It was an interesting topic and a challenge for us, as we had never done this kind of thing before. How can we access our local Active Directory users over the internet? That was my first question when I read the requirement from one of my clients.
Finding the approach:
We started searching the internet for a solution and finally found one using Azure. One of the Azure features is syncing your on-premises Active Directory with your Azure account. We asked the client to set up the on-premises Active Directory sync with the Azure account first.
We need to perform two tasks to implement this.
Task 1. Create the VS 2013 application for authentication.
Task 2. Add a Relying Party Trust in ADFS.
First, I will provide the steps for Task 1.
The following steps are needed to achieve this requirement.
Step 1: You need to use Visual Studio 2013.
Create a new project and choose Visual C# and ASP.NET Web Application.
See the following screenshot to choose the option.
Step 2: Choose MVC application and click on the Change Authentication button.
Step 3: As soon as you click the "Change Authentication" button,
you will see the options shown in the following screenshot. Choose "Organizational Accounts" and, from the dropdown in the right-hand pane, choose "On-Premises".
Step 4: As soon as you choose "On-Premises", you get two text boxes, which need the On-Premises Authority URL and the App ID URI of the application you want to authenticate through this.
On-Premises Authority: Here you need to provide your on-premises federation metadata XML path, which will be provided to you by your IT administrator.
App ID URI: Here you provide your local application URL, or the URL of your existing running internet application, that you want on-premises users to authenticate to.
After completing all four steps with correct data, VS 2013 creates an application for you that authenticates your on-premises users for your application.
These four steps are all that is required:
your application is now ready to use on-premises users. The only thing left is to deploy this solution to your hosted environment and try to log in with an on-premises user.
You can customize this solution for look and feel and write some code for the logout process as per your other requirements.
Note: Certain settings are required apart from your VS 2013 application; these are made on your local Active Directory server (see Task 2).
For login, when you browse to the URL you provided as the App ID URI, it automatically shows you the Microsoft login window, where you can enter your on-premises user credentials and log in successfully with your user.
It is just that simple. But this simple thing took us 1.5 weeks, just because we did not have the environment ready and proper steps with correct information. At certain points we were unfamiliar with new terms such as
App ID URI, on-premises authority, ADFS (Active Directory Federation Services), Organizational Accounts, Cloud and many more.
Now, this blog post will provide you with all the information and steps by which you can get it done within 1 hour, provided the environment is ready at hand.
Task 2: How to add a Relying Party Trust for your application URL?
The following steps will be performed by the IT administrator.
Open your local server where your AD (Active Directory) is set up. If you search, you will find Active Directory Federation Services running on the same computer. Open the AD FS Management console; from there you need to add a Relying Party Trust.
It will look like this:
Step 1 – Adding a Relying Party Trust
Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.
1. In the Select Data Source screen, select the last option, Enter Data About the Party Manually.
2. On the next screen, enter a Display name that you’ll recognize in the future, and any notes you want to make.
3. On the next screen, select the AD FS profile radio button.
4. On the next screen, leave the certificate settings at their defaults.
5. On the next screen, check the box labeled Enable Support for the WS-Federation Passive protocol. The service URL will be https://www.example.com, with www.example.com replaced by your actual application URL. Note that there is no trailing slash at the end of the URL.
6. On the next screen, you may configure your URL identifier.
7. On the next screen, you may configure multi-factor authentication, but we do not need to go into that flow.
8. On the next screen, select the Permit all users to access this relying party radio button.
9. On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor.
Step 2 – Creating claim rules
Once the relying party trust has been created, you can create the claim rules and update the RPT with the minor changes that are not set by the wizard.
By default, the claim rule editor opens once you have created the trust.
1. To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.
2. On the next screen, using Active Directory as your attribute store, do the following:
- From the LDAP Attribute column, select E-Mail Addresses.
- From the Outgoing Claim Type, select E-Mail Address.
3. Click on OK to save the new rule.
4. Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.
5. On the next screen:
- Select E-mail Address as the Incoming Claim Type.
- For Outgoing Claim Type, select Name ID.
- For Outgoing Name ID Format, select Email.
Leave the rule to the default of Pass through all claim values.
6. Finally, click OK to create the claim rule, and then OK again to finish creating rules.
Now you are ready to test your application by logging in with an on-premises user.
I hope that, after reading my article, one can deploy the complete solution.
The following are reference links on similar topics.