ADFS - Active Directory Federation Service - Federation Metadata / Endpoints

Captions
Hi guys, welcome to the fourth video of the entire series that I will be creating for Active Directory Federation Services. In the previous video I talked about the lab configuration, how you can install and configure ADFS with the help of your internal CA SSL certificate; I also recommended that for the production environment you should go with a public certificate. Now in this video I'm going to talk about federation metadata and endpoints that are used by ADFS. If you guys learn something new from this or from any of our videos, please feel free to subscribe.

So after watching this video for around 15 to 20 minutes, or after spending around 20 minutes on this particular video, you'll know exactly what ADFS endpoints are and what the purpose of ADFS endpoints is. I also tried to cover this in the second video, but in this video I'll be going deep and I'll be showing you some more information related to ADFS endpoints. The next thing that I'm going to talk about is what ADFS federation metadata is, what the information inside federation metadata is, and how applications use federation metadata to send authentication requests. Now if you have already been working on ADFS, or if you are a beginner, there is one very common interaction which you will have with all of your application vendors, and that is they must be asking you to provide the federation metadata of your ADFS server. So I'm going to tell you that when they ask for the federation metadata of your ADFS, what is the purpose behind that and what information is there inside the federation metadata.

But to proceed with this I'll start off with endpoints. Now, as we all know, endpoints are actually the entry point for any application to send any request to your ADFS. Now when I say any request, what do I mean by this? The application can be a website, it can be a native client application as well; an example is Microsoft Outlook, and for a website you can think of portal.office.com. So these are two different kinds of applications which will be using two different types of user agents: in portal.office.com it will be a browser, in Outlook it will be a native client app. So in order to receive the request from two different kinds of applications there will be different kinds of endpoints which ADFS hosts. So let's take an example for that and let's understand that if the request is coming from browser-based authentication it should reach the ADFS /ls endpoint; if a request is coming from an active client application, the common endpoint which is accessed is trust/mex. Now this endpoint is actually accessed when your application doesn't support modern authentication. So basically, in short, modern authentication is something where everything is going to the ADFS /ls endpoint; I will be creating a different video for that, don't worry about it right now. For this video just understand that the applications which don't support modern authentication, rich client applications, actually contact the mex endpoint of ADFS. And in the same way there is a specific endpoint for the federation metadata of ADFS. So in short, if we talk about the core definition of an endpoint, it's actually an entry point which is used by ADFS to receive the authentication request, or any request, likewise accessing your federation metadata as well.

So now I'll switch to my machine and I'll show you something more which is related to the endpoints of the ADFS server. So for that, in order to check the list of all the endpoints, what you can do is simply type Get-AdfsEndpoint on the machine on which you have ADFS, and all the endpoints will get listed. The attribute which is important for us is FullUrl. So as you can see these are all the different endpoints which ADFS hosts and on which you can send requests. So the endpoints which we discussed were the ADFS services trust/mex endpoint (mex stands for metadata exchange); the other endpoint which we talked about was the ADFS /ls endpoint; and as you can see there is one specific endpoint which is actually accessed to know more details about federation metadata. But let's talk about these endpoints, or in short let's talk about all the endpoints: what is common is this part, which is https://adfs.conceptswork.com/adfs/services/trust/mex. So if I copy this information and if I open Notepad, what you will see here is that this first part is the name of your ADFS service. So if I go here and I click on Edit Federation Service Properties, as you can see it's showing here adfs.conceptswork.com, and the second part of your endpoint is actually the reference of what kind of information it can receive and from what kind of application.

Now this was all about endpoints and how endpoints work when they receive any requests. There is one more thing which I would like to add on here, and that is this part that you see here, which is https. This actually means that every endpoint which is available on ADFS is secured, and why has it been secured? Because ADFS setup requires an SSL certificate. Now I'll show you some more details on this and then we'll move on to the federation metadata. So if I try to access this endpoint, let's see what information we get. I'm getting some sort of information which is XML that will be used by my active client application. But if you see at the top, and if I try to view the certificate, what I will get here is that this certificate was issued to adfs.conceptswork.com, and let me just check the thumbprint of the certificate: it ends with 8365. So what I'll do now is I'll go back to my ADFS console and I will quickly check what the thumbprint of the SSL certificate that I used for setup is: it's 8365. Now what does this mean? That the SSL certificate that you will be using for installing ADFS will be bound to all the endpoints of your ADFS. So this was all about how endpoints work in ADFS.

The next thing that I'm going to talk about is ADFS federation metadata, and for that let's assume there is a user who will be logging in on an application, and that application has to send the authentication request to our ADFS server. But if we talk about the core definition of ADFS federation metadata, it is something which actually means data about the services offered by an entity. Now federation metadata is not a keyword that's only used with ADFS; it is a commonly used keyword in the identity model, and since ADFS is an identity provider, we use the term federation metadata for ADFS as well. So let's consider a scenario wherein you have Active Directory Federation Services installed on a server, and this ADFS server will have certain endpoints to receive the authentication request from different types of applications (it could be a browser, it could be a native client app), and then it will issue a token to your application. But before all this can happen, the first thing which has to be done is that the application has to send an authentication request to an ADFS endpoint. Now the question comes: how does the application know that this is the particular endpoint where I have to send the authentication request? That's the reason why every application vendor asks this question: can I get the federation metadata of your ADFS server? I've shown you before the endpoint from which you can access the federation metadata of your ADFS server, so you can use this particular link; in our case it is adfs.conceptswork.com/FederationMetadata/2007-06/FederationMetadata.xml. So if any application vendor contacts me saying that I need the federation metadata of your ADFS server, I'll access this link, I'll download the file and I will give that file to the application vendor. Then the application vendor has to extract some sort of information from this federation metadata and embed that in the application. So now the question comes: what kind of information?

So if we move on, the application has to request a token from ADFS, and once ADFS has given the token to the application for the respective user, the application has to read the information inside the token. So what the application is doing is: the very first thing, it has to send an authentication request, and for that it needs the ADFS endpoint. Then the application has to read the claims inside the token, and for that the application needs the token signing certificate. This might be something new which I have just added, but don't get confused; for this demo assume that in order to read the token which ADFS provides to an application, the ADFS token signing certificate is required. When I talk about certificates I'll let you know why it is required. The third and the final step which this application will be doing is knowing what kind of claim has been sent to me: that means whether it is an email, whether it is a contact number, whether it is the name of the user. And guess what, these three pieces of information which the application actually needs exist in the federation metadata. So now if I talk about ADFS federation metadata, it actually contains the details about the endpoints, the details about the claims that it can issue, and the token signing certificate which will be used by your application to access the information inside the token.

Now let me show you this on my ADFS machine and then it will make more sense. So in order to know the federation metadata URL of your ADFS server, again do Get-AdfsEndpoint | Select FullUrl and you will see a link or an endpoint getting listed here: adfs.conceptswork.com/FederationMetadata/2007-06/FederationMetadata.xml. I'll copy this and I'll go to a browser and I will access this particular link. Now this is the set of information which I'm getting, and I'll try to review some of the very common things which are important and which you can refer to. Let's start from the beginning.

So the first thing that you see here is entityID, which is adfs.conceptswork.com/adfs/services/trust; this is basically the identifier of your ADFS service. So if I right click here and click on Edit Federation Service Properties, you see this: adfs.conceptswork.com/adfs/services/trust, and this is the same information which is mentioned here. Now let's move on to the next part, and that is about the claim description. So if you go to ADFS and click on this option of Claim Descriptions, you will find the list of all the claims that can be issued by this particular ADFS server. Now the first option that you see here is email, and it has three, sorry, four attributes: name, short name, claim type and description. If you go back to your federation metadata you will find the same information, and that is the claim type, which is email address; the URI is email address, the name is email address and the description is the email address of the user. Now see, I can copy this information into Notepad, and there is one more way to access this information, and that is Get-AdfsClaimDescription -Name, and for the name I'm going to type the name of the claim, which is this, and I will copy this information, go back to my Notepad and paste this information. So my agenda here in showing you guys all this is that you can access the same set of information in multiple ways, but federation metadata is something that contains the information relative to your ADFS server that will be used in the authentication process. So you need the endpoints information, you need the claim descriptions, and then the last thing that you need is the token signing certificate which will be used by your application to access the information inside the token. But I would also like to show you the endpoint details, and for that what I can do is just scroll down to the bottom and I'll get the list of endpoints. Now you can see these are all the endpoints getting listed here: https://adfs.conceptswork.com/adfs/ls, okay.

So the last thing that I have to show you now is the token signing certificate, which is available in the federation metadata itself. So for that what I will be doing is going to this particular location and accessing this federation metadata in Notepad, and what you have to do is press Ctrl+F and search for "signing", and this is the certificate, the token signing certificate, which is available in the federation metadata. So what you can do is just open Notepad and save this information as, let's say, token.cer, and I'm going to save it on my machine, click on Save, got it. Now I'll navigate to that particular location, I'll open the certificate and as you can see it's showing "ADFS Signing - adfs.conceptswork.com". I'll go to Details and then I'll check the thumbprint; it is showing here as 5169. Let me go back to my ADFS, click on Certificates, and then I'll open the signing certificate and I'll go to the thumbprint and I will check here: 5169. As you can see it's the same certificate. So ADFS federation metadata contains information about the certificates, it contains the information about claim descriptions and it also contains the information about endpoints. Don't worry about the claim description that I have discussed here; I will be discussing it in more detail in the video in which I will be talking about claims, the role of claims and the claim rule language.

So this was all about this particular video, where we have covered more or less all the details that are required for you to know about ADFS endpoints; we have also talked about ADFS federation metadata. In the next video I'm going to talk about the relying party and how you can add a relying party trust for your application, so that your application can send authentication requests to your ADFS. So if you guys have learned something new, please feel free to subscribe. If you have any questions, feedback or suggestions, please feel free to reach me at learn concepts work at gmail.com. Thank you so much guys, thanks for your time, have a great day ahead. Bye bye.
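The fields the video pulls out of the metadata by hand (entityID, offered claim types, endpoints, and the token signing certificate with the thumbprint compared against the ADFS console) extracted programmatically. This is an added example, not code from the video: SAMPLE_METADATA is a constructed stand-in for the FederationMetadata.xml document using the video's host name, and the X509Certificate body is placeholder bytes (base64 of "abc"), not a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD, FED = "urn:oasis:names:tc:SAML:2.0:metadata", "http://docs.oasis-open.org/wsfed/federation/200706"
AUTH, DS, WSA = ("http://docs.oasis-open.org/wsfed/authorization/200706",
                 "http://www.w3.org/2000/09/xmldsig#", "http://www.w3.org/2005/08/addressing")

# Constructed sample of FederationMetadata.xml; "YWJj" is placeholder bytes, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
 xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:wsa="http://www.w3.org/2005/08/addressing"
 entityID="http://adfs.conceptswork.com/adfs/services/trust"><md:RoleDescriptor>
 <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <fed:ClaimTypesOffered><auth:ClaimType
  Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><auth:DisplayName>
  E-Mail Address</auth:DisplayName></auth:ClaimType></fed:ClaimTypesOffered>
 <fed:SecurityTokenServiceEndpoint><wsa:EndpointReference><wsa:Address>
  https://adfs.conceptswork.com/adfs/services/trust/mex</wsa:Address></wsa:EndpointReference>
 </fed:SecurityTokenServiceEndpoint><fed:PassiveRequestorEndpoint><wsa:EndpointReference>
  <wsa:Address>https://adfs.conceptswork.com/adfs/ls/</wsa:Address></wsa:EndpointReference>
 </fed:PassiveRequestorEndpoint></md:RoleDescriptor></md:EntityDescriptor>"""


def parse_federation_metadata(xml_text):
    """Return entityID, offered claim types, endpoints and signing-cert thumbprints."""
    root = ET.fromstring(xml_text)
    thumbprints = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") == "signing":
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                # The thumbprint shown in the Windows certificate dialog is SHA-1 over the DER bytes.
                der = base64.b64decode(cert.text.strip())
                thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    endpoints = {}
    for kind in ("SecurityTokenServiceEndpoint", "PassiveRequestorEndpoint"):
        for ep in root.iter(f"{{{FED}}}{kind}"):
            for addr in ep.iter(f"{{{WSA}}}Address"):
                endpoints.setdefault(kind, []).append(addr.text.strip())
    return {
        "entity_id": root.get("entityID"),
        "claim_types": [c.get("Uri") for c in root.iter(f"{{{AUTH}}}ClaimType")],
        "endpoints": endpoints,
        "signing_thumbprints": thumbprints,
    }


def thumbprint_matches(metadata, console_thumbprint):
    """Compare a thumbprint copied from the ADFS console (spaces and case ignored)."""
    return console_thumbprint.replace(" ", "").upper() in metadata["signing_thumbprints"]
```

Pointing the parser at a downloaded FederationMetadata.xml instead of the sample gives the same three pieces of information the video reads off the screen, and thumbprint_matches is the check the video performs by eye against the Certificates node.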
Info
Channel: Concepts Work
Views: 27,278
Keywords: Active Directory Federation Services, ADFS, Federation Metadata, ADFS federation Metadata, ADFS Endpoints, ADFS Deep dive, Active Directory, Claim based Identity, claims, adfs basics, adfs lab, adfs sso, adfs authentication, adfs federation metadata
Id: RblwNli2qLE
Length: 19min 41sec (1181 seconds)
Published: Sun Mar 03 2019