Summary of steps necessary to implement ADFS
- We need to build a server for the ADFS role (and add it to the domain).
- We need to import an SSL certificate on the ADFS server.
- We must install and configure ADFS itself.
- We must configure Office 365 for federated authentication.
Comments on the ADFS server(s)
But even this is not a complete solution.
ADFS uses four certificates:
- A certificate for communications between clients (users) and ADFS servers
- A "service communications" certificate to secure traffic between federation servers (our ADFS servers and the Office 365 ADFS servers, for example).
- A "token-decrypting" certificate
- A "token-signing" certificate
In a previous blog post, I provided some directions about the procedure with the vendor "Certificates for Exchange".
Installing a third-party certificate on Exchange (2007 - SP3)
At this point, I will make the assumption that you have obtained a certificate signed by the certificate authority of your choice and have downloaded it to the server on which you created the request file. In some cases, this involves extracting the certificate from a compressed file, often a .zip file, that sometimes includes additional certificates called intermediate certificates. These certificates (if they are provided) must be installed as well.
In my case, there are two intermediate certificates. However, since I only really need them installed on the ADFS server, I will demonstrate that later. For the time being, I will install and then export the requested certificate on the server with IIS so it can be imported on the ADFS server.
Note: I will only summarize the steps that follow, without necessarily inserting a screenshot for each action.
First, we return to the IIS management console where we created the certificate request but now we click on "Complete Certificate Request" in the Actions pane. Follow the prompts. Essentially, you will be asked to navigate to the location where you downloaded the certificate and then install it:
As soon as the certificate is installed, we will export it. As shown below, click on the certificate itself and then select "Export" in the Actions pane:
Now we are almost ready to import the (exported) certificate to the ADFS server.
First, we may (or may not) have to import an "intermediate certificate". I prefer to explain this process somewhat quickly because details may differ between vendors, assuming once again you have to import such a certificate at all.
In my case, the intermediate certificates were included in the .zip file downloaded from the vendor's website. I extracted these certificates to a folder on the IIS server, installed and then exported them. Next, I copied them to a folder on the ADFS server. In the screenshots below, I open the Certificates MMC (for the "Local Computer" - not "User") and navigate to that folder (yes, on the ADFS server).
Note: such an MMC does not exist by default in Administrative Tools; you have to open a fresh MMC (enter mmc in "Run") and add the Certificates snap-in, for the Local Computer once again.
So once we have opened the MMC, navigate to the location indicated below and select "Import". Then follow the prompts to import the intermediate certificate.
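The same export, import and chain check done from PowerShell instead of the IIS and MMC consoles, as an added example that is not part of the original post. It assumes Windows Server 2012 or later (the PKI module cmdlets), that the intermediate certificates were saved as .cer files, and the paths, subject name and file names are placeholders for your own.

```powershell
# Added example (not from the original post): export the issued certificate from the IIS server,
# then on the ADFS server import the intermediates and the PFX and verify the chain builds.
# Assumes Windows Server 2012+ (PKI module). Paths and the subject name are placeholders.

# --- On the IIS server where the certificate request was completed ---
# Find the issued certificate (with its private key) in the Local Computer "Personal" store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=adfs.example.com*' -and $_.HasPrivateKey }
if (-not $cert) { throw 'Certificate with private key not found in LocalMachine\My.' }

# Export it together with the private key as a PFX; the password protects the key in transit.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath 'C:\Certs\adfs.pfx' -Password $pfxPassword | Out-Null

# --- On the ADFS server, after copying C:\Certs\* across ---
# Import each intermediate into "Intermediate Certification Authorities" (Cert:\LocalMachine\CA).
Get-ChildItem 'C:\Certs\intermediate*.cer' | ForEach-Object {
    Import-Certificate -FilePath $_.FullName -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
}

# Import the PFX into the Local Computer "Personal" store (add -Exportable only if you
# will need to export it again from this server).
$imported = Import-PfxCertificate -FilePath 'C:\Certs\adfs.pfx' `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Verify: the private key came along, and the chain builds up to a trusted root.
# Test-Certificate returns $false when an intermediate certificate is missing.
if (-not $imported.HasPrivateKey) { throw 'Imported certificate has no private key.' }
$chainOk = Test-Certificate -Cert $imported -Policy SSL -ErrorAction SilentlyContinue
if (-not $chainOk) { throw 'Certificate chain does not build; check the intermediate certificates.' }
Write-Host "OK: $($imported.Thumbprint) is installed with a complete chain."
```

Run the first half on the IIS server and the second half on the ADFS server; the chain check is the step that catches a forgotten intermediate certificate before ADFS is configured to use the certificate.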