As you guys know, after much gnashing on this list I was finally able to get SAML working with ADFS. What took too many hours of banging on it can now be done soup-to-nuts (including building a server OS from scratch - just to make sure I have the steps right) in two hours.
There were a couple of tripping points if you are new to this kind of thing:

1. Download ADFS 2.0; the ADFS role in 2008 R2 looks different and is likely 1.1 and not 2.0 (Google-Fu gives me conflicting info).

2. During configuration, ADFS 2.0 by default assigns self-signed "token-signing" and "token-decrypting" certificates, so even if you assign an appropriate 3rd party certificate for Service Communications in ADFS, the other two certificates need to be manually reconfigured. This requires you to turn off "automatic certificate rollover" by using a PowerShell script (the PS commands are provided in the error message; you'd think they could offer a little add-in "would you like this change to be made?" you just click OK to). Once you run this script you can then add the certificates, and then you need to assign them as "primary". [1][2]

3. In ADFS there is also a step where you assign the Federation Service Name, and in our case I used a wildcard cert, but the service name needs to be an explicit host. Whatever name is assigned here (say SingleSignOn.nwea.org), an appropriate DNS entry (in my case a CName) needs to be assigned so the DNS resolves appropriately.

4. In this particular case, I had to make sure I did NOT assign an encryption certificate for the relying party.

5. The secure hash algorithm needs to match the vendor (SHA-1 or SHA-256).

Other than that, it is almost straightforward, LOL. I built a 2nd machine this morning from scratch - including OS install - to an operating SSO server in about 2 hours (had to confirm/refine my "build from scratch" documentation).

David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764

[1] There may be a way to do this during setup in ADFS, but I didn't see it as I was stepping through.
[2] It was this step that gave us "invalid certificate was sent to relying party" errors.
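As an added example (not from David's post), here is the ADFS 2.0 PowerShell that corresponds to steps 2, 4 and 5 above: turning off automatic certificate rollover, adding the 3rd party token-signing and token-decrypting certificates and promoting them to primary, matching the relying party's hash algorithm, and checking that no encryption certificate is set on the relying party. The thumbprints and the relying party name are placeholders you substitute for your own; everything else uses the cmdlets the ADFS 2.0 snap-in ships with.

```powershell
# Added example, not from the original post. Assumes ADFS 2.0 on Windows Server 2008 R2,
# run in an elevated PowerShell on the federation server.
# The thumbprints and relying party name below are placeholders (assumptions); replace them.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$signingThumb = "<THUMBPRINT-OF-3RD-PARTY-SIGNING-CERT>"    # placeholder
$decryptThumb = "<THUMBPRINT-OF-3RD-PARTY-DECRYPT-CERT>"    # placeholder
$rpName       = "<Relying Party Display Name>"             # placeholder

# Step 2a: ADFS refuses to change the token certificates while automatic rollover is on
# (this is the command the error message quotes).
Set-ADFSProperties -AutoCertificateRollover $false

# Check before touching ADFS: each cert must sit in LocalMachine\My and carry a private key,
# otherwise Add-ADFSCertificate succeeds but tokens cannot be signed or decrypted later.
foreach ($t in $signingThumb, $decryptThumb) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $t }
    if (-not $cert)                { throw "Certificate $t not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey)  { throw "Certificate $t has no private key" }
}

# Step 2b: add the certificates, then make them primary so they replace the self-signed
# ones in the federation metadata.
Add-ADFSCertificate -CertificateType Token-Signing    -Thumbprint $signingThumb
Set-ADFSCertificate -CertificateType Token-Signing    -Thumbprint $signingThumb -IsPrimary
Add-ADFSCertificate -CertificateType Token-Decrypting -Thumbprint $decryptThumb
Set-ADFSCertificate -CertificateType Token-Decrypting -Thumbprint $decryptThumb -IsPrimary

# Verify: only the 3rd party thumbprints should show IsPrimary = True.
Get-ADFSCertificate | Select-Object CertificateType, Thumbprint, IsPrimary

# Step 5: match the vendor's hash algorithm on the relying party trust. SHA-256 is shown;
# use "http://www.w3.org/2000/09/xmldsig#rsa-sha1" only if the vendor accepts SHA-1 alone.
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Step 4 check: this should print nothing if no encryption certificate is set on the relying party.
(Get-ADFSRelyingPartyTrust -Name $rpName).EncryptionCertificate
```

Two things worth checking after running it: the ADFS service account needs read access to the private keys of the new certificates (the private-key check above only confirms the key exists), and the relying party validates signatures against whatever signing certificate it was configured with, so the vendor has to be given the new public certificate or updated federation metadata after the primary changes, which is the kind of mismatch that produces the "invalid certificate was sent to relying party" error mentioned in note [2].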
