The following article describes the process for connecting Safewhere*Identify to AD FS 2.0. It is recommended that you read the following documents before starting:
- Saml2Wif installation guideline (http://help5-1.safewhere.com/installing-saml-2-0-for-wif/). Pay special attention to all the PowerShell information in that document.
- Microsoft's AD FS 2.0 installation guideline.
Saml2 protocol: connections
The following example is in the context that identify1 (identify1.safewhere.local) is an RP for ADFS (fed.safewhere.local) using the Saml2 protocol.
ADFS Configuration
- Using ADFS Management, create a Relying Party Trust: Add a Relying Party Trust using the Saml2 metadata URL: https://identify1.safewhere.local/runtime/saml2auth/metadata.idp
- Create the claim rules described in the section Claim settings.
- Change the AD FS 2.0 signature algorithm to the Secure Hash Algorithm (SHA) that you want to use: right-click the trust > Properties > on the Advanced tab, in the Secure hash algorithm list, select either SHA-1 or SHA-256 and then click OK.
- Use Windows PowerShell to remove the revocation check when using self-signed certificates, and to require signed SAML requests:
  - add-pssnapin microsoft.adfs.powershell
  - set-ADFSrelyingpartytrust -targetname "RP_Name" -SigningCertificateRevocationCheck None
  - set-ADFSrelyingpartytrust -targetname "RP_Name" -EncryptionCertificateRevocationCheck None
  - set-ADFSrelyingpartytrust -targetname "RP_Name" -SignedSamlRequestsRequired $True
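The ADFS steps above as one script, added here as an example and not part of the Safewhere guide. It assumes an AD FS 2.0 server with the Microsoft.Adfs.PowerShell snap-in, the identify1 metadata URL from this page, and a placeholder display name in $RpName; it finishes by reading the trust settings back so the change can be verified before you test a login.

```powershell
# Added example (not from the Safewhere guide): scripted version of the
# AD FS 2.0 relying-party setup, ending with a read-back check.
# $RpName is a placeholder for the display name you give the trust.
$RpName      = "identify1 (Saml2)"
$MetadataUrl = "https://identify1.safewhere.local/runtime/saml2auth/metadata.idp"
# Signature algorithm URI for SHA-256 (choose the same SHA mode in Identify)
$Sha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Create the trust from the Identify Saml2 metadata (same as the MMC wizard step),
# unless a trust with this name already exists.
if (-not (Get-ADFSRelyingPartyTrust -Name $RpName)) {
    Add-ADFSRelyingPartyTrust -Name $RpName -MetadataUrl $MetadataUrl
}

# Self-signed (lab) certificates only: disable revocation checking for THIS trust,
# require signed SAML requests, and select the hash algorithm.
Set-ADFSRelyingPartyTrust -TargetName $RpName `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None `
    -SignedSamlRequestsRequired $true `
    -SignatureAlgorithm $Sha256

# Read the settings back so the result can be verified and recorded.
Get-ADFSRelyingPartyTrust -Name $RpName |
    Select-Object Name, SignatureAlgorithm, SignedSamlRequestsRequired,
                  SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck |
    Format-List

# Housekeeping check: list every trust that still has revocation checking off,
# so lab-only settings do not linger on a production farm.
Get-ADFSRelyingPartyTrust |
    Where-Object { $_.SigningCertificateRevocationCheck -eq "None" -or
                   $_.EncryptionCertificateRevocationCheck -eq "None" } |
    Select-Object Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
```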
Identify Configuration
- Go to the Connections tab and create a Saml2 authn connection:
  - check Enable
  - check Do not map logins to user store
  - select an Identity-bearing name and save
  - select the SHA mode according to the one you chose on ADFS
- Go back to the connection list, open the upload metadata form and point it to https://fed.safewhere.local/FederationMetadata/2007-06/federationmetadata.xml
WS-Federation protocol: connections
The following example is in the context that identify1 (identify1.safewhere.local) is an RP for ADFS (fed.safewhere.local) using the WS-Fed protocol.
ADFS Configuration
- Using ADFS Management, create a Relying Party Trust: Add a Relying Party Trust using the WS-Fed metadata URL: https://identify1.safewhere.local/runtime/wsfedauth/metadata.idp
- Create the claim rules described in the section Claim settings.
- Change the AD FS 2.0 signature algorithm to Secure Hash Algorithm 1 (SHA-1): right-click the trust > Properties > on the Advanced tab, in the Secure hash algorithm list, select SHA-1, and then click OK.
- Use Windows PowerShell to remove the revocation check when using self-signed certificates:
  - add-pssnapin microsoft.adfs.powershell
  - set-ADFSrelyingpartytrust -targetname "RP_Name" -SigningCertificateRevocationCheck None
  - set-ADFSrelyingpartytrust -targetname "RP_Name" -EncryptionCertificateRevocationCheck None
Identify Configuration
- Go to the Connections tab and create a WS-Fed authn connection, check Enable, select an Identity-bearing name and save.
- Go back to the connection list, open the upload metadata form and point it to https://fed.safewhere.local/FederationMetadata/2007-06
- To resolve the issue "A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo…")." with .NET 4.0, edit the web.config:
  - Add <httpRuntime requestValidationMode="2.0"/> before the <pages…/> tag.
  - Add the attribute validateRequest="false" to the <pages…/> tag. Note that this turns off ASP.NET request validation for the affected pages, so keep the change scoped to the Identify application's web.config.
Claim settings
The following is the minimal set of claims that AD FS 2.0 needs to issue to the Identify RP; note the rule template used for each claim rule: