Q. I'm new to ADFS and am trying to understand the various navigation areas of the ADFS Management application. Can you provide a good reference?
A. Active Directory Federation Services is the Windows in-box federation solution and is a key component of Microsoft's identity solution. It's mandatory for roles such as Web Application Proxy. If you launch the ADFS Management application there are a number of different navigation items, and it can be unclear what role each plays. In this FAQ I will walk through each item. The figure below shows the navigation view.
Service - Endpoints
These are valid URLs from which data can be fetched; the data is returned in XML format. For example, one such endpoint is /adfs/portal/updatepassword which, if enabled, allows a user to change their password when they are using a Workplace Joined machine, have authenticated via ADFS, and their password has expired. Another example is /FederationMetadata/2007-06/FederationMetadata.xml, which returns the federation metadata of the ADFS server so that other services can ascertain the available services, the expected data and so on.
Service - Certificates
One certificate, the Service Communications certificate, is used for communication to ADFS over HTTPS; additional certificates are used for token signing and token decrypting. Multiple sets of token certificates may be present depending on the organizations that are federated with.
Service - Claim Descriptions
This represents the claims that can be used in the tokens.
Trust Relationships - Claims Provider Trusts
These are sources for identity to be used in claims, i.e. "who am I" and various attributes. Active Directory in AD FS 2012 R2 is the only source available for authentication. In addition to authorization there can also be sources for attribute fetching, e.g. maybe an LDAP or SQL source. Consider wanting to fetch an employee number that is not stored in Active Directory. Windows Azure Pack provides a Claims Provider Trust which publishes a UPN.
Trust Relationships - Relying Party Trusts (was once called 'resource providers')
This defines the resources I want to access, i.e. where I want to log in via ADFS. These interactions are verified through certificates. They can be Relying Party Trusts or Non-Claims Relying Party Trusts. Relying Party Trusts leverage claims, whereas Non-Claims Relying Party Trusts are targets that are not claims aware and instead may use integrated authentication, so Kerberos Constrained Delegation handles the authentication instead of claims.
One useful option here is Monitoring: when it is enabled, changes are detected automatically. For example, if the certificate was changed, this would automatically be picked up and used.
Trust Relationships - Attribute Stores
These are sources for additional attributes that could not be retrieved from the identity sources.
Authentication Policies - Global
This contains global policies for the system covering the types of authentication allowed from the Extranet (i.e. the request came via Web Application Proxy, which sets the insidecorporatenetwork claim to false) and the types of authentication allowed on the Intranet (i.e. the request did not come via Web Application Proxy). It also enables configuration of how Workplace Joined machines are treated and how certificates can be used. The use of Multi-Factor Authentication can also be configured here.
Authentication Policies - Per Relying Party Trust
Enables policies to be set that override the global policies for specific relying party trusts.
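The same areas can be inspected from the ADFS PowerShell module instead of clicking through the console. The script below is an added, read-only audit example (not part of the original FAQ) that assumes it is run in an elevated PowerShell on an ADFS 2012 R2 server; the 30-day certificate expiry window is an arbitrary choice.

```powershell
# Added example: read-only audit of the ADFS Management areas described above.
# Assumes an elevated PowerShell on the ADFS server with the ADFS module available.
Import-Module ADFS

# Service - Endpoints: which endpoints are enabled, and which are also published
# through the Web Application Proxy (the Proxy flag).
Write-Host "== Enabled endpoints published via the proxy =="
Get-AdfsEndpoint | Where-Object { $_.Enabled -and $_.Proxy } |
    Select-Object AddressPath, Protocol | Format-Table -AutoSize

$pw = Get-AdfsEndpoint -AddressPath '/adfs/portal/updatepassword'
Write-Host ("Password-update endpoint enabled: {0}" -f $pw.Enabled)

# Service - Certificates: service communications, token-signing and
# token-decrypting certificates with their expiry, so a lapse is caught early.
Write-Host "`n== Certificates =="
Get-AdfsCertificate |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

$soon = (Get-Date).AddDays(30)   # assumed warning window
Get-AdfsCertificate | Where-Object { $_.Certificate.NotAfter -lt $soon } |
    ForEach-Object {
        Write-Warning "$($_.CertificateType) $($_.Thumbprint) expires $($_.Certificate.NotAfter)"
    }

# Trust Relationships - Relying Party Trusts: which trusts have Monitoring on,
# so partner certificate changes are picked up automatically.
Write-Host "`n== Relying party trusts =="
Get-AdfsRelyingPartyTrust |
    Select-Object Name, Identifier, MonitoringEnabled, AutoUpdateEnabled |
    Format-Table -AutoSize

# Authentication Policies - Global: intranet vs extranet primary methods,
# device (Workplace Join) authentication and the global MFA rule.
Write-Host "`n== Global authentication policy =="
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider,
        PrimaryExtranetAuthenticationProvider, AdditionalAuthenticationProvider,
        DeviceAuthenticationEnabled | Format-List
Write-Host "Global MFA rule:"
Get-AdfsAdditionalAuthenticationRule
```

Per-relying-party overrides of the global policy are visible on each trust returned by Get-AdfsRelyingPartyTrust (for example its AdditionalAuthenticationRules property).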