The main purpose of this post is to demonstrate how to connect to Office 365 using an ADFS 2.0 infrastructure and then publish it out using Microsoft ISA Server or Forefront Threat Management Gateway.
I have provided only a summary of the steps involved in configuring ADFS 2.0 and setting up directory synchronization with Office 365 as these steps are very well documented by Microsoft. I have provided links to the relevant Microsoft documentation where applicable.
· Install ADFS 2.0 on Windows Server 2008 or Windows Server 2008 R2
· A third party certificate for your Federation Service Name (e.g. fs.contoso.com)
· All users that connect to Office 365 will require a UPN that is known to the user (e.g. firstname.lastname@example.org)
· The UPN domain suffix must be the domain that you choose to set up for single sign-on.
· The domain that you choose to federate must be registered as a public domain
· Servers that will host ADFS 2.0 must be joined to the domain
· Create a dedicated service account for ADFS
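The prerequisites above are easy to get wrong silently (a user with a non-routable UPN suffix, or a certificate whose subject does not match the Federation Service Name), so the following PowerShell pre-flight script checks them on the prospective ADFS server. This is an added example and not part of the original post; it assumes the ActiveDirectory module from RSAT is available, and contoso.com / fs.contoso.com are placeholders for your single sign-on domain and Federation Service Name.

```powershell
# Added example (not from the original post): pre-flight checks for the
# federation prerequisites listed above. Assumes the ActiveDirectory module
# (RSAT) is installed. contoso.com and fs.contoso.com are placeholders.
Import-Module ActiveDirectory

$SsoDomain             = 'contoso.com'     # domain you will federate (placeholder)
$FederationServiceName = 'fs.contoso.com'  # must match the certificate subject (placeholder)

# 1. Every user who signs in to Office 365 needs a UPN whose suffix is the
#    federated domain. List enabled users with no UPN or a different suffix.
$badUpn = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object {
        (-not $_.UserPrincipalName) -or
        ($_.UserPrincipalName.Split('@')[-1] -ne $SsoDomain)
    })

if ($badUpn.Count -gt 0) {
    Write-Warning ("{0} enabled user(s) have no UPN or a UPN outside {1}:" -f $badUpn.Count, $SsoDomain)
    $badUpn | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Host "[OK] All enabled users have a UPN in $SsoDomain"
}

# 2. The third-party certificate must be in the local machine store, have a
#    private key, and carry the Federation Service Name as its subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$FederationServiceName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate with a private key for CN=$FederationServiceName in LocalMachine\My"
} elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
} else {
    Write-Host "[OK] Certificate $($cert.Subject) valid until $($cert.NotAfter)"
}

# 3. Servers that host ADFS 2.0 must be domain-joined.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Host "[OK] $($cs.Name) is a member of $($cs.Domain)"
} else {
    Write-Warning "$($cs.Name) is not joined to a domain"
}
```

Run it as a domain user on the server that will become the first farm member; any warning it prints corresponds to one of the bullet points above and should be resolved before running the ADFS 2.0 setup wizard.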
Deploying ADFS 2.0
· Install your third party certificate in IIS
· Install ADFS 2.0 software
· Run the ADFS 2.0 setup wizard and create your ADFS 2.0 server farm
o For detailed instructions, follow Microsoft’s deployment guide: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx#bk_deployfsfarm
o Ensure that the Federation Service Name matches your certificate
Create a Relying Party Trust Between ADFS 2.0 and Office 365
· After you have successfully deployed your AD FS 2.0 infrastructure, set up the relying party trust between your new on-premises AD FS 2.0 servers and Office 365.
· The next step in setting up single sign-on (also called identity federation) is to download, install, and configure the Microsoft Online Services Module for Windows PowerShell. The module has its own software prerequisites, which must be in place first. Once the module is installed, you run a series of cmdlets in the Windows PowerShell command-line interface to add or convert domains for single sign-on.
The Microsoft Online Services Module for Windows PowerShell is a download that comes with Office 365. This module installs a set of cmdlets to Windows PowerShell; you run those cmdlets to set up single sign-on for Office 365.
· Download the 32-bit module: http://g.microsoftonline.com/0BD00en-US/85
· Download the 64-bit module: http://g.microsoftonline.com/0BD00en-US/126
· Refer to the following Microsoft documentation in order to configure the Microsoft Online Services Module: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx
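The cmdlet sequence that the documentation above walks through, written out as one script, is shown below. This is an added example and not code from the original post or from Microsoft; it assumes the Microsoft Online Services Module is installed on a machine that can reach the primary ADFS 2.0 server, and contoso.com and adfs01.corp.contoso.local are placeholders for your federated domain and the primary federation server.

```powershell
# Added example (not from the original post): federating a verified domain
# with the new ADFS 2.0 farm using the Microsoft Online Services Module.
# contoso.com and adfs01.corp.contoso.local are placeholders.
Import-Module MSOnline        # cmdlets installed by the Microsoft Online Services Module

$Domain     = 'contoso.com'                # domain to convert to single sign-on (placeholder)
$AdfsServer = 'adfs01.corp.contoso.local'  # primary ADFS 2.0 server in the farm (placeholder)

# Sign in to Office 365 with a tenant administrator account.
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Point the module at the primary federation server. The conversion cmdlet
# reads the farm's federation metadata and token-signing certificate from it
# and creates the Office 365 relying party trust on it.
Set-MsolADFSContext -Computer $AdfsServer

# The domain must already be verified in the tenant, and it must be the same
# domain that is used as the users' UPN suffix.
$d = Get-MsolDomain -DomainName $Domain
if ($d.Status -ne 'Verified') {
    throw "Domain $Domain is not verified in Office 365; verify it before federating"
}

if ($d.Authentication -eq 'Federated') {
    Write-Host "$Domain is already federated; nothing to do"
} else {
    # Converts a managed domain to federated. For a domain that has not been
    # added to the tenant yet, New-MsolFederatedDomain is used instead.
    Convert-MsolDomainToFederated -DomainName $Domain
}

# Show the federation settings that Office 365 and the ADFS farm each hold,
# so the two sides (issuer URI, endpoints, signing certificate) can be compared.
Get-MsolFederationProperty -DomainName $Domain
```

Keep the output of Get-MsolFederationProperty: when sign-in later fails with a certificate or issuer mismatch, comparing the two halves of that output is the quickest way to see which side drifted.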
Set Up Directory Synchronization
· Install the Microsoft Online Services Directory Synchronization tool (http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652545.aspx#BKMK_InstallDirSyncTool)
o To install the Directory Synchronization tool, follow these steps in the Office 365 portal:
o In the header, click Admin.
o On the Admin page, in the left pane, click Users.
o At the top of the Users page, click the link next to Active Directory synchronization.
o Under step 4, select either Windows 32-bit version or Windows 64-bit version, click Download, and follow the instructions to save the installation file on your computer. If necessary, copy the installation file to the computer on which it will be installed.
o On the last page of the installation program, select Start Configuration Wizard now, and then click Finish.
o The Microsoft Online Services Directory Synchronization Configuration Wizard starts.
· Synchronize your directories
Publishing ADFS 2.0 using ISA/TMG
The following steps should help you publish ADFS through ISA, TMG, IAG or UAG.
First, open the ISA/TMG/UAG/IAG management console.
Right-click Firewall Policy -> New -> Web Server Publishing Rule:
- Enter the publishing rule name: Federated Services
- Click Next through the following screens unless you are load balancing
- Enter the internal site name (suggested: the same as the external URL) and the IP address of the server
- For the path, enter /adfs/* and select Forward the original host header
- Enter the public name and the same path
- Create a new listener:
o Add the certificate
o Always authenticate: No
o Domain for authentication: your domain name
o Authentication method: No Authentication
o Ports: 443 and 80
o Forward all HTTP to HTTPS
o Network: select the external IP address
- Click Next
- Authentication delegation: select No delegation, but client may authenticate directly
- Make sure All Users is selected
- Click Finish, then edit the rule and change the following:
- On the Link Translation tab, uncheck Apply link translation to this rule
- Right-click the rule, select Configure HTTP, and change the following:
- On the General tab, uncheck the Verify normalization and Block high bit characters boxes
- Click OK and apply the changes
As an alternative to the web publishing rule, use a non-web server protocol publishing rule and select HTTPS Server as the protocol.
If the default HTTPS Server protocol still doesn’t work, create a new protocol on port 443 so that the web filter is bypassed entirely (ISA/TMG then passes the traffic through without any HTTP-level inspection).
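Whichever rule type you end up with, it is worth confirming from outside the network that the publishing behaves as intended: HTTP is redirected to HTTPS, the ADFS endpoints answer with the Federation Service certificate, and nothing beyond /adfs/* is exposed. The script below does that with plain .NET web requests so it runs on PowerShell 2.0. It is an added example and not code from the original post; fs.contoso.com is a placeholder for your published Federation Service Name, and the /adfs/ls/ and /adfs/services/trust/mex paths are the standard ADFS 2.0 passive sign-in and metadata-exchange endpoints.

```powershell
# Added example (not from the original post): external checks of the
# ISA/TMG publishing rule. Run from a machine outside the network.
# fs.contoso.com is a placeholder for the published Federation Service Name.
$Fqdn = 'fs.contoso.com'

# Issues one GET without following redirects and reports what the publishing
# rule actually returned: status code, Location header and, for HTTPS, the
# subject of the certificate presented to the client.
function Get-PublishedResponse {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false    # we want to see the redirect itself
    $req.Timeout = 10000
    $err = $null
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response  # 4xx/5xx answers still carry a response
        $err  = $_.Exception.Message
    }
    $status = 0; $location = $null; $subject = $null
    if ($resp) {
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()
    }
    if ($req.ServicePoint.Certificate) { $subject = $req.ServicePoint.Certificate.Subject }
    New-Object PSObject -Property @{
        Url = $Url; Status = $status; Location = $location; CertSubject = $subject; Error = $err
    }
}

# 1. The listener is set to forward HTTP to HTTPS, so plain HTTP must answer
#    with a redirect to an https:// URL rather than serving the sign-in page.
$r = Get-PublishedResponse "http://$Fqdn/adfs/ls/"
if (($r.Status -eq 301 -or $r.Status -eq 302) -and $r.Location -like 'https://*') {
    Write-Host "[OK] HTTP redirects to $($r.Location)"
} else {
    Write-Warning "HTTP to HTTPS redirect missing (status $($r.Status), Location '$($r.Location)')"
}

# 2. The passive sign-in endpoint and the MEX endpoint answer over HTTPS with
#    the Federation Service certificate. A bare GET to /adfs/ls/ carries no
#    WS-Federation parameters, so ADFS answers with its own error page; what
#    matters here is that the answer arrives over TLS with the right certificate.
foreach ($path in '/adfs/ls/', '/adfs/services/trust/mex') {
    $r = Get-PublishedResponse "https://$Fqdn$path"
    if ($r.Status -eq 0) {
        Write-Warning "$($r.Url): no response ($($r.Error))"   # e.g. TLS trust failure or blocked
    } elseif ($r.CertSubject -notlike "*CN=$Fqdn*") {
        Write-Warning "$($r.Url): certificate subject is '$($r.CertSubject)', expected CN=$Fqdn"
    } else {
        Write-Host "[OK] $($r.Url) answered $($r.Status) with $($r.CertSubject)"
    }
}

# 3. The rule publishes only /adfs/*; the site root must not be reachable.
$r = Get-PublishedResponse "https://$Fqdn/"
if ($r.Status -ge 200 -and $r.Status -lt 300) {
    Write-Warning "Site root returned $($r.Status); check the rule's path restriction"
} else {
    Write-Host "[OK] Site root is not published (status $($r.Status))"
}
```

The third check is the one to keep an eye on after any later rule edit: if the path is widened from /adfs/* the whole federation server becomes reachable from the Internet, and this script will flag it.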