From f6673e0e2254211d8cbe70218d05e202d9361f73 Mon Sep 17 00:00:00 2001 From: Kelly Gremban Date: Thu, 3 Aug 2017 14:52:42 -0700 Subject: [PATCH] proxy servers and claims aware --- ...ory-application-proxy-claims-aware-apps.md | 27 ++++++++++++------- ...cation-proxy-working-with-proxy-servers.md | 15 +++-------- 2 files changed, 22 insertions(+), 20 deletions(-) diff --git a/articles/active-directory/active-directory-application-proxy-claims-aware-apps.md b/articles/active-directory/active-directory-application-proxy-claims-aware-apps.md index 9ed27a543895b..2bbfbf17f9002 100644 --- a/articles/active-directory/active-directory-application-proxy-claims-aware-apps.md +++ b/articles/active-directory/active-directory-application-proxy-claims-aware-apps.md 
@@ -13,23 +13,32 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 05/03/2017 +ms.date: 08/04/2017 ms.author: kgremban --- # Working with claims aware apps in Application Proxy -Claims aware apps perform a redirection to the Security Token Service (STS), which in turn requests credentials from the user in exchange for a token before redirecting the user to the application. To enable Application Proxy to work with these redirects, the following steps need to be taken. +Claims aware apps perform a redirection to the Security Token Service (STS), which in turn requests credentials from the user in exchange for a token before redirecting the user to the application. There are a few ways to enable Application Proxy to work with these redirects. Use this article to configure your deployment for claims aware apps. ## Prerequisites -Before performing this procedure, make sure that the STS the claims aware app redirects to is available outside of your on-premises network. +Before performing this procedure, make sure that the STS the claims aware app redirects to is available outside of your on-premises network. This redirection can be done by exposing the STS through a proxy or by allowing outside connections. -## Azure classic portal configuration -1. Publish your application according to the instructions described in [Publish applications with Application Proxy](active-directory-application-proxy-publish.md). -2. In the list of applications, select the claims aware app and click **Configure**. -3. If you chose **Passthrough** as your **Preauthentication Method**, make sure to select **HTTPS** as your **External URL** scheme. -4. If you chose **Azure Active Directory** as your **Preauthentication Method**, select **None** as your **Internal Authentication Method**. +## Publish your application + +1. 
Publish your application according to the instructions described in [Publish applications with Application Proxy](active-directory-application-proxy-publish-azure-portal.md). +2. Navigate to the application page in the portal and select **Single sign-on**. +3. If you chose **Azure Active Directory** as your **Preauthentication Method**, select **Azure AD single sign-on disabled** as your **Internal Authentication Method**. If you chose **Passthrough** as your **Preauthentication Method**, you don't need to change anything. + +## Configure ADFS + +You can configure ADFS for claims aware apps in one of two ways. The first is by using custom domains. The second is with WS-Federation. + +### Option 1: Custom domains + +If you are able to [use custom domains](active-directory-application-proxy-custom-domains.md) for your application, and all the URLs for the applications are FQDNs, then you don't need to do any additional configuration. Ensure that your interanl and external URLs are the same for the scenario to work. + +### Option 2: WS-Federation -## ADFS configuration 1. Open ADFS Management. 2. Go to **Relying Party Trusts**, right-click on the app you are publishing with Application Proxy, and choose **Properties**. diff --git a/articles/active-directory/application-proxy-working-with-proxy-servers.md b/articles/active-directory/application-proxy-working-with-proxy-servers.md index d2cce21a3a89c..5c4780cbc8850 100644 --- a/articles/active-directory/application-proxy-working-with-proxy-servers.md +++ b/articles/active-directory/application-proxy-working-with-proxy-servers.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 05/22/2017 +ms.date: 08/04/2017 ms.author: kgremban --- 
@@ -121,14 +121,10 @@ For initial registration, allow access to the following endpoints: * login.windows.net * login.microsoftonline.com -The underlying Service Bus control channels that the connector service uses also require connectivity to specific IP addresses. Until Service Bus moves to an FQDN instead, there are two options: +If you can't allow connectivity by FQDN and need to specify IP ranges instead, use these options: * Allow the connector outbound access to all destinations. -* Allow the connector outbound access to [Azure datacenter IP ranges](https://www.microsoft.com/en-gb/download/details.aspx?id=41653). - ->[!NOTE] ->The challenge with using the list of Azure datacenter IP ranges is that it's updated weekly. You will need to put a process in place to ensure that your access rules are updated accordingly. -> +* Allow the connector outbound access to [Azure datacenter IP ranges](https://www.microsoft.com/en-gb/download/details.aspx?id=41653). The challenge with using the list of Azure datacenter IP ranges is that it's updated weekly. You will need to put a process in place to ensure that your access rules are updated accordingly. #### Proxy authentication 
@@ -136,13 +132,10 @@ Proxy authentication is not currently supported. Our current recommendation is t #### Proxy ports -The connector makes outbound SSL-based connections by using the CONNECT method. This method essentially sets up a tunnel through the outbound proxy. Some proxy servers, by default, allow outbound tunneling to only standard SSL ports such as 443. If this is the case, the proxy server must be configured to allow tunneling to additional ports. - -Configure the proxy server to allow tunneling to nonstandard SSL ports 8080, 9090, 9091, and 10100-10120. +The connector makes outbound SSL-based connections by using the CONNECT method. This method essentially sets up a tunnel through the outbound proxy. Configure the proxy server to allow tunneling to ports 443 and 80. >[!NOTE] >When Service Bus runs over HTTPS, it uses port 443. However, by default, Service Bus attempts direct TCP connections and falls back to HTTPS only if direct connectivity fails. -> To ensure that the Service Bus traffic is also sent through the outbound proxy server, ensure that the connector cannot directly connect to the Azure services for ports 9350, 9352, and 5671.
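Review bot: In the claims-aware-apps hunk (@@ -13,23 +13,32 @@), the new step 3 drops the old requirement that a **Passthrough** preauthentication deployment use **HTTPS** as the **External URL** scheme, replacing it with "you don't need to change anything"; since the claims redirect carries the STS-issued token through that external URL, restore the HTTPS requirement unless it is no longer enforced. Two smaller points in the same hunk: "interanl" under Option 1 should read "internal", and the prerequisites sentence "by exposing the STS through a proxy or by allowing outside connections" should say what kind of outside connection is meant (a published reverse-proxy endpoint versus opening inbound access to the STS), since the reader is being told to expose an authentication endpoint. Also confirm that the new link target active-directory-application-proxy-publish-azure-portal.md exists in the repo.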
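Review bot: In the IP-ranges hunk (@@ -121,14 +121,10 @@), the bullet list now leads with "Allow the connector outbound access to all destinations" without qualifying it as the least restrictive choice; reorder so the [Azure datacenter IP ranges] option comes first, or add a clause that the all-destinations option should only be used where the weekly-updated IP list cannot be maintained. Dropping the Service Bus control-channel sentence also removes the reader's only explanation of why FQDN allow-listing may not be sufficient; consider keeping a short version of it in the new lead-in. Minor: the download link is locale-specific (en-gb); use a locale-neutral URL if one is available.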
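Review bot: In the proxy-ports hunk (@@ -136,13 +132,10 @@), removing the empty quoted line `->` leaves "To ensure that the Service Bus traffic is also sent through the outbound proxy server, ..." directly after the NOTE's last quoted line, so it will render as a lazy continuation inside the callout; replace the removed line with a plain blank line to terminate the blockquote. On content, the port list changes from "8080, 9090, 9091, and 10100-10120" to "443 and 80" while the NOTE still instructs blocking direct connections on 9350, 9352, and 5671; confirm that the two statements are consistent after this change, and confirm that port 80 is actually reached via CONNECT tunneling (the sentence it is attached to describes SSL-based CONNECT) rather than plain HTTP, so the proxy rule is not broader than needed.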