Working through AD Federation Services Labs
To minimize confusion in often-complicated federation scenarios, I always try to think of myself as being in the identity provider’s role, and that role is always on the left side of the architecture diagram. Remember, the identity provider is the one that contains the identities (in this case, from AD) that will be extended to the service (in this case, Contoso’s SharePoint server).
The SharePoint federation lab document is 96—that's right, 96—pages long. And it's primarily made up of steps to be taken after you've either downloaded the VMs or gone through the 50-page lab-build document. The good news is that (unlike the lab-build document) the SharePoint document is made up primarily of screenshots. This makes the exercise much easier than it would have been otherwise, as in this case a picture really is worth a thousand words—and reduces tenfold the chance you might goof something up midway through the lab.
This lab is also easier than it might first appear because you don’t have to go through the entire document if you want to just see how federation works. (Watching federation work, by the way, is hugely anticlimactic. Because it’s single sign-on, federation is working correctly when, well, nothing happens. The cool part is that this "nothing" happens across security boundaries where something used to happen—like a credentials prompt—or you simply weren’t able to do it at all.) The SharePoint lab contains 11 steps, but you only need to get through step 7 if you just want to watch federation in action.
If you've gone to all the trouble to get this far, however, you really should step through the rest of the lab. Step 8 shows how you can also use a SQL Server database as an attribute store that AD FS can query to generate claims, instead of (or in addition to) AD. Step 9 shows how to configure AD FS and SharePoint to use AD RMS to apply rights-management protection to documents. Finally, step 10 shows how to configure a second document library that requires strong authentication before its documents can be accessed.
The two key VMs in this lab are FABRIKAMSRV01 and CONTOSOSRV01. They fulfill multiple roles for the lab, whereas FABRIKAMSRV02 is essentially an Office 2007 client (though Office is installed on a server OS) and CONTOSOSRV02 is a SharePoint server (which requires IIS and SQL Server as components). First, FABRIKAMSRV01 and CONTOSOSRV01 provide domain services through AD DS to create the FABRIKAM and CONTOSO domains. Note that because these lab domains have only one DC each, you don't have to worry about problems such as replication failing between DCs because the machines have been shut down, saved, or paused for longer than the tombstone lifetime. Second, they have DNS installed to support AD DS.
Third, FABRIKAMSRV01 and CONTOSOSRV01 both have AD FS installed. FABRIKAMSRV01's AD FS runs the claims provider STS (security token service—the service that generates SAML tokens) in this scenario. It's called the claims provider because it generates the claims necessary for SharePoint access from the user's AD attributes. Confusingly, STS is often used interchangeably with federation server or AD FS. CONTOSOSRV01's AD FS runs the relying-party STS—so called because it relies on the claims coming from the claims provider, and it does so only because a federation trust has been configured between the two: it accepts claims from that one issuer, not from anyone who presents a token.
Fourth, AD CS is also installed on FABRIKAMSRV01 and CONTOSOSRV01. This service provides each domain with a certificate authority (CA), which issues the certificates each domain's STS uses to sign the tokens it issues (and to protect its web endpoints with SSL). The partner's token-signing certificate is what the relying party checks a token's signature against, which is how it knows the claims it receives are authentic and were not modified in transit. Finally, IIS is installed on each to host the web endpoints of both AD CS and AD FS.
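To make the claims-provider/relying-party relationship and the role of the signing certificates concrete, here is an added example in Go; it is not code from the lab, from AD FS, or from this article's author. It assumes an in-memory RSA key pair in place of the AD CS-issued token-signing certificate, a JSON token in place of AD FS's XML SAML token, the made-up issuer names urn:federation:fabrikam and urn:federation:contoso, the example's own short claim types (upn, group, role), and a constructed Fabrikam user whose memberOf attribute holds a hypothetical Sales group DN. The flow is the one described above: the Fabrikam STS derives claims from AD attributes and signs a token for Contoso; the Contoso STS accepts it only if the issuer is a configured trust, the signature verifies against that partner's key, the audience is itself, and the token is within its validity window; only then does it run its claim rules and hand the transformed claims to the application.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Claim is one typed assertion about a user; the short claim types are this example's own.
type Claim struct{ Type, Value string }

// Token stands in for the SAML token an STS issues (real AD FS tokens are XML).
type Token struct {
	Issuer, Audience    string
	NotBefore, NotAfter int64
	Claims              []Claim
}

// SignedToken is the serialized token plus the issuing STS's RSA-PSS signature over it.
type SignedToken struct{ Payload, Signature []byte }

// STS models one federation server; claims provider and relying party are the same code.
type STS struct {
	Name       string
	Key        *rsa.PrivateKey           // token-signing key (its certificate comes from AD CS in the lab)
	Trusted    map[string]*rsa.PublicKey // issuer name -> partner's token-signing key: the federation trust
	ClaimRules func([]Claim) []Claim     // transformation applied to accepted claims (default: pass through)
}

func NewSTS(name string) (*STS, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for a CA-issued token-signing certificate
	if err != nil {
		return nil, err
	}
	return &STS{Name: name, Key: key, Trusted: map[string]*rsa.PublicKey{},
		ClaimRules: func(c []Claim) []Claim { return c }}, nil
}

// Issue signs a token for one audience with this STS's token-signing key.
func (s *STS) Issue(audience string, claims []Claim, now time.Time, ttl time.Duration) (SignedToken, error) {
	payload, err := json.Marshal(Token{Issuer: s.Name, Audience: audience,
		NotBefore: now.Unix(), NotAfter: now.Add(ttl).Unix(), Claims: claims})
	if err != nil {
		return SignedToken{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, s.Key, crypto.SHA256, digest[:], nil)
	return SignedToken{Payload: payload, Signature: sig}, err
}

// Accept is the relying-party side: trusted issuer, valid signature, audience and validity window first.
func (s *STS) Accept(st SignedToken, now time.Time) (Token, error) {
	var tok Token
	if err := json.Unmarshal(st.Payload, &tok); err != nil {
		return Token{}, err
	}
	key, ok := s.Trusted[tok.Issuer]
	if !ok {
		return Token{}, fmt.Errorf("issuer %q is not a trusted claims provider", tok.Issuer)
	}
	digest := sha256.Sum256(st.Payload)
	if err := rsa.VerifyPSS(key, crypto.SHA256, digest[:], st.Signature, nil); err != nil {
		return Token{}, fmt.Errorf("signature from %q does not verify: %w", tok.Issuer, err)
	}
	if tok.Audience != s.Name {
		return Token{}, fmt.Errorf("token audience %q is not this STS", tok.Audience)
	}
	if t := now.Unix(); t < tok.NotBefore || t > tok.NotAfter {
		return Token{}, fmt.Errorf("token is outside its validity window")
	}
	tok.Claims = s.ClaimRules(tok.Claims) // only now are the partner's claims relied upon
	return tok, nil
}

// ContosoClaimRules is an example relying-party policy: a Fabrikam group becomes a Contoso role.
func ContosoClaimRules(in []Claim) []Claim {
	var out []Claim
	for _, c := range in {
		if c.Type == "group" && c.Value == "CN=Sales,OU=Groups,DC=fabrikam,DC=com" {
			out = append(out, Claim{Type: "role", Value: "SharePointReaders"})
		} else if c.Type == "upn" {
			out = append(out, c) // keep the identity; every other partner claim is dropped
		}
	}
	return out
}

func main() {
	fabrikam, _ := NewSTS("urn:federation:fabrikam")
	contoso, _ := NewSTS("urn:federation:contoso")
	contoso.Trusted[fabrikam.Name] = &fabrikam.Key.PublicKey // Contoso trusts Fabrikam, not the reverse
	contoso.ClaimRules = ContosoClaimRules
	// Constructed claims the claims provider would derive from userPrincipalName and memberOf.
	claims := []Claim{{"upn", "alice@fabrikam.com"}, {"group", "CN=Sales,OU=Groups,DC=fabrikam,DC=com"}}
	st, _ := fabrikam.Issue(contoso.Name, claims, time.Now(), 10*time.Minute)
	tok, err := contoso.Accept(st, time.Now())
	fmt.Println(err, tok.Claims) // <nil> [{upn alice@fabrikam.com} {role SharePointReaders}]
}
```

The order of checks in Accept is the point: the relying party cannot verify a signature until it has looked up which trusted partner claims to have issued the token, and it must not look at the claims themselves until the signature, audience and time window have all passed. Because the trust is one-way, the same token presented to the Fabrikam STS, or a token signed by a different key under Fabrikam's name, is rejected.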
If you have any intention of keeping up to date with identity and its future direction, I highly recommend that you install and work through at least the AD FS SharePoint lab. Doing so will show you the foundations on which AD FS is built, as well as a typical B2B scenario that you can use AD FS for. The lab also provides hands-on, guided experience working with claims as they make their way from the identity provider's STS to the service provider's STS to the claims-aware application. Finally, it highlights the areas you need to learn or brush up on, such as IIS or Certificate Services. Though AD FS is an identity technology, it leans heavily on those supporting components, and neither federation in general nor AD FS in particular is something you learn overnight. Get a head start on understanding this important identity component by getting started on this lab.