Configuring ADFS and Graph integration
With ADFS selected as the identity provider, identities from an existing Active Directory forest can authenticate to resources in Azure Stack Hub. The existing forest needs its own deployment of ADFS instances so that an ADFS federation trust can be created.
Authentication is only one part of identity. To manage RBAC in Azure Stack Hub, the Graph component must also be configured. Graph looks up the user account in the existing Active Directory forest when access to a resource is delegated, and it does this over the LDAP protocol.
The existing ADFS is the account Security Token Service (STS), which sends the claims to Azure Stack Hub ADFS (that is, the resource STS). Automation in Azure Stack Hub creates the claims provider trust with the metadata endpoint for the existing ADFS.
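As an added example (not part of this page or of Microsoft's own documentation), the following PowerShell checks the two prerequisites the text describes from an operator workstation and then runs both registrations through the Azure Stack Hub privileged endpoint: it confirms the forest's Global Catalog answers on the LDAP ports Graph will use, fetches and parses the existing ADFS federation metadata to show the account STS entityID and token-signing certificate, and then registers the directory service and the custom ADFS. The forest name, metadata URL, privileged endpoint address, trust name and the 3268/3269 port pair are assumptions; `Register-DirectoryService` and `Register-CustomAdfs` are the privileged endpoint's own cmdlets, and their parameters should be confirmed against the cmdlet help for your Azure Stack Hub version. The relying party trust that the existing ADFS needs in return is a separate step on that ADFS farm and is not shown here.

```powershell
# Added example; not the page's own script. Names, addresses and the trust name are assumptions.
# Run from an operator workstation that can reach the existing forest's Global Catalog,
# the existing ADFS metadata endpoint, and the Azure Stack Hub privileged endpoint (PEP).

$forestFqdn  = 'contoso.com'                                                                 # assumed forest root
$metadataUri = 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'  # assumed existing ADFS
$pepAddress  = '192.168.200.225'                                                             # assumed PEP (ERCS) address
$trustName   = 'Contoso'                                                                     # assumed claims provider trust name

# --- 1. Graph prerequisite: the account lookup is LDAP against the forest's Global Catalog. ---
# Locate the GC servers the forest advertises and confirm the GC ports answer from here.
# Which of 3268 (LDAP) / 3269 (LDAPS) the deployment will use is an assumption; both are checked.
$gcSrv = Resolve-DnsName -Name "_gc._tcp.$forestFqdn" -Type SRV -ErrorAction Stop |
         Where-Object { $_.Type -eq 'SRV' }
foreach ($rec in $gcSrv) {
    foreach ($port in 3268, 3269) {
        $t = Test-NetConnection -ComputerName $rec.NameTarget -Port $port -WarningAction SilentlyContinue
        '{0,-30} tcp/{1} {2}' -f $rec.NameTarget, $port, ($(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }))
    }
}

# --- 2. ADFS prerequisite: the claims provider trust is built from the federation metadata endpoint. ---
# Invoke-WebRequest rejects an untrusted TLS certificate by default, which is the behaviour we want:
# Azure Stack Hub must be able to fetch this document over a certificate it trusts.
$resp = Invoke-WebRequest -Uri $metadataUri -UseBasicParsing -ErrorAction Stop
[xml]$md = $resp.Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$entityId   = $md.DocumentElement.GetAttribute('entityID')
$signingB64 = $md.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns) |
              Select-Object -First 1 -ExpandProperty InnerText
$signingCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                   [Convert]::FromBase64String($signingB64.Trim()))
"account STS entityID : $entityId"
"token-signing cert   : $($signingCert.Subject)  thumbprint $($signingCert.Thumbprint)  valid to $($signingCert.NotAfter)"
# Compare the thumbprint with the one the ADFS team reports out of band; a mismatch means you are
# not talking to the ADFS you think you are, or the metadata document is stale.

# --- 3. Register both integrations through the privileged endpoint. ---
$pepCred = Get-Credential -Message 'CloudAdmin credential for the privileged endpoint'
$pep = New-PSSession -ComputerName $pepAddress -ConfigurationName PrivilegedEndpoint -Credential $pepCred
try {
    # Graph: point the directory service at the forest so RBAC lookups can resolve users and groups.
    Invoke-Command -Session $pep -ScriptBlock {
        Register-DirectoryService -CustomADGlobalCatalog $using:forestFqdn
    }
    # ADFS: creates the claims provider trust from the existing ADFS metadata endpoint.
    Invoke-Command -Session $pep -ScriptBlock {
        Register-CustomAdfs -CustomAdfsName $using:trustName -CustomADFSFederationMetadataEndpointUri $using:metadataUri
    }
}
finally {
    Remove-PSSession $pep
}
```

The two pre-checks fail fast on the conditions that most often break this integration in practice: a firewall that does not pass Global Catalog traffic from the Azure Stack Hub infrastructure network, and a metadata endpoint served with a certificate the Hub does not trust. Printing the entityID and signing-certificate thumbprint gives the operator something concrete to compare against what the owners of the existing ADFS farm expect, before any trust is created.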
A relying party trust must...