Now write that up with screen shots and you have a blog article that can be useful to many others.
Carl Webster Consultant and Citrix Technology Professional http://www.CarlWebster.com > -----Original Message----- > From: David Lum [mailto:[email protected]] > Sent: Monday, January 16, 2012 11:56 AM > To: NT System Admin Issues > Subject: ADFS + SAML 2.0 w/ Concur = success! > > As you guys know, after much gnashing on this list I was finally able to get > SAML working with ADFS. What took too-many hours of banging on it can > know be done soup-to-nuts (including building a server OS from scratch - > just to make sure I have the steps right) in two hours. > > There were a couple of tripping points if you are new to this kind of thing: > 1. Download ADFS 2.0, the ADFS role in 2008 R2 looks different and is likely > 1.1 and not 2.0 (Google-Fu gives me conflicting info) 2. During configuration, > ADFS 2.0 by default assigns self-signed "token-signing" and "token- > decrypting" certificates, so even if you assign an appropriate 3rd party > certificate for Service Communications in ADFS, the other two certificates > need to be manually reconfigured. This requires you to turn off "automatic > certificate rollover" by using a PowerShell script (the PS commands are > provided in the error message, you'd think they could offer a little add-in > "would you like this change to be made?" you just click OK to). Once you run > this script you can then add the certificates, and then you need to assign > them as "primary". [1][2] 3. In ADFS there is also a step where you assign the > Federation Service Name, and in our case I used a wildcard cert but the > service name needs to be an explicit host. Whatever name is assigned here > (say SingleSignOn.nwea.org) an appropriate DNS entry (in my case a > CName) needs to be assigned so the DNS resolves appropriately. > 4. In this particular case, I had to make sure I did NOT assign an encryption > certificate for the relying party 5. The secure hash algorithm needs to match > the vendor (SHA-1 or SHA-256). > > Other than that, it is almost straightforward, LOL. I built a 2nd machine this > morning from scratch - including OS install - to operating SSO server in about > 2 hours (had to confirm/refine my "build from scratch" documentation). > > David Lum > Systems Engineer // NWEATM > Office 503.548.5229 // Cell (voice/text) 503.267.9764 > > [1] There may be a way to do this during setup in ADFS, but I didn't see it > as I > was stepping though. > [2] It was this step that gave us "invalid certificate was sent to relying > party" > errors. > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: http://lyris.sunbelt- > software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
