Now there's an offer you don't see every day.

On Mon, Jan 16, 2012 at 12:47, Michael B. Smith <[email protected]> wrote:
> Happy to feature you as s guest author.
>
> Sent from my HTC Tilt™ 2, a Windows® phone from AT&T
>
> -----Original Message-----
> From: David Lum <[email protected]>
> Sent: Monday, January 16, 2012 2:38 PM
> To: NT System Admin Issues <[email protected]>
> Subject: RE: ADFS + SAML 2.0 w/ Concur = success!
>
>
> If I had a blog, I would. My internal document is far more detailed :-)
>
> Dave
>
> -----Original Message-----
> From: Webster [mailto:[email protected]]
> Sent: Monday, January 16, 2012 11:10 AM
> To: NT System Admin Issues
> Subject: RE: ADFS + SAML 2.0 w/ Concur = success!
>
> Now write that up with screen shots and you have a blog article that can be 
> useful to many others.
>
>
> Carl Webster
> Consultant and Citrix Technology Professional http://www.CarlWebster.com
>
>> -----Original Message-----
>> From: David Lum [mailto:[email protected]]
>> Sent: Monday, January 16, 2012 11:56 AM
>> To: NT System Admin Issues
>> Subject: ADFS + SAML 2.0 w/ Concur = success!
>>
>> As you guys know, after much gnashing on this list I was finally able
>> to get SAML working with ADFS. What took too-many hours of banging on
>> it can know be done soup-to-nuts (including building a server OS from
>> scratch - just to make sure I have the steps right) in two hours.
>>
>> There were a couple of tripping points if you are new to this kind of thing:
>> 1. Download ADFS 2.0, the ADFS role in 2008 R2 looks different and is
>> likely
>> 1.1 and not 2.0 (Google-Fu gives me conflicting info) 2. During
>> configuration, ADFS 2.0 by default assigns self-signed "token-signing"
>> and "token- decrypting" certificates, so even if you assign an
>> appropriate 3rd party certificate for Service Communications in ADFS,
>> the other two certificates need to be manually reconfigured. This
>> requires you to turn off "automatic certificate rollover" by using a
>> PowerShell script (the PS commands are provided in the error message,
>> you'd think they could offer a little add-in "would you like this
>> change to be made?" you just click OK to). Once you run this script
>> you can then add the certificates, and then you need to assign them as
>> "primary". [1][2] 3. In ADFS there is also a step where you assign the
>> Federation Service Name, and in our case I used a wildcard cert but
>> the service name needs to be an explicit host. Whatever name is
>> assigned here (say SingleSignOn.nwea.org) an appropriate DNS entry (in
>> my case a
>> CName) needs to be assigned so the DNS resolves appropriately.
>> 4. In this particular case, I had to make sure I did NOT assign an
>> encryption certificate for the relying party 5. The secure hash
>> algorithm needs to match the vendor (SHA-1 or SHA-256).
>>
>> Other than that, it is almost straightforward, LOL. I built a 2nd
>> machine this morning from scratch - including OS install - to
>> operating SSO server in about
>> 2 hours (had to confirm/refine my "build from scratch" documentation).
>>
>> David Lum
>> Systems Engineer // NWEATM
>> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>>
>> [1] There may be a way to do this during setup in ADFS, but I didn't
>> see it as I was stepping though.
>> [2] It was this step that gave us "invalid certificate was sent to relying 
>> party"
>> errors.
>>
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>
>> ---
>> To manage subscriptions click here: http://lyris.sunbelt-
>> software.com/read/my_forums/ or send an email to
>> [email protected]
>> with the body: unsubscribe ntsysadmin
>>
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin

Reply via email to