
configuring ADFS relying party

jeffreyparker1 edited this page Nov 15, 2013 · 6 revisions

Configuring an OIOSAML service provider as an ADFS 2.0 relying party

  1. Import the SP metadata as an ADFS relying party. This is easy if the metadata is hosted on an https:// site.
  2. Set the signature algorithm to SHA1 in the ADFS RP (see ADFS footnote 1).
  3. Delete the encryption key in the ADFS RP (optional; it lets you read the assertions in clear text while testing).
  4. Trust the signing certificate if it is self-signed.
     • Open the certificate from the ADFS MMC and import it so that Windows considers it valid:
       1. into the default store
       2. into Trusted Root Certification Authorities
       3. into the physical store Third-Party Root Certification Authorities (Registry)
  5. Configure the ADFS RP to send assertions with the following claim rules (see OIOSAML footnote 2):

```
IssuanceTransformRules
----------------------
@RuleTemplate = "LdapClaims"
@RuleName = "send assertions"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
```

ADFS footnote 1:

```
Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          11/13/2013 11:39:39 AM
Event ID:      378
Task Category: None
Level:         Error
Keywords:      AD FS
User:          MEDLAB\adfs_service
Computer:      ITWVFSD01.medlab.harvard.edu
Description:
SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1

User Action:
Verify that signature algorithm for the partner is configured as expected.
```

OIOSAML footnote 2:

```
dk.itst.oiosaml.sp.model.validation.ValidationException: The assertion must contain a Subject/NameID
    at dk.itst.oiosaml.sp.model.validation.BasicAssertionValidator.validate(BasicAssertionValidator.java:49)

dk.itst.oiosaml.sp.model.validation.ValidationException: The assertion must contain exactly one AttributeStatement. Contains 0
    at dk.itst.oiosaml.sp.model.validation.OIOSAMLAssertionValidator.validate(OIOSAMLAssertionValidator.java:79)

java.lang.IllegalArgumentException: Format null unknown
    at dk.itst.oiosaml.sp.NameIDFormat.getNameID(NameIDFormat.java:65)
```
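The three OIOSAML validator errors above and the ADFS event 378 can be reproduced offline on a captured SAML message before the trust is changed. The following Python check is an added example, not code from OIOSAML or ADFS; the assertion and request documents it parses are constructed samples, and it only checks structure, not signature validity.

```python
"""Structural pre-flight check for SAML 2.0 messages against the OIOSAML
validator errors and the ADFS 378 event quoted on this page (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"


def check_assertion(xml_text):
    """Return the problems an OIOSAML SP would report for this assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:  # BasicAssertionValidator, footnote 2
        problems.append("The assertion must contain a Subject/NameID")
    elif name_id.get("Format") is None:  # NameIDFormat.getNameID, footnote 2
        problems.append("Format null unknown")
    count = len(root.findall("saml:AttributeStatement", NS))
    if count != 1:  # OIOSAMLAssertionValidator, footnote 2
        problems.append("The assertion must contain exactly one "
                        f"AttributeStatement. Contains {count}")
    return problems


def check_request_signature(xml_text, expected=RSA_SHA1):
    """ADFS event 378: the signed SP request must use the algorithm configured
    on the relying party trust. Returns (ok, algorithm_found)."""
    root = ET.fromstring(xml_text)
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    actual = method.get("Algorithm") if method is not None else None
    return actual == expected, actual


# Constructed samples: an assertion without the claim rules, one with them,
# and an AuthnRequest signed with rsa-sha256 (the case in ADFS footnote 1).
BARE = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Subject/></saml:Assertion>')
FIXED = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
         '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:'
         'nameid-format:emailAddress">user@example.org</saml:NameID>'
         '</saml:Subject><saml:AttributeStatement><saml:Attribute Name="upn"/>'
         '</saml:AttributeStatement></saml:Assertion>')
SHA256_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:'
                  'protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
                  '<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm='
                  '"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
                  '</ds:SignedInfo></ds:Signature></samlp:AuthnRequest>')
```

Running `check_assertion(BARE)` returns the two ValidationException messages from footnote 2, `check_assertion(FIXED)` returns an empty list, and `check_request_signature(SHA256_REQUEST)` flags the rsa-sha256 algorithm that event 378 rejects.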