
configuring ADFS relying party

Philip Durbin edited this page Dec 2, 2013 · 6 revisions

Configuring an OIOSAML service provider as an ADFS 2.0 relying party

  1. Import the Service Provider (SP) metadata as an ADFS Relying Party (RP). This is easy if the metadata is hosted on an https:// site.
  2. Set the signature algorithm to SHA1 in the ADFS RP advanced settings tab. (ADFS footnote 1)
  3. Remove the encryption key in the ADFS RP. (Optional, to view the assertions for testing.)
  4. Trust the signing certificate, if it is self-signed.
     • Open the cert from the ADFS RP and import it so that Windows thinks it is valid:
       1. to the default store
       2. to the Trusted Root Certificate Authorities
       3. to the physical stores Third Party Root Certificate Authorities registry
  5. Configure the ADFS RP to send assertions as such (OIOSAML footnote 2):

IssuanceTransformRules
----------------------
@RuleTemplate = "LdapClaims"
@RuleName = "send assertions"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");


ADFS footnote 1:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          11/13/2013 11:39:39 AM
Event ID:      378
Task Category: None
Level:         Error
Keywords:      AD FS
User:          MEDLAB\adfs_service
Computer:      ITWVFSD01.medlab.harvard.edu
Description:
SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1

User Action: Verify that signature algorithm for the partner is configured as expected.

OIOSAML footnote 2:

dk.itst.oiosaml.sp.model.validation.ValidationException: The assertion must contain a Subject/NameID at dk.itst.oiosaml.sp.model.validation.BasicAssertionValidator.validate(BasicAssertionValidator.java:49)

dk.itst.oiosaml.sp.model.validation.ValidationException: The assertion must contain exactly one AttributeStatement. Contains 0 at dk.itst.oiosaml.sp.model.validation.OIOSAMLAssertionValidator.validate(OIOSAMLAssertionValidator.java:79)

java.lang.IllegalArgumentException: Format null unknown at dk.itst.oiosaml.sp.NameIDFormat.getNameID(NameIDFormat.java:65)


On the OIOSAML SP side, with version 8501 at least, in metadata/IdP/IdPMetadata.xml under IDPSSODescriptor you must ensure that the <KeyDescriptor use="signing"> element appears first, before the <KeyDescriptor use="encryption"> element. For example:

murphy:.oiosaml-demo pdurbin$ pwd
/Users/pdurbin/.oiosaml-demo
murphy:.oiosaml-demo pdurbin$ vim metadata/IdP/IdPMetadata.xml 
murphy:.oiosaml-demo pdurbin$ git diff -U2 metadata/IdP/IdPMetadata.xml | cut -c-90
diff --git a/metadata/IdP/IdPMetadata.xml b/metadata/IdP/IdPMetadata.xml
index 16ceab0..d1eff6a 100644
--- a/metadata/IdP/IdPMetadata.xml
+++ b/metadata/IdP/IdPMetadata.xml
@@ -289,15 +289,15 @@
   </SPSSODescriptor>
   <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <KeyDescriptor use="encryption">
+    <KeyDescriptor use="signing">
       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <X509Data>
-          <X509Certificate>MIIC8DCCAdigAwIBAgIQVZyljOcP3YdKJ7OMRDByNTANBgkqhkiG9w0BAQsFAD
+          <X509Certificate>MIIC6jCCAdKgAwIBAgIQE8Qt13UlyZpG478NxBPb6DANBgkqhkiG9w0BAQsFAD
         </X509Data>
       </KeyInfo>
     </KeyDescriptor>
-    <KeyDescriptor use="signing">
+    <KeyDescriptor use="encryption">
       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <X509Data>
-          <X509Certificate>MIIC6jCCAdKgAwIBAgIQE8Qt13UlyZpG478NxBPb6DANBgkqhkiG9w0BAQsFAD
+          <X509Certificate>MIIC8DCCAdigAwIBAgIQVZyljOcP3YdKJ7OMRDByNTANBgkqhkiG9w0BAQsFAD
         </X509Data>
       </KeyInfo>
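Review bot: The hunk moves the two <KeyDescriptor> elements as whole units rather than just swapping their use attributes, so the certificate beginning MIIC6jCC stays paired with use="signing" and MIIC8DCC with use="encryption"; that is the right way round, because relabelling the certificates in place would leave the SP verifying response signatures against the encryption key. Two things to check before relying on it: the listing is piped through `cut -c-90`, so the <X509Certificate> lines are truncated here and the hunk's trailing context (the closing </KeyDescriptor> and whatever follows) is not shown, so confirm the full diff contains only this reordering; and this is a hand edit of metadata published by ADFS, which will be silently undone if the file is re-fetched from the IdP, so it is worth noting in the wiki that the reorder must be reapplied whenever the IdP metadata is refreshed.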
murphy:.oiosaml-demo pdurbin$
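Because the reorder above has to be redone every time the IdP metadata is refreshed, a small check that reports or fixes the KeyDescriptor order, moving whole elements so each certificate stays with its own use attribute, is handy. This is an added example, not code from the OIOSAML project or from this wiki; the sample metadata, the entityID and the certificate values in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", MD_NS)   # keep the metadata namespace as the default on output
ET.register_namespace("ds", DS_NS)
KD = f"{{{MD_NS}}}KeyDescriptor"

# Constructed sample shaped like ADFS-published metadata, with the encryption key first
# (the order the OIOSAML SP rejected). The certificate values are placeholders, not real certs.
SAMPLE = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>ENC-CERT-PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>SIG-CERT-PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def _idp(metadata_xml):
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    return root, idp

def key_uses(metadata_xml):
    """use attribute of each KeyDescriptor under IDPSSODescriptor, in document order."""
    return [kd.get("use") for kd in _idp(metadata_xml)[1].findall(KD)]

def cert_for_use(metadata_xml, use):
    """X509Certificate text paired with the given use, to confirm no cert changed role."""
    for kd in _idp(metadata_xml)[1].findall(KD):
        if kd.get("use") == use:
            return kd.findtext(f".//{{{DS_NS}}}X509Certificate", "").strip()
    return None

def signing_first(metadata_xml):
    """Return (changed, xml) with use="signing" ahead of use="encryption"; elements move whole."""
    root, idp = _idp(metadata_xml)
    kds = idp.findall(KD)
    uses = [kd.get("use") for kd in kds]
    if "signing" not in uses:
        raise ValueError("IDPSSODescriptor has no signing KeyDescriptor")
    if "encryption" not in uses or uses.index("signing") < uses.index("encryption"):
        return False, metadata_xml            # already in the order the SP accepts
    ordered = sorted(kds, key=lambda kd: kd.get("use") != "signing")  # stable: signing first
    pos = list(idp).index(kds[0])             # keep the block where it was among siblings
    for kd in kds:
        idp.remove(kd)
    for offset, kd in enumerate(ordered):
        idp.insert(pos + offset, kd)
    return True, ET.tostring(root, encoding="unicode")
```

Run `signing_first` on the text of metadata/IdP/IdPMetadata.xml and write the result back only when it reports a change; `cert_for_use` lets you confirm afterwards that the signing certificate is the one ADFS actually signs with.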