He's been made an offer that he can't [see: shouldn't] refuse! -- Espi
On Mon, Jan 16, 2012 at 1:08 PM, Kurt Buff <[email protected]> wrote: > Now there's an offer you don't see every day. > > On Mon, Jan 16, 2012 at 12:47, Michael B. Smith <[email protected]> > wrote: > > Happy to feature you as s guest author. > > > > Sent from my HTC Tilt™ 2, a Windows® phone from AT&T > > > > -----Original Message----- > > From: David Lum <[email protected]> > > Sent: Monday, January 16, 2012 2:38 PM > > To: NT System Admin Issues <[email protected]> > > Subject: RE: ADFS + SAML 2.0 w/ Concur = success! > > > > > > If I had a blog, I would. My internal document is far more detailed :-) > > > > Dave > > > > -----Original Message----- > > From: Webster [mailto:[email protected]] > > Sent: Monday, January 16, 2012 11:10 AM > > To: NT System Admin Issues > > Subject: RE: ADFS + SAML 2.0 w/ Concur = success! > > > > Now write that up with screen shots and you have a blog article that can > be useful to many others. > > > > > > Carl Webster > > Consultant and Citrix Technology Professional http://www.CarlWebster.com > > > >> -----Original Message----- > >> From: David Lum [mailto:[email protected]] > >> Sent: Monday, January 16, 2012 11:56 AM > >> To: NT System Admin Issues > >> Subject: ADFS + SAML 2.0 w/ Concur = success! > >> > >> As you guys know, after much gnashing on this list I was finally able > >> to get SAML working with ADFS. What took too-many hours of banging on > >> it can know be done soup-to-nuts (including building a server OS from > >> scratch - just to make sure I have the steps right) in two hours. > >> > >> There were a couple of tripping points if you are new to this kind of > thing: > >> 1. Download ADFS 2.0, the ADFS role in 2008 R2 looks different and is > >> likely > >> 1.1 and not 2.0 (Google-Fu gives me conflicting info) 2. During > >> configuration, ADFS 2.0 by default assigns self-signed "token-signing" > >> and "token- decrypting" certificates, so even if you assign an > >> appropriate 3rd party certificate for Service Communications in ADFS, > >> the other two certificates need to be manually reconfigured. This > >> requires you to turn off "automatic certificate rollover" by using a > >> PowerShell script (the PS commands are provided in the error message, > >> you'd think they could offer a little add-in "would you like this > >> change to be made?" you just click OK to). Once you run this script > >> you can then add the certificates, and then you need to assign them as > >> "primary". [1][2] 3. In ADFS there is also a step where you assign the > >> Federation Service Name, and in our case I used a wildcard cert but > >> the service name needs to be an explicit host. Whatever name is > >> assigned here (say SingleSignOn.nwea.org) an appropriate DNS entry (in > >> my case a > >> CName) needs to be assigned so the DNS resolves appropriately. > >> 4. In this particular case, I had to make sure I did NOT assign an > >> encryption certificate for the relying party 5. The secure hash > >> algorithm needs to match the vendor (SHA-1 or SHA-256). > >> > >> Other than that, it is almost straightforward, LOL. I built a 2nd > >> machine this morning from scratch - including OS install - to > >> operating SSO server in about > >> 2 hours (had to confirm/refine my "build from scratch" documentation). > >> > >> David Lum > >> Systems Engineer // NWEATM > >> Office 503.548.5229 // Cell (voice/text) 503.267.9764 > >> > >> [1] There may be a way to do this during setup in ADFS, but I didn't > >> see it as I was stepping though. > >> [2] It was this step that gave us "invalid certificate was sent to > relying party" > >> errors. > >> > >> > >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ > >> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > >> > >> --- > >> To manage subscriptions click here: http://lyris.sunbelt- > >> software.com/read/my_forums/ or send an email to > >> [email protected] > >> with the body: unsubscribe ntsysadmin > >> > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ < > http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > --- > > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > > or send an email to [email protected] > > with the body: unsubscribe ntsysadmin > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > --- > > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > > or send an email to [email protected] > > with the body: unsubscribe ntsysadmin > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > --- > > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > > or send an email to [email protected] > > with the body: unsubscribe ntsysadmin > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
