Avi Vantage Integration with Microsoft Active Directory Federation Services (ADFS)

An Avi virtual service’s ability to act as a service provider is key to support of Security Assertion Markup Language (SAML), starting with release 18.2.2. To fulfill this role, the Avi virtual service sends authentication requests to an identity provider (IDP), responses from which govern user access to back-end applications running in Avi pools. Multiple third-party integrations have been implemented by Avi Networks to give customers a choice of IDP. This article outlines the steps necessary to enable ADFS as IDP.

Avi as SP and ADFS as IDP

ADFS configuration step

Prerequisite Steps

  1. Set up the ADFS server and the service account for it.
  2. Ensure the SSL certificate has been installed and that the server is accessible over HTTPS, with an FQDN name the same as the CN in the certificate.

Note: Read this document to understand some key ADFS terms for ADFS. Follow the instructions in this document to configure the ADFS server.

  1. Test your ADFS server by following this URI: https://<adfs_fqdn>/adfs/fs/federationserverservice.asmx
    It should render the output as shown in the image below.

    ADFS configuration step

Configuring ADFS As IDP

  1. Open the ADFS management console.
  2. Under Trust Relationships, right click on Relying party trusts and select Add Relying Party Trust.

    ADFS configuration step

  3. The Add Relying Party Trust Wizard will open; click on Start.

    ADFS configuration step

  4. Select the Enter data about the relying party manually option and click on Next.

    ADFS configuration step

  5. On the next screen, provide Display Name and click on Next.
  6. Select the AD FS profile option and click on Next.

    ADFS configuration step

  7. Click on Next on Configure Certificate tab.

  8. On the Configure URL screen, select Enable support for the SAML 2.0 WebSSO protocol and enter the SP URL as shown below. This should match the SSO URL on SP.

    ADFS configuration step

  9. Enter the Relying party trust identifier. It should be same as the entity ID on your SP.

    ADFS configuration step

  10. Choose the first option as shown below and click on Next.

    ADFS configuration step

  11. Select the Permit all users to access this relying party option and click on Next.

    ADFS configuration step

  12. Click on Next on Ready to Trust tab.

  13. Click on Close.

    ADFS configuration step

  14. The Edit Claim Rules wizard will appear. Click on Add Rule.

    ADFS configuration step
  15. Make a selection from the Claim rule template pulldown and and click on Next.

    ADFS configuration step

  16. On the Configure Claim Rule screen, add the name, choose the Attribute store and add the mapping of required attributes as shown in the screenshot below.

    ADFS configuration step
  17. Click on OK. Click on Apply and click on OK again.
  18. Right click on App name and select Properties from the pulldown menu.

    ADFS configuration step

  19. Select the Endpoints tab and add the SSO URL as shown in the screenshot below. This should match the SSO URL on SP.

    ADFS configuration step

Check the Identifier to make sure it is correct and match the Entity ID. Now your IDP is ready.

Metadata can be downloaded from this link:

https://<adfs_fqdn>/FederationMetadata/2007-06/FederationMetadata.xml

Once configuration is complete on ADFS, configure an Avi virtual service to act as service provider by following the instructions given in the SAML Configuration on Avi Vantage article.