or scale is a concern). The following account permissions are required to use SQL Server as the backing database for AD FS: The account used to install AD FS must have permissions to create the necessary AD FS configuration databases and grant permissions to the AD FS service account. This can be achieved by granting the SQL Server sysadmin role to the install account during AD FS installation. The AD FS Service Account must be given access to the SQL Server instance; at installation it will be granted permission to read the necessary AD FS configuration databases. The SQL instance must be configured to Allow Remote Connections. AD FS 3.0 Installed AD FS 3.0 is available on Windows Server 2012 R2 only. To install, simply add the Active Directory Federation Services Role through the Server Manager. Please note that all AD FS nodes within an AD FS Web farm must run the same version of AD FS. CONFIGURATION FOR AN AD FS FEDERATION SERVER FARM The instructions below outline the configuration steps for an AD FS farm using SQL Server for the AD FS Configuration database. Checklist: DNS entry or entries have been configured. A dedicated AD FS Service Account has been created; Group Policy grants this account Log on as a Service rights. Credentials for a domain administrator account that can be used to configure AD FS; this user should also have local administrator privileges on the AD FS nodes. A dedicated SQL instance for the AD FS Configuration DB has been set up. o The install user has sysadmin permissions for the duration of AD FS installation and configuration. o The AD FS Service Account has read access to the instance. All certificates you will use are installed on the machines as noted above. The thumbprint for the identity SSL certificate you will use (see the Certificates section above) is on hand. If you are not installing using an account with domain admin permissions, the thumbprints for the Token Signing and Token Decrypting certificates are also on hand.

7 7 AD FS has been installed on all AD FS nodes. Install the First Node in the Federation Farm PERFORM INITIAL AD F S CONFIGURATION STEP S The initial AD FS Configuration for the first node of a Federation farm can be performed through the AD FS GUI Wizard or via AD FS Powershell commands. Both options are described below. Initial Configuration Option 1: AD FS GUI Wizard The AD FS GUI Wizard can be used to configure the initial AD FS node. Use this option only if you want AD FS to manage the Token Signing and Decrypting Certificates. If you want to specify the Token Signing and Token Decrypting certificates, use the Powershell Option below. 1. Launch the AD FS Configuration Wizard. This can be done through the Configure the federation service on this server option under the Notifications flag in the Server Manager console: 2. Select Create the first federation server in a federation server farm and click Next. 3. If the executing user (the user account under which you logged in to the server) is not a domain administrator, provide the credentials for an account that has domain administrator privileges and then click Next.

8 8 4. Specify the AD FS Service Properties: a. Select the certificate that will be used for the identity SSL certificate. b. If the certificate CN has a wildcard prefix (i.e., *.cloudurl), adjust the Federation Service Name so that it matches the Federation Service Name for which the DNS entry was configured (e.g., identity.cloudurl). If the certificate does not have a wildcard prefix (i.e., identity.cloudurl), the Federation Service Name will update automatically to match the CN of the SSL certificate. c. Specify a friendly name for the Federation Service Display Name. d. Click Next. 5. Select User an existing domain user account or group Managed Service Account. Specify the credentials for the AD FS Service Account you will use and click Next. 6. Select Specify the location of a SQL Server database. a. In the Database Host Name field, type the name of the server that houses the SQL Server instance that you will host the AD FS configuration databases. b. If using a named instance (i.e., not the default instance), type the instance name in the Database Instance field. c. Click Next.

9 9 7. The Wizard will now summarize the options; review these options, and use the Previous buttons in the installer to make changes if anything is amiss. If you wish, you may click on the View script button in order to export a Powershell script that can be used for automating additional installations. Click Next. 8. The Wizard will now run a series of pre-requisite checks in order to validate your configuration options. Once it has passed successfully, the Configure button will become enabled. Click on the Configure button to complete the installation. 9. Proceed to the Finalize AD FS Service Configuration section below. Initial Configuration Option 2: Powershell The initial AD FS node may alternately be configured using AD FS Powershell commands. The examples below specify the Token Signing and Token Decrypting certificates. If you prefer to let AD FS manage these certificates, simply omit the SigningCertificateThumbprint and DecryptionCertificateThumbprint parameters. Please note that full documentation on AD FS Powershell cmdlets can be found at OPTION 2A: IF THE AD FS SERVICE ACCOUNT IS A DOMAIN ACCOUNT 1. Open Powershell as a user with Domain Administrator privileges. 2. If the AD FS Service Account is a domain account, run the following command, which will prompt you to enter the credentials for the AD FS Service Account user: $fscredential = Get-Credential 3. Update the following command by replacing the X placemarkers with the values specific to your AD FS setup: Install-AdfsFarm CertificateThumbprint XX -FederationServiceName XX -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source=Host\SQLInstance;Integrated Security=True" -SigningCertificateThumbprint XX -DecryptionCertificateThumbprint XX OverwriteConfiguration -FederationServiceName should be the name of the service (identity.cloudurl) $fscredential will retrieve the AD FS Service Account information stored in the previous command Host\SQLInstance corresponds to the SQL Server Host\InstanceName in which the AD FS databases will be stored. If you are using the default instance, only the host (server) name is typically needed.

10 10 NOTE: -OverwriteConfiguration will wipe and any existing AD FS database that you already have in the specified SQL Server instance. Example Install-AdfsFarm CertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed -FederationServiceName identity.apprenda.fedtest -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source=Server01\Instance01;Integrated Security=True" -SigningCertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed -DecryptionCertificateThumbprint cf2e5064c521d625c8d53536bc98aa8e08f5f2ad -OverwriteConfiguration 4. Run the updated command 5. Proceed to the Finalize AD FS Service Configuration section below. OPTION 2B: IF THE AD FS SERVICE ACCOUNT IS A GROUP MANAGED SERVICE ACCOUNT 1. Open Powershell as a user with Domain Administrator privileges. 2. Update the following command by replacing the X placemarkers with the values specific to your AD FS setup: Install-AdfsFarm CertificateThumbprint XX -FederationServiceName XX -GroupServiceAccountIdentifier DOMAIN\Account -SQLConnectionString "Data Source=Host\SQLInstance;Integrated Security=True" -SigningCertificateThumbprint XX -DecryptionCertificateThumbprint XX OverwriteConfiguration -FederationServiceName should be the name of the service (identity.cloudurl) -GroupServiceAccountIdentifier specifies AD FS Service Account Host\SQLInstance corresponds to the SQL Server Host\InstanceName in which the AD FS databases will be stored. If you are using the default instance, only the host (server) name is typically needed. NOTE: -OverwriteConfiguration will wipe and any existing AD FS database that you already have in the specified SQL Server instance. Example Install-AdfsFarm CertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed -FederationServiceName identity.apprenda.fedtest -GroupServiceAccountIdentifier CONTOSO\GroupAccount01 -SQLConnectionString "Data Source=Server01\Instance01;Integrated Security=True" -SigningCertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed -DecryptionCertificateThumbprint cf2e5064c521d625c8d53536bc98aa8e08f5f2ad -OverwriteConfiguration 3. Run the updated command. 4. Proceed to the Finalize AD FS Service Configuration section below.

11 11 FINALIZE AD FS SERVI CE CONFIGURATION FOR THE FIRST NODE 1. Open the AD FS Manager and click on Edit Federation Service Properties. 2. Change the Federation Service identifier to match the following pattern (the https and the final slash are critical):

12 12 3. Click on Apply when done. 4. Restart the Federation Service via the Windows Services window. It is listed as Active Directory Federation Services. Join Additional Nodes to the Federation Server Farm Additional AD FS nodes can be joined to an existing Federation Server farm through the AD FS GUI Wizard or via AD FS Powershell commands. Both options are described below. Join Additional Nodes to the Federation Server Farm Option 1: AD FS GUI Wizard 1. Launch the AD FS Configuration Wizard. This can be done through the Configure the federation service on this server option under the Notifications flag in the Server Manager console:

13 13 2. Select Add a federation server to a federation server farm and click Next. 3. If the executing user (the user account under which you logged in to the server) is not a domain administrator, provide the credentials for an account that has domain administrator privileges and then click Next. 4. Select Specify the database location for an existing farm using SQL Server. a. In the Database Host Name field, type the name of the server that houses the SQL Server instance that hosts the AD FS configuration databases. b. If using a named instance (i.e., not the default instance), type the instance name in the Database Instance field. 5. Select the certificate that will be used for the identity SSL certificate. Click Next. 6. Select the AD FS Service account (the same account that was used for the first node in the farm). As needed, type in the password for the account. Click Next. 7. The Wizard will now summarize the options; review these options, and use the Previous buttons in the installer to make changes if anything is amiss. If you wish, you may click on the View script button in order to export a Powershell script that can be used for automating additional installations. Click Next. 8. The Wizard will now run a series of pre-requisite checks in order to validate your configuration options. Once it has passed successfully, the Configure button will become enabled. Click on the Configure button to complete the installation. 9. Open AD FS manager and confirm Federation Service Identifier matches identity.rooturl/adfs/ls/.

14 14 Join Addition Nodes to the Federation Server Farm Option 2: Powershell Please note that full documentation on AD FS Powershell cmdlets can be found at OPTION 2A: IF THE AD FS SERVICE ACCOUNT IS A DOMAIN ACCOUNT 1. Open Powershell as a user with Domain Administrator privileges. 2. If the AD FS Service Account is a domain account, run the following command, which will prompt you to enter the credentials for the AD FS Service Account user: $fscredential = Get-Credential 3. Update the following command by replacing the X placemarkers with the values specific to your AD FS setup: Add-AdfsFarmNode -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source= Host\SQLInstance;Integrated Security=True" CertificateThumbprint XX $fscredential will retrieve the AD FS Service Account information stored in the previous command Host\SQLInstance corresponds to the SQL Server Host\InstanceName in which the AD FS databases will be stored. If you are using the default instance, only the host (server) name is typically needed. Example Add-AdfsFarmNode -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source=Server02\Instance02;Integrated Security=True" CertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed 4. Run the updated command 5. Open AD FS manager and confirm Federation Service Identifier matches identity.rooturl/adfs/ls/. OPTION 2B: IF THE AD FS SERVICE ACCOUNT IS A GROUP MANAGED SERVICE ACCOUNT 1. Open Powershell as a user with Domain Administrator privileges. 2. Update the following command by replacing the X placemarkers with the values specific to your AD FS setup: Add-AdfsFarmNode -GroupServiceAccountIdentifier DOMAIN\Account -SQLConnectionString "Data Source=Host\SQLInstance;Integrated Security=True" CertificateThumbprint XX

15 15 -FederationServiceName should be the name of the service (identity.cloudurl) -GroupServiceAccountIdentifier specifies AD FS Service Account Host\SQLInstance corresponds to the SQL Server Host\InstanceName in which the AD FS databases will be stored. If you are using the default instance, only the host (server) name is typically needed. Example Add-AdfsFarmNode -GroupServiceAccountIdentifier CONTOSO\GroupAccount01 -SQLConnectionString "Data Source=Server02\Instance02;Integrated Security=True" CertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed 3. Run the updated command 4. Open AD FS manager and confirm Federation Service Identifier matches identity.rooturl/adfs/ls/. INSTALL APPRENDA WITH AN AD FS FEDERATION SERVER FARM At this point we have configured the Federation portion of the installation. Let s go ahead and install the Platform. Because the installer is not designed to accommodate a Federation Server farm, we will do the following: Select all AD FS Nodes as Application Servers, which will install and configure the Windows Host service. Configure the first AD FS node in the Federation Server farm as the Apprenda Managed AD FS Host. Manually configure the remaining AD FS Nodes as Apprenda Managed AD FS Hosts. Configure AD FS Nodes as Application Servers in the Apprenda Installer 1. Open the Apprenda Installer. 2. Select the Install option. 3. Select Multi Server and Show Advanced Options. 4. Fill out the necessary information until you reach the What Servers Should We Start Off With? page. 5. In addition to your environment s other servers, be sure to add all AD FS nodes as Application Servers.

16 16 Configure the first AD FS Node as an Apprenda Managed AD FS Host 1. Continue and fill out the necessary information until you reach the Apprenda Security page. 2. Do not select the Require Authorization to access the System Operations Center (SOC), as skipping this at install will permit authentication troubleshooting. SOC Authorization can be reenabled at a later time. 3. Fill out the Federation Information as follows: a. Apprenda Managed ADFS Host is the name of the first AD FS node in the farm. b. The endpoint is the Federation Service Identifier configured in ADFS. 4. Complete the Apprenda installation. Grant the AD FS Service Account permission to manage the private keys for the Apprenda Platform Signing Certificate Apprenda Platform installation will add the Apprenda Signing certificate to the certificate store on the AD FS nodes. The AD FS Service Account must have read permissions to the private key for this certificate. Perform the following on all AD FS Nodes. Open the MMC Certificate Snap-in: Open MMC (which should be included on all Windows OS) Under File choose Add/Remove Snap-in Select the Certificates snap-in and click Add. Select Computer account, then click Next. Select Local computer, then click Finish. Click OK to open the snap-in.

17 17 Grant the AD FS Service Account permission to manage the private keys for the Apprenda Platform Signing certificate: Under Certificates (Local Computer), open the Personal>Certificates folder and locate the Apprenda Platform Signing certificate. Its name should match the pattern cloudurl Signing (e.g., apprenda.fedtest Signing ). Right-click on the Apprenda Signing certificate and select All Tasks > Manage Private Keys. Add the AD FS Service Account to the list of Group or user names. Grant the account Read permissions.

18 18 Manually configure the remaining AD FS Nodes Repeat these steps for each additional AD FS node in the farm. Copy Apprenda AD FS Artifacts to the New AD FS Nodes 1. On the first ADFS node; you will find an AdfsBoostrapper directory in the Apprenda install drive\folder (by default, this will be C:\ApprendaPlatform). 2. Copy the AdfsBootstrapper folder to ApprendaPlatform folder on the additional AD FS node. 3. On the additional AD FS node, look in the AdfsBootstrapper\AttributeStore3.0 folder and locate the Apprenda.Federation.AttributeStore.3.0.dll 4. Copy the Apprenda.Federation.AttributeStore.3.0.dll to the C:\Windows\ADFS directory 5. Restart the AD FS Service. Update the SaaSGrid Core DB 1. Connect to the SaaSGrid Core DB (you can use the credentials used to install Apprenda). 2. Look in the dbo.artifact_host table and get the id for the additional node. 3. Look in the dbo.tag table and get the id for Federation Host. 4. In the dbo.host_tag table, add a line where host_id= the id of the additional node from the dbo.artifact Host table and tag_id=the id of Federation Host from the dbo.tag table. 5. In the SOC, deploy the federation service to the additional node. Optional: Configure Application Deployment Policy If desired, move any unneeded services off the federation nodes and set up a deployment policy to only allow the federation service.

19 19 APPENDIX 1: UNDERSTANDING AD FS TRUST RELATIONSHIPS AD FS uses trust relationships to manage how claims are accepted and issued (see Microsoft s AD FS documentation for an explanation of the types of trusts and related terminology used in AD FS). Below is a list of AD FS trust relationships that are either created by Apprenda or must be created manually for certain Apprenda Platform authentication configurations to work. It should be noted that existing claims for an AD FS instance can be viewed in AD FS Manager under the Trust Relationships folder. Trust Relationships Created at Apprenda Platform Installation/UI Deployment Claims Provider Trust (created by Apprenda) When the Apprenda Platform is installed on an environment with AD FS nodes, the installer will create a Claims Provider Trust between the AD FS nodes and the Apprenda Platform. The trust will be located on the Apprenda AD FS nodes: Location: Apprenda AD FS nodes. Type: Claims Provider Trust. Display Name: Apprenda The claim provider s federation metadata field will point to a URL that is dynamically generated by the Apprenda Platform s authentication UI (and depends on the subdomain and cloudurl that has been configured for the Platform): o Format: o Example: Relying Party Trusts (created by Apprenda) When each UI is deployed on the Apprenda Platform (as either part of the Apprenda Platform portals or as part of a guest application), a corresponding Relying Party Trust will be created on the Apprenda AD FS nodes. Location: Apprenda AD FS nodes. Type: Relying Party Trust. The Display Name will typically correspond to the URL of the UI.

20 20 Trust Relationships for Configuring Apprenda to Work with a Secure Token Service After installation of the Apprenda Platform with AD FS is complete, it is typically configured to work with a Secure Token Service (STS). This involves the following trust relationships. Claims Provider Trust (created by Apprenda) PLATFORM-WIDE FEDERATION (WITH A SINGLE STS): Platform-wide federation (typically used to federate against a single external user store) is configured through the User Store page in the System Operations Center. Part of the setup entails entering the federation metadata URL for the STS in the appropriate input box or uploading a metadata file: The Platform will create a Claims Provider Trust on the Apprenda AD FS nodes using the information from the STS metadata URL or file: Location: Apprenda AD FS nodes. Type: Claims Provider Trust. Display Name: Apprenda Platform The claim provider s federation metadata field will point to the metadata URL for the Secure Token Service (if a metadata file is used, the URL information will be extracted from the file). ACCOUNT-LEVEL FEDERATION (WITH ONE STS PER TENANT): The Apprenda Platform can be configured to allow each Tenant account to authenticate against a different STS. In such cases, federation for each Tenant is configured through the Account Portal, where the federation metadata URL for the STS must be entered into the appropriate input box.

21 21 The Platform will create a Claims Provider Trust on the Apprenda AD FS nodes using the information from the STS metadata URL: Location: Apprenda AD FS nodes. Type: Claims Provider Trust. Display Name: the Tenant alias of the corresponding Tenant account. The claim provider s federation metadata field will point to the metadata URL for the STS. Relying Party Trusts (must be created manually) In most cases a Relying Party Trust must be manually configured between the Apprenda AD FS nodes and the STS. Although the setup process will vary depending on the STS used, instructions for configuring a Relying Party Trust in AD FS can be found in Microsoft s online documentation: Typically, your organization will already have an STS in place (along with administrators practiced in managing it). If this is the case, please provide your STS administrator with the metadata URL for the Apprenda AD FS nodes, which can be found in the Configure Identity Federation section of the User Store page in the System Operations Center (for Platform-wide Federation):