4.2. Config steps at the DNN side
On the DNN side, all configuration tasks related to AD FS are done through the Glanton provider “ADFS-Pro Authentication”. Nothing needs to be changed in the core DNN settings.
Note
AD FS works only with websites served over HTTPS, so it is worth considering switching the whole DNN website to HTTPS only.
4.2.1. Accessing settings panel
All settings on the DNN side are made through the “ADFS-Pro Authentication” configuration panel. To open that panel, follow the steps below.
Sign in to the DNN website as a “DNN Host”.
Go to the “Extensions” menu, see figure below.
From the extensions category list select ‘Authentication Systems’, then click on the pencil icon next to ‘ADFS-Pro Authentication’, see figure below.
Select the ‘Site Settings’ tab, where the configuration panel with all settings for the ‘ADFS-Pro Authentication’ plugin is located, see figure below.
4.2.2. Creating connection between DNN and AD
In order to set up communication between Active Directory and the DNN website, the “ADFS-Pro Authentication” provider must be given the coordinates of the AD FS.
First go to the provider settings; these steps are described in chapter Accessing settings panel.
Select the Connections tab, then click on the button Create new connection, see figure below for reference. Below is a form where the coordinates taken from AD FS will be entered.
4.2.2.1. Link name
The “Link name” property holds the text of the button that redirects the user from the DNN login page to the AD FS login page.
4.2.2.2. Issuer
The “Issuer” property is the URL address of the security token service (STS), i.e. the login service, to which WS-Federation sign-in and sign-out requests are sent.
The “Issuer” usually consists of two parts. The first part is the AD FS identifier. The second part is adfs/ls/.
The AD FS identifier can be found as shown in the figure below:

In our case “Issuer” will be: https://W-Server12R2.cloudapp.net/adfs/ls/
More information about that property is available here.
4.2.2.3. Issuer Name Registry
“Issuer Name Registry” is a string (usually a URL) that represents the Federation Service. To obtain the “Issuer Name Registry” for AD FS, follow the steps from the figure below:

In our case “Issuer Name Registry” will be: https://W-Server12R2.cloudapp.net/adfs/services/trust
4.2.2.4. Certificate thumbprint
This thumbprint is taken from the “Token-signing” certificate on AD FS. The “ADFS-Pro Authentication” provider accepts only a thumbprint without spaces between the hex pairs. See figures below for reference.

Applied thumbprint without spaces.
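The thumbprint handling described above, as an added example that is not the provider's own code: the Windows certificate dialog shows the thumbprint as spaced hex pairs and commonly prepends an invisible left-to-right mark (U+200E) to the copied value, which is the usual reason a pasted thumbprint is rejected. The snippet normalizes such input into the space-free form the provider expects, recomputes a thumbprint as SHA-1 over the certificate's DER bytes, and compares the two in constant time. SAMPLE_DER_CERT is a constructed byte string, not a real certificate, and the function names are this example's own. One caveat worth keeping in mind: the thumbprint pins a single certificate, so when AD FS rolls its token-signing certificate the configured value must be updated or sign-in stops working.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the DER bytes of an AD FS token-signing
# certificate (not a real certificate); any byte string serves the demo.
SAMPLE_DER_CERT = b"constructed-token-signing-certificate-der-bytes"


def normalize_thumbprint(raw: str) -> str:
    """Convert a thumbprint as copied from the Windows certificate dialog
    into the space-free form the provider expects.

    The dialog shows the value as space-separated hex pairs and often
    prepends an invisible left-to-right mark (U+200E) to the copied text;
    both are dropped here. The result must be 40 hex digits (SHA-1).
    """
    # Keep only letters and digits: spaces, colons and format characters
    # such as U+200E are not alphanumeric and fall away.
    cleaned = "".join(ch for ch in raw if ch.isalnum())
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit SHA-1 thumbprint: {raw!r}")
    return cleaned.upper()


def thumbprint_of(der_bytes: bytes) -> str:
    """SHA-1 over the DER encoding, which is what Windows displays as the
    certificate 'Thumbprint'."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def signing_cert_matches(der_bytes: bytes, configured_thumbprint: str) -> bool:
    """True when the certificate presented with a token is the one pinned
    in the provider settings. A constant-time compare avoids leaking how
    many leading characters matched."""
    return hmac.compare_digest(thumbprint_of(der_bytes),
                               normalize_thumbprint(configured_thumbprint))


if __name__ == "__main__":
    expected = thumbprint_of(SAMPLE_DER_CERT)
    # The form the Windows dialog hands out: spaced pairs, leading U+200E.
    as_copied = "\u200e" + " ".join(expected[i:i + 2] for i in range(0, 40, 2)).lower()
    print("copied  :", repr(as_copied))
    print("applied :", normalize_thumbprint(as_copied))
    print("matches :", signing_cert_matches(SAMPLE_DER_CERT, as_copied))
```

If the pasted value still fails validation after this normalization, the text copied was not the thumbprint but another field of the dialog, or the certificate selected was not the token-signing one.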

4.2.2.5. Realm
“Realm” is an identifier of your DNN application that AD FS uses to know who you are. “Realm” usually has the format of a URL. To obtain the “Realm”, follow the steps from the figure below.

In our case “Realm” will be: https://w-server12r2-vs.cloudapp.net/
4.2.2.6. Home realm
The “Home Realm” is the identity provider (IdP) address, which is usually the AD FS address.
By default “Home Realm” is equal to “Issuer”.
In the WS-Federation sign-in request, the query string parameter whr is set to the “Home Realm”.
In our case “Home Realm” will be: https://W-Server12R2.cloudapp.net/adfs/ls/
4.2.2.7. Audience Uri
“Audience URI” is the address (or a list of addresses) to which the user is sent back after the sign-in process. After sign-in, AD FS sends its message back to the “Audience URI”, which is our DNN website address. This parameter makes sure that the token was really meant for our own DNN web application.
In our case “Audience Uri” will be: https://w-server12r2-vs.cloudapp.net/
4.2.2.8. Authentication Type
The “Authentication Type” property is a URI that identifies the type of authentication that is used.
The value of the “Authentication Type” property is injected into the sign-in request as a query string parameter under the wauth key.
This property is optional and by default should be empty. The allowable types for “Authentication Type” are:
urn:federation:authentication:windows for Windows integrated authentication,
urn:oasis:names:tc:SAML:1.0:am:password, http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod or http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password for user name/password authentication, i.e. Forms,
urn:ietf:rfc:2246 for SSL client authentication.
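How the Issuer, Realm, Home Realm (whr), Authentication Type (wauth) and Audience URI settings of the preceding sections map onto the WS-Federation exchange, as an added example that is not the provider's code: build_signin_url composes the passive sign-in redirect the way the standard wa/wtrealm/whr/wauth/wreply/wctx parameters prescribe, parse_signin_url flattens such a URL back into a dictionary (useful when checking in proxy or IIS logs what was actually sent), and audience_accepted is one way to write the Audience URI check, rejecting a token whose audience names a different relying party. ISSUER, REALM, HOME_REALM and AUDIENCE_URIS reuse the values from this page's example deployment; the function names and the canonicalization rules (case-insensitive scheme and host, trailing slash ignored) are this example's assumptions, not a description of how the provider implements the check.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from this page's example deployment; substitute your own.
ISSUER = "https://W-Server12R2.cloudapp.net/adfs/ls/"
REALM = "https://w-server12r2-vs.cloudapp.net/"
HOME_REALM = ISSUER          # default: Home Realm equals Issuer
AUDIENCE_URIS = [REALM]      # the provider's "Audience Uri" list


def build_signin_url(issuer, realm, home_realm=None, auth_type=None,
                     reply=None, context=None):
    """Compose the WS-Federation passive sign-in request that the browser
    is redirected to.

    wa=wsignin1.0 and wtrealm (the Realm) are always present; whr carries
    the Home Realm, wauth the Authentication Type, wreply the return
    address and wctx opaque state the relying party wants echoed back.
    """
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if home_realm:
        params["whr"] = home_realm
    if auth_type:
        params["wauth"] = auth_type
    if reply:
        params["wreply"] = reply
    if context:
        params["wctx"] = context
    separator = "&" if "?" in issuer else "?"
    return issuer + separator + urlencode(params)


def parse_signin_url(url):
    """Flatten the query string of a sign-in request into a plain dict,
    keeping the first value of each parameter."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _canonical(uri):
    """Lower-case scheme and host and drop the trailing slash, so that
    https://Host/ and https://host compare equal (assumed rule)."""
    parts = urlsplit(uri)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path.rstrip('/')}"


def audience_accepted(token_audience, configured_audiences=AUDIENCE_URIS):
    """The Audience URI check: a token is usable only if the audience AD FS
    put in it names one of the addresses configured for this DNN site.
    A token issued for another relying party is rejected even though the
    same AD FS signed it."""
    allowed = {_canonical(a) for a in configured_audiences}
    return _canonical(token_audience) in allowed


if __name__ == "__main__":
    url = build_signin_url(ISSUER, REALM, home_realm=HOME_REALM,
                           auth_type="urn:federation:authentication:windows")
    print(url)
    print(parse_signin_url(url))
    print(audience_accepted("https://W-SERVER12R2-VS.cloudapp.net"))   # True
    print(audience_accepted("https://other-rp.example/"))              # False
```

Leaving wauth out of the call reproduces the documented default (empty Authentication Type), in which case AD FS picks the authentication method itself.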
4.2.2.9. Passive Redirect Enabled
The “Passive Redirect Enabled” property specifies whether the WS-Federation Authentication Module (WSFAM) automatically redirects unauthorized requests to an STS. This property is optional and by default should have the value “true”, in which case unauthorized requests are automatically redirected.
4.2.2.10. Unique claim
This property tells DNN which claim type should be treated as unique.
This property is optional and by default should be empty or equal to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
4.2.3. Toggle turn ON/OFF provider
The “ADFS-Pro Authentication” provider can be enabled or disabled through its config panel. This is the standard process for each authentication module and must be done for each DNN portal separately. To enable “ADFS-Pro Authentication”, execute the following steps:
First go to the provider settings; these steps are described in chapter Accessing settings panel.
Now click on the here link in the message with the yellow background. See figure below for reference.
The plugin is now enabled; notice the message with the green background in the figure below.