1
00:00:03,070 --> 00:00:07,570
Now let's look at a great resource that provides tools and guidance on AD FS.

2
00:00:08,500 --> 00:00:12,370
Microsoft has a site at adfshelp.microsoft.com.

3
00:00:13,240 --> 00:00:18,280
There are some quick links to tools at the bottom, but let's go up to the top and start with the online

4
00:00:18,280 --> 00:00:18,790
tools.

5
00:00:19,660 --> 00:00:21,580
Let's go to the overview page.

6
00:00:22,450 --> 00:00:26,860
There's a diagnostics analyzer that you can download to your AD FS server.

7
00:00:27,790 --> 00:00:33,910
You run a PowerShell command that runs a series of tests on your AD FS farm and outputs a JSON file

8
00:00:33,910 --> 00:00:36,310
that you can upload to the site and view the results.

9
00:00:37,240 --> 00:00:39,370
I'll be showing you this in the next clip.

10
00:00:40,240 --> 00:00:46,150
Then there's this Claims X-Ray tool that lets you call AD FS using different protocols and see the claims

11
00:00:46,150 --> 00:00:46,960
that are returned.

12
00:00:47,910 --> 00:00:49,220
I'll show you that shortly.

13
00:00:49,230 --> 00:00:54,360
But in the next module, we'll be building our own tool using ASP.NET Core to view claims.

14
00:00:55,260 --> 00:01:00,120
There's a tool to help with troubleshooting the claims rules that get set up when you configure a relying

15
00:01:00,120 --> 00:01:06,240
party trust with Azure AD. We'll be configuring that type of federation later in the course.

16
00:01:07,170 --> 00:01:11,670
Then there's a list of AD FS events for a few different versions of AD FS.

17
00:01:12,630 --> 00:01:16,530
So this website isn't just for AD FS 2019.

18
00:01:17,430 --> 00:01:20,460
There's a tool to decode JWT tokens.

19
00:01:21,330 --> 00:01:26,520
And in the next module, when we examine those tokens, I'll show you another site that lets you do

20
00:01:26,520 --> 00:01:26,710
this.
21
00:01:26,730 --> 00:01:33,420
Also, there's a tool to examine the federation metadata XML document that's published by your AD FS

22
00:01:33,420 --> 00:01:38,790
server and that's used by partner organisations to create trusts, as well as by applications

23
00:01:38,790 --> 00:01:44,040
you're federating with AD FS, in order to get information about the claims published and the certificates

24
00:01:44,040 --> 00:01:45,330
used for token signing.

25
00:01:46,170 --> 00:01:51,750
And at the bottom there's a utility that can help you format claims values in JSON format when you're

26
00:01:51,750 --> 00:01:54,090
configuring your own custom claims rules.

27
00:01:54,990 --> 00:01:58,980
Let's go to the top and take a look at one of these tools, Claims X-Ray.

28
00:01:59,850 --> 00:02:06,660
In order to use this, you need to set up a relying party trust in AD FS for this application that

29
00:02:06,660 --> 00:02:10,980
allows all the redirects to happen and the claims to be returned to this application,

30
00:02:11,100 --> 00:02:15,450
even though you aren't hosting the application itself; it's just running in the browser.

31
00:02:16,370 --> 00:02:21,110
You need to run some PowerShell on your AD FS server to set up the relying party trust.

32
00:02:21,110 --> 00:02:22,790
And I've actually done that already.

33
00:02:23,720 --> 00:02:25,430
So let's go to the next step.

34
00:02:26,310 --> 00:02:31,830
Here you enter the name of your AD FS service, which you should have a DNS entry for already.

35
00:02:32,730 --> 00:02:38,160
Then you choose the authentication method you want to use, and this gets sent as a query string parameter

36
00:02:38,160 --> 00:02:39,900
as part of the sign-in protocol.

37
00:02:40,020 --> 00:02:41,550
Then you choose that protocol.

38
00:02:42,450 --> 00:02:48,180
Depending on the organisation or application you're federating AD FS with, you'll choose the protocol

39
00:02:48,180 --> 00:02:48,930
it supports.
40
00:02:49,830 --> 00:02:51,830
We'll get into this more throughout the course.

41
00:02:51,900 --> 00:02:58,620
But basically these are all open standards, and you choose WS-Fed when integrating with another AD FS server

42
00:02:58,620 --> 00:03:05,140
to federate organisations, you'd use SAML for many third-party web applications like Salesforce

43
00:03:05,160 --> 00:03:07,860
so you can log in through AD FS, and OAuth

44
00:03:07,890 --> 00:03:12,990
2.0 is a web standard used by modern applications for delegated authorisation.

45
00:03:13,830 --> 00:03:18,390
We'll be building an application in the next module that uses OAuth 2.0.

46
00:03:19,230 --> 00:03:23,070
Let's use WS-Fed and click Test Authentication.

47
00:03:23,940 --> 00:03:27,150
That opens another tab where we get redirected to the AD FS

48
00:03:27,150 --> 00:03:30,150
sign-in page running on our AD FS server.

49
00:03:31,060 --> 00:03:36,970
I log in with my credentials and we get authenticated, and the claims returned by AD FS show here.

50
00:03:37,880 --> 00:03:42,710
So if you want a quick way to view claims if you're modifying claims rules in AD FS,

51
00:03:42,920 --> 00:03:44,780
this is a tool to see the results.

52
00:03:45,680 --> 00:03:51,170
There's information about the authentication method, the username, user principal name, and these are

53
00:03:51,170 --> 00:03:53,060
just the default claims returned.

54
00:03:53,960 --> 00:03:58,970
When we get into configuring claims, you'll see how to send different claims like roles and other claims

55
00:03:58,970 --> 00:04:03,740
from Active Directory and even send custom claims stored in a SQL Server database.

56
00:04:04,610 --> 00:04:08,960
There's information here about how long the authentication token is valid for.
57
00:04:09,840 --> 00:04:15,030
There's information about the certificate used to sign the token, and the raw token is at the bottom

58
00:04:15,030 --> 00:04:21,660
in the format that's returned, which depends on the sign-in protocol that was selected. For WS-Fed,

59
00:04:22,230 --> 00:04:25,410
this is the SAML 1.1 token format.

60
00:04:26,280 --> 00:04:31,920
Now let's go back to the Claims X-Ray page and let's choose the OAuth protocol for the token request.

61
00:04:32,820 --> 00:04:38,430
Now we get an error and it says we need to have AD FS published to the Internet in order to use this

62
00:04:38,430 --> 00:04:39,120
protocol.

63
00:04:40,040 --> 00:04:42,830
You'll see how to publish AD FS later in the course

64
00:04:42,830 --> 00:04:48,260
when we install Web Application Proxy, and when we create our own app to view claims, we'll be able

65
00:04:48,260 --> 00:04:50,480
to use OAuth within the test environment.

66
00:04:51,380 --> 00:04:56,510
Now let's go back to the top and look at another tool, the Federation Metadata Explorer.

67
00:04:57,440 --> 00:05:02,180
Let's enter the name of the federation service again and click Get Federation Metadata.

68
00:05:02,360 --> 00:05:04,520
And we have a similar problem here too.

69
00:05:05,360 --> 00:05:10,910
This tool only works when AD FS is published to the Internet through Web Application Proxy.

70
00:05:11,810 --> 00:05:14,540
Chances are you will be publishing your service that way.

71
00:05:14,630 --> 00:05:18,680
But in the demo environment here, we're not able to use some of these tools yet.

72
00:05:19,550 --> 00:05:23,540
Let's move on to the next tab, the Troubleshooting page.

73
00:05:23,660 --> 00:05:27,860
There are a number of common issues listed and links to aid in troubleshooting.

74
00:05:28,730 --> 00:05:30,860
Now let's look at the offline tools.

75
00:05:31,790 --> 00:05:33,290
These are pretty handy.
76
00:05:34,220 --> 00:05:39,410
I mentioned that AD FS Help isn't just intended for AD FS 2019.

77
00:05:40,310 --> 00:05:45,440
So there's a link here to a GitHub project for an adapter that makes a user's password available as

78
00:05:45,440 --> 00:05:49,730
an additional authentication method after another method is used as the primary.

79
00:05:50,610 --> 00:05:58,230
This functionality is actually now built into AD FS 2019, so this link applies to AD FS 2016.

80
00:05:59,100 --> 00:06:03,870
There are some sample projects here to show you how to create custom plugins for the Risk Assessment

81
00:06:03,870 --> 00:06:09,270
Model that lets you run custom code at different stages of the AD FS claims pipeline, and I'll talk

82
00:06:09,270 --> 00:06:11,240
about that later in the course too.

83
00:06:12,090 --> 00:06:16,260
At the bottom here there's a link to the AD FS Rapid Restore Tool.

84
00:06:17,180 --> 00:06:19,610
I'll be showing you that later in this module.

85
00:06:20,510 --> 00:06:21,590
Back up at the top,

86
00:06:21,770 --> 00:06:26,330
there are a couple more links under the Reference tab, and these are just references to the different

87
00:06:26,330 --> 00:06:31,580
events you might find in your logs on the AD FS server, and they're grouped by AD FS version.

88
00:06:32,450 --> 00:06:36,890
There's also a list of error codes related to Azure sign-ins with AD FS.

90
00:06:37,820 --> 00:06:44,270
So AD FS Help is a new tool that provides resources to help you with troubleshooting your AD FS deployment.

91
00:06:45,170 --> 00:06:48,500
Let's look at a couple of these tools in more depth next.