It was a very informative tutorial, thanks a lot.
Few things I am highlighting:
1. Very good communication (clear, concise and grammatically correct).
2. Deck animation is very good.
3. Not in a hurry to blabber more and more information in less time.
4. Contents and lab demos are awesome.
5. Before starting a new video, you give a recap of the previous videos, which kinda helps me in recollecting what I learnt in them.
Yes, you are right... in short, simply awesome.
I really appreciate how you teach: speaking slow and repeating work flows. Super helpful!
Glad it was helpful!
Your videos saved me in 2017, now in 2024 they saved me again. Thank you so much!
Amazing series and you are a great teacher. Helped me understand the AD FS concepts quickly.
This channel deserves an audience.
Glad you think so!
Hello Sir,
Hope this message finds you well.
Thank you for your kind help and support. All the training videos are too good for us and help us in our work.
We would request you to please provide us with the "Active Directory Certificate Services" playlist, as it was promised by you in one of your training videos.
If possible, please provide us with that playlist.
Thank you.
May God always bless you.
Thank you, Sahil, for watching our content. ADCS is parked for now; we are completely focused on Microsoft's security products.
Awesome video!! Are you going to do the Authorization rules video soon?? thanks !!
Clearly explained, please make videos on ADCS.
You seem to be going faster and faster in your speech and mouse movements. Please slow down to your original speed, sir. Overall this is very well presented, clear and concise.
Will focus now on our new videos, thank you for the feedback..!
Much Appreciated.
Great explanation. I would like to confirm here: is there any trust configured already between both the domains?
No, there is no trust between the two Active Directories.
Will we still need 2 ADFS servers if there is a forest-level trust configured between the domains? Will my ADFS1 then be able to query the user object from the second domain, or should it still go via app-adfs1-adfs2-ad2?
What's the role of the token encryption certificate here? I understand that this certificate is needed if you have a claims provider that is ADFS; then the token sent by the account partner's claims provider trust is encrypted with the private key of the token encryption cert, and using the public key of the same cert it is decrypted by the other ADFS before being sent to the application.
Hi, I need your help to set up OAuth + ADFS; we are not getting claims.
Hello Concepts Work, the series was very useful.
Is there any way that we can download the presentation?
Great work... the explanation of each terminology and concept is from ground level.
Anyone without any computer background can understand very easily.
Keep up the good work @concepts work
Thanks, dear, for such a video; it's great content.
Hi, thanks for the video. At the end of the video you have added claims in the claim provider trust by copying the query from AD. Can we add a claim by adding an attribute like we did at the time of configuration of the RP?
Nice job, sir!
Thank you for your clear video.
Is it possible to use non-Active Directory and ADFS for authentication?
I want to log in to my Dynamics CRM on-premises, but users are in another Identity Server.
Can you help me with configuring this?
Very clear explanation and helpful content. Gracias y saludos!
Glad it was helpful!
Great video. Very clear explanations. Thank you very much for your posts!!!
Glad it was helpful!
I really appreciate your help. I was looking for an ADFS explanation, and I trust I will not find something clearer and more to the point than this series.
I have a question, if you allow me to ask: could you please explain the use of each of the following certificates
1) Service communications
2) Token-decrypting
3) Token-signing
And which one is used in each step of accessing the Application starting from hitting the Application URL until accessing is permitted?
There is a dedicated video explaining the purpose of each cert in this playlist itself.
@ConceptsWork
I studied all the playlist; which one please? And thanks for replying.
17:24 why did you select "Send LDAP attributes as claims" and later edit it using the claims language? Is this done incorrectly?
No, there is nothing wrong; in both the scenarios the claim rules are created for different entities. At 17:24 the rule is created for the relying party, whereas later the rule is created at the claim provider trust.
The rule created at the end will enforce the query of claims in the token.
@ConceptsWork I'll check again
Hello,
Thank you again for the videos on ADFS concepts.
I have browsed through all the videos you have uploaded, but am unable to find a video on "Claims Language".
Request you to create a video on it; except for "Send LDAP" and "Custom claims", I have not understood what the other kinds of claim rule templates do.
If not a video, please point me toward any public documents which can help me understand the claims rules properly.
Thank you.
Will upload soon
Great job, bro. The best thing about this series is its simplicity. However, I do have a question.
Is this video true only for on-prem applications? Because I am guessing if there is an app which is publicly available, we shouldn't be doing redirects from one ADFS to another. It should just be adding the Federation.xml of Identity Cloud in the application so that it could directly redirect the auth request to the ADFS of Identity Cloud.
PS: Correct me if I am wrong.
Completely agreed with you.
It all depends upon the authentication flow, that you want to achieve.
Some organizations develop applications and then provide them as a service, wherein their own application is protected by ADFS.
This can lead to multiple use cases; likewise, for every customer the application must have a different instance.
The core agenda for this video was to showcase, how the authentication process is executed between two ADFS servers.
Feel free to reach us, for any other query.
Thanks..!!
@ConceptsWork I love your videos and I spend most of my study time with your videos. Just to reiterate Aqib Munshi's point for this account & resource organization scenario, can't this be achieved by adding the Federation.xml of Identity Cloud in the application and then adding an RP trust at the Identity Cloud ADFS? So that it could directly redirect the auth request to the ADFS of Identity Cloud as usual?
Awesome sir..
Awesome Video
Nice content! How to limit the set of users from the account forest that can access the application at the application level? In that case, do we need to create matching guest identities in the resource AD or in the application DB?
We can create a custom claim rule in ADFS which will check the DN of the user against the matching domain name and only allow access for a specific domain.
For example, only users existing in contoso.com should be able to access a particular application.
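As an added example (not the channel's code), this is one way to implement that restriction on the resource-side ADFS: an issuance authorization rule on the relying party trust that permits only users whose UPN suffix is the allowed domain. It uses the UPN claim instead of the DN, and the trust name, the domain suffix and the assumption that the UPN claim is passed through from the claim provider trust are all mine.

```powershell
# Added example (not the channel's code): restrict a relying party to users of one
# domain with an issuance authorization rule. Trust name and suffix are placeholders.
$RpName = 'App2'          # display name of the relying party trust (placeholder)
$Suffix = 'contoso.com'   # only users with this UPN suffix may receive a token

# Claim rule language: a permit claim is issued only when the UPN suffix matches.
# ADFS denies access whenever no permit claim is issued, so no explicit deny is needed.
# [regex]::Escape turns "contoso.com" into "contoso\.com"; `$ keeps the end anchor literal.
$Rules = @"
@RuleName = "Permit only $Suffix users"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "(?i)@$([regex]::Escape($Suffix))`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# The UPN has to reach this rule: in the two-ADFS lab, the claim provider trust for
# the account partner needs a pass-through rule for the UPN claim type.
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules $Rules

# Read the rule set back to confirm what is now enforced for this application.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceAuthorizationRules
```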
I have a doubt about the ADFS role. In the organisation we maintain different applications and each application has a different URL; how will three or more application URLs be managed with a single ADFS server?
Please explain if my question is wrong.
ADFS is not managing any application URL. Please elaborate your exact doubt.
I would like to ask about ADFS. We have an ADFS 3.0 server that connects to Office 365. I have other apps now that I need to federate. I would like to know: can I use the same ADFS server to federate these other applications, or do you have to have a separate server for each application? I would assume you can use a single server; however, most documentation only talks about single-app scenarios.
Hi sir,
I have a query w.r.t. CPT.
Domain 1: ADFS 1, User1
Domain 2: ADFS 2, App (the app is hosted in domain 2)
So when User1 needs to access APP2, we need to add ADFS 1 as a CPT in ADFS2, as we need the APP's ADFS2 to contact ADFS1; then ADFS1 contacts its AD to issue the token, which is sent to the application.
So in this case we need to add APP2 as a Relying Party in ADFS1.
When we are configuring a CPT, we need to add ADFS as a CPT in Domain 2 and the App as an RPT in Domain 1.
It is always a combo of RPT + CPT.
Is my understanding correct?
No.
ADFS2 will be the relying party in ADFS 1.
App will send an auth request to ADFS 2 --> ADFS2 will route the request to ADFS 1 --> ADFS1 will contact AD --> ADFS 1 will provide a token to ADFS 2 --> which will be consumed by ADFS 2 --> and a new token will be provided to the App (which will be generated by ADFS 2).
Hi, first of all thank you for this tutorial, but I am not able to sign in to the IdP-initiated sign-on page. Checked that all services are running. The DNS service is up and running. Can you please help with how I can remediate this?
If you are using 2016 or above, please check from Get-AdfsProperties if IdP-initiated sign-on is enabled.
learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-initiatedsignon#enable-the-idp-initiated-sign-on-page
good job
Great, thanks a lot!!!
First of all, thank you so much for this video series.
I am following the same configuration in my home lab, but while adding a Claim provider trust through the .XML file, I am getting the error "An error occurred during an attempt to read the federation metadata. Verify that the specific URL or host name is a valid federation metadata endpoint."
Please suggest.
Thanks in advance.
Your machine should be able to access the link; try accessing the link from the browser and see if it works or not.
@ConceptsWork Yes, that is accessible.
@ConceptsWork Do I need to create the forest trust in both domains, or need to configure a DNS forwarder? Actually it should not be, if we have configured ADFS...
DNS forwarder is not required if you can access the federation metadata. Try manually populating the details.
@ConceptsWork Kudos, it worked perfectly, thanks a lot 🤝☺️
very very good!
Great videos, what is your twitter handle?
It's not working; it says it can't find the page. Please help.
What is not working?
Nice video. I have been following this ADFS series; when I tried the demo I am getting an error when I try to connect to adfs.identityclouds.com from adfs.conceptwork.com. When I try to click Identity Cloud sign-on, it shows "this site can't be reached, identity cloud.com server IP address could not be found". Could you please assist me with anything that needs to be configured? Awaiting your reply.
You have to make sure both the servers can resolve each other; if you are not able to reach one, it can be a DNS issue.
@ConceptsWork Thanks for the info, I solved the issue. Thanks for your quick reply.
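The three lab failures discussed in these replies (IdP-initiated sign-on disabled, federation metadata not readable, partner host not resolving) can be checked in one pass from the resource-side ADFS server. This is an added example, not the channel's code; the partner host name is a placeholder, and the metadata path is the standard ADFS one.

```powershell
# Added example (not the channel's code): checks for the lab failures discussed above,
# run from the resource-side ADFS server. Host name is a placeholder for the lab.
$PartnerHost = 'adfs.identityclouds.com'   # account partner ADFS (placeholder)
$MetadataUrl = "https://$PartnerHost/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. Name resolution: "server IP address could not be found" means this step fails.
try {
    $ips = (Resolve-DnsName -Name $PartnerHost -Type A -ErrorAction Stop).IPAddress
    "DNS   : $PartnerHost -> $($ips -join ', ')"
} catch {
    "DNS   : cannot resolve $PartnerHost (add a host record or a conditional forwarder)"
}

# 2. Federation metadata: the claim provider trust wizard downloads this document,
#    so "unable to read the federation metadata" means this step fails.
if (Test-NetConnection -ComputerName $PartnerHost -Port 443 -InformationLevel Quiet) {
    try {
        $resp = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing -ErrorAction Stop
        $xml  = [xml]$resp.Content
        "META  : entityID = $($xml.EntityDescriptor.entityID)"
    } catch {
        "META  : 443 open but download failed: $($_.Exception.Message) (cert trust? proxy?)"
    }
} else {
    "META  : TCP 443 to $PartnerHost is blocked"
}

# 3. IdP-initiated sign-on page: disabled by default on ADFS 2016 and later.
$props = Get-AdfsProperties
"IDPSSO: EnableIdpInitiatedSignonPage = $($props.EnableIdpInitiatedSignonPage)"
if (-not $props.EnableIdpInitiatedSignonPage) {
    # Enable it only if the lab really uses /adfs/ls/idpinitiatedsignon.
    'IDPSSO: to enable, run  Set-AdfsProperties -EnableIdpInitiatedSignonPage $true'
}
```

Run it in an elevated PowerShell session on the ADFS server so that the ADFS cmdlets are available.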
Hi sir I am waiting for your valuable reply