Adxstudio is pre-configured with a Forms-based authentication mechanism built on ASP.NET Identity. The Dynamics 365 entity, Contact, is used to store username and password information. Some organisations have stricter security policies which state that user credentials and business data MUST NOT reside in the same database. The OOTB authentication mechanism is not suitable for such scenarios, and a third-party identity provider must be used, such as Facebook, Azure AD, Google, or Microsoft Account. In this particular instance, the Portal Users are employees who would use their organisation’s AD account to log in to the Portal remotely. We decided to use ADFS as the identity provider. In this part, I’ll discuss the architecture and infrastructure design of the solution. Please note that in this scenario, all employees are required to be licensed users. This organisation elected to purchase Employee Self-Service licences for all remote users.
High Level Architecture
Internal
The internal network includes the Domain Controller, ADFS, SQL Server, and Dynamics 365 Server. This is a standard setup and internal users use their Windows PCs to login to Dynamics 365.
ADFS Server
A Relying Party Trust for Adxstudio Portal is configured in Active Directory Federation Services (ADFS) server.
DMZ
Demilitarised Zone (DMZ) includes a Web Server to host the Adxstudio Portal and server to host Web Application Proxy.
Web Application Proxy (WAP)
Web Application Proxy is configured to translate and pass through the requests to the ADFS server in the Internal network. This is more secure than exposing ADFS directly. For more information, please refer to the article below.
https://technet.microsoft.com/en-us/library/dn486832(v=ws.11).aspx
In the context of AD FS, Web Application Proxy functions as an AD FS federation server proxy. In addition to this, Web Application Proxy provides reverse proxy functionality for web applications inside your corporate network to enable users on any device to access them from outside the corporate network.
Adxstudio
Adxstudio was configured to use ADFS as the Identity Provider.
Authentication Process
The authentication process is a lot more complex than the OOTB Forms Authentication. The diagram below demonstrates the process.
Step 1
Remote User enters the URL of Adxstudio Portal. If the remote user is already authenticated, then the secure page will be visible to the remote user.
Step 2
If the user is not already authenticated, then he/she will be redirected to the ADFS Login Page. But the ADFS Login Page is not directly accessible; the redirect request goes to the Web Application Proxy (WAP).
Step 3
WAP translates the request and passes it through to ADFS server.
Step 4
The ADFS Server processes the request and redirects the user to the ADFS Login Page.
Step 5
WAP translates the request and displays the ADFS Login Page to the remote user.
Step 6
Remote user enters AD credentials in to the ADFS Login Page.
Step 7
WAP translates the request and passes it through to ADFS server.
Step 8
ADFS server authenticates the user against Active Directory and issues a token.
Step 9
Active Directory validates the user.
Step 10
The ADFS server issues an authentication token and redirects the user to the Adxstudio Page.
Step 11
Adxstudio then uses the information sent from ADFS to check if the corresponding Contact record exists in Dynamics 365.
Step 12
Dynamics 365 returns the Contact results to Adxstudio.
Step 13
If the Contact doesn’t exist, or is not configured correctly, Adxstudio will create a new user. Otherwise, the user is authenticated.
Step 14
Remote user is now able to view secure pages.
Important things to note
A user must exist in Active Directory.
If the Contact record is not correctly configured, then a new Contact record will be created. There should be one External Identity record associated with the Contact which includes relevant details of the ADFS server. Adxstudio takes care of this, when the Contact is created for the first time.
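As an added illustration of steps 11 to 13 and the External Identity note above, here is a small model written for this article (not Adxstudio’s own code): the in-memory store, the issuer URL and the claim names are assumptions, and the External Identity record is represented as an (identity provider, username) pair on the Contact.

```python
"""Model of steps 11-13: map the identity asserted by ADFS to a Dynamics 365 Contact.

Constructed, hypothetical in-memory store; not Adxstudio's code. The External Identity
record links a Contact to (identity provider, username) as the page describes."""
from dataclasses import dataclass, field

ADFS_ISSUER = "http://adfs.example.local/adfs/services/trust"  # assumed ADFS issuer


@dataclass
class Contact:
    contact_id: int
    full_name: str
    # External Identity records: (identity provider name, user name)
    external_identities: list = field(default_factory=list)


class ContactStore:
    def __init__(self):
        self.contacts = {}
        self.next_id = 1

    def find_by_external_identity(self, provider, username):
        for c in self.contacts.values():
            if (provider, username) in c.external_identities:
                return c
        return None

    def create(self, full_name, provider, username):
        c = Contact(self.next_id, full_name, [(provider, username)])
        self.contacts[c.contact_id] = c
        self.next_id += 1
        return c


def resolve_portal_user(token_claims, store):
    """Return (contact, created) for a token accepted from ADFS; reject any other issuer."""
    if token_claims["issuer"] != ADFS_ISSUER:
        raise PermissionError("token not issued by the configured ADFS")
    username = token_claims["nameidentifier"]  # stable identifier, not display name or email
    existing = store.find_by_external_identity(ADFS_ISSUER, username)
    if existing is not None:
        return existing, False
    # No Contact carries a matching External Identity record, so a new Contact is
    # created, even if a Contact with the same name exists but is not linked.
    return store.create(token_claims.get("name", username), ADFS_ISSUER, username), True
```

The last case is the one to watch in production: a pre-existing Contact without an External Identity record is not matched, so the portal creates a duplicate rather than linking the existing record.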
In the next parts of the series, I have included detailed walkthroughs of the configuration steps.
[Integration] ADFS as the Identity Provider for Adxstudio – Part 2 – Configure ADFS Server
[Integration] ADFS as the Identity Provider for Adxstudio – Part 3 – Configure Relying Party Trust
[Integration] ADFS as the Identity Provider for Adxstudio – Part 4 – Configure Web Application Proxy
[Integration] ADFS as the Identity Provider for Adxstudio – Part 6 – Configure Adxstudio
Thank you for visiting Dyn365Apps.com.