The following article describes the process for connecting AD FS 2.0 to Safewhere*Identify. It is recommended that you read the following document before starting:

• Saml2Wif installation guideline (https://docs.google.com/document/d/1y5D0x4UNSAwxRP_9BBEUnhfBG7PDfX-t3AW4cvWcCIA/edit ). Please take special notice on all the powershell information in this document.
• Microsoft’s AD FS 2.0 installation guideline.

Saml2 Protocol Connections

The following example is in the context that ADFS (fed.safewhere.local) is a RP for identify1 (identify1.safewhere.local) using Saml2 protocol.

ADFS Configuration

1. Add a Claims Provider Using Saml2 Metadata URL: https://identify1.safewhere.local/runtime/saml2/metadata.idp
2. Create some claims rules as section Claim settings

3. Change AD FS 2.0 Signature Algorithm to use the Secure Hash Algorithm 1 (SHA-1): right-click > Properties > On the Advanced tab, in the Secure hash algorithm list, select SHA-1,and then click OK.

4. Using Windows Powershell to remove the Revocation Check when using self-certificates

• add-pssnapin microsoft.adfs.powershell
• set-ADFSClaimsProviderTrust -targetname “Claims_Provider_Name” -SigningCertificateRevocationCheck None
• set-ADFSClaimsProviderTrust -targetname “Claims_Provider_Name” -EncryptionCertificateRevocationCheck None
• Set-ADFSClaimsProviderTrust -targetname “Claims_Provider_Name” -SignedSamlRequestsRequired $True (This setting is used to resolve the error “Value cannot be null. Parameter name: signature” as ADFS did not sign the login message before passing through Identify)

Identify Configuration

1. Go to Connections tab and create a Saml2 protocol connection, check enable

2. Go back to the connection list, open the upload metadata form and point to https://fed.safewhere.local/FederationMetadata/2007-06/FederationMetadata.xml
3. Then, we need to modify some fields in other to work with ADFS (they were considered as issues and will be fixed later – we just do some workaround to make this scenario work) – Go back to the connection list, select the Salm2 connection to edit

• Subject confirmation data recipient:* edit to https://fed.safewhere.local/adfs/ls/ instead of http://fed.safewhere.local/adfs/services/trust
• Enable Set response’s issuer

WS-Federation Protocol Connections

The following example is in the context that ADFS (fed.safewhere.local) is a RP for identify1 (identify1.safewhere.local) using WS Federation protocol.

ADFS Configuration

1. Add a Claims Provider Using Federation Metadata URL: https://identify1.safewhere.local/runtime/FederationMetadata/2007-06/FederationMetadata.xml
2. Create some claims rules as section Claim settings

• In this case, a Name pass through rule needs to be created to pass reponse from Identify Idp to Identify*Admin SP

3. Change AD FS 2.0 Signature Algorithm to use the Secure Hash Algorithm 1 (SHA-1): right-click > Properties > On the Advanced tab, in the Secure hash algorithm list, select SHA-1,and then click OK.

4. Using Windows Powershell to remove the Revocation Check when using self-certificates

• add-pssnapin microsoft.adfs.powershell
• set-ADFSClaimsProviderTrust -targetname “Claims_Provider_Name” -SigningCertificateRevocationCheck None
• set-ADFSClaimsProviderTrust -targetname “Claims_Provider_Name” -EncryptionCertificateRevocationCheck None

Identify Configuration

1. Go to Connections tab and create a Federation protocol connection, check enable

2. Go back to the connection list, open the upload metadata form and point to https://fed.safewhere.local/FederationMetadata/2007-06/FederationMetadata.xml

Claim settings

A typical set up when Identify is an IdP of AD FS 2.0 is:

SP → AD FS 2.0 → Identify

So in term of claims issuance and transformation, we have two steps:

1. Identify → AD FS 2.0: AD FS 2.0 applies some transformation rules to the incoming claims. For example, a name passthrough rule will allow name claim from Identify to pass through to the outgoing connection.

2. AD FS 2.0 → SP: similar to how one connects Identify to AD FS 2.0

The minimal set of transformation rules to apply to claims from Identify which works is:

Troubleshooting

1) You get the error like the image below:

and the exception in ADFS event viewer is:

Solution: Please check the protocol that you are using for “Subject confirmation data recipient in” in Saml2 Protocol Connections setting. Make sure it is https, NOT http.