Dynamics 365 IFD ADFS and external IdPs
All articles from this blog can ONLY be redistributed on an Attribution-NonCommercial-NoDerivs basis. Please credit the source, thank you.
Twitter:@kelvinshen
Blog:Kelvin Shen's Blog
The Problem
Enterprises with an existing centralised (non-Microsoft) Identify Provider (IdP) may frown upon the idea of introducing another new ADFS based IdP in parallel.
The standard method is to use an ADFS server both as an IdP and an SP. So are the alternatives? So let’s break thing down a bit.
WS-Fed vs SAML vs OAuth vs OpenID Connect
WS-Federation: Old school and light weight. Supported by Microsoft and IBM. WS stands for web service. SAML: Old shool and more complex but perceived to be more secure. OAuth + OpenID Connect: OpenID Connect adds authorization to OAuth. Azure AD supported OpenID.
Above three are alternative sign-in protocals? The key here is WS-Fed protocal because that is the one Dynamics 365 uses.
Note to My Future Self
Before drowning myself in pot of protocals, ask the following questions:
- What is Sign-in protocal?
- What is the Token Type?
Decomposing the Components
ADFS as an SP (Service Provider)
How can you setup an ADFS server as SP for Dynamics 365?
- Configure D365 server for IFD. Define the 3 identifier endpoints (auth.contoso.com, orgname.contoso.com, dev.contoso.com)
- Download the FederationsMetadata.xml
- Import the FederationMetadata.xml to the correspondant ADFS server.
That is right. The standard setup steps from msdoc.
The default IdP for an ADFS server is Active Directory (AD). However, you can totally use alternative IdPs and make one of them as a primary IdP for the ADFS server.
ADFS as an IdP (Identity Provider)
The IdP setup of ADFS has nothing to do with D365. It is a pure ADFS configuration.
Alternative IdP Products/Services
- (RedHat) KeyCloak
- PingFederate
- RealMe (service from NZ government)
PingFederate
KeyCloak
Here is an Stackoverflow example of using KeyCloak to act as an SP to an ADFS IdP. I am not sure D365 will work with KeyCloak as an SP.
Build Custom IdP Adapters
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method
Identity Server
I will leave this to another blog post. It seems to be relevant.
Real World Anecdotes
According to the anecdotes people told me, there are far more failures and successful stories from previous project experiences. Plus, Microsoft will not support such a setup. So, you should definitely put it down as one of the risks of a project.
SP Initiated SSO vs IdP Initiated SSO
OAuth Components Responsibilities
Token Server - Sign security tokens with a private key. An ADFS server is a token server and complies with the STS standard. Authentication Server - Active Directory server is an example of it Resource Server - Your application server
Terminologies
| ADFS 2.0 name | PingFederate name | Concept |
|---|---|---|
| Security Token | Assertion | A collection of XML-formatted security information, describing a user, that is created and consumed during a federated access request |
| Claims Provider | Identity Provider (IdP) | The partner in a federation that creates security tokens for users |
| Relying Party | Service Provider (SP) | The partner in a federation that consumes security tokens for providing access to applications |
| Claims | Assertion attributes | Data about users that is sent inside security tokens |
Source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/gg466930(v=ws.10)
- STS = Security Token Service (A cross-platform SSO framework standard)
- SAML = Security Assertion Markup Language
- JWT = Json Web Token (Encrypted)
- OAuth is a authorization Protocal
- Claim-based identity is a high level term for describing a way to decouple your application code