ADFS as IdP


Dan Murphy

Feb 27, 2011, 2:53:52 PM
to simple...@googlegroups.com
Anyone have a GOOD walkthrough of how to configure simplesamlphp to accept ADFS as IdP, with simplesamlphp as SP?

JDS

Aug 22, 2012, 5:03:24 PM
to simple...@googlegroups.com, mmdm...@gmail.com
Bump! "me too"

I manage an SSP-based SP and I have a customer with an ADFS IdP. What is the state of this sort of setup? Will this work?

We've tried a lot of things but have had no success. Is there any documentation on this? Or examples?

THANKS!

Steve Moitozo II

Aug 24, 2012, 1:48:59 PM
to simple...@googlegroups.com
I have done this a couple of times. In fact, today I just finished configuring a SimpleSAMLphp SP to interop with an ADFS IdP at a client site.

Probably the trickiest part of this was helping the client configure ADFS to include NameID in the SAML assertion.

The initial symptom was an error about InvalidNameIDPolicy coming from ADFS. Adding the following to authsources.php got us moving ahead.
'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
After that the error changed to the SP complaining about a missing NameID attribute, which revealed that ADFS was not configured to include it in the SAML assertion. Once we configured ADFS to include NameID in assertions it was pretty straightforward after that.

Have a look at "NameID Policy could not be satisfied." <http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/ea5efcff-4221-4af1-b434-4be5245cb0fa> The original poster describes exactly what we were dealing with and Mieszko Matkowski's answer provided a solution.

If you want ADFS to send a transient NameID do this:

First create a transient user identifier by adding an advanced rule.
For example:

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] &&
c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(
       store = "_OpaqueIdStore",
       types = ("http://mycompany/internal/sessionid"),
       query = "{0};{1};{2};{3};{4}",
       param = "useEntropy",
       param = c1.Value,
       param = c1.OriginalIssuer,
       param = "",
       param = c2.Value);

Then add a claim transformation rule:
    1. Incoming claim type is "http://mycompany/internal/sessionid"
    2. Outgoing claim type is "Name ID"
    3. Outgoing name ID format is Transient Identifier

If you want ADFS to send e-mail as NameID do this:

First add an advanced rule:

@RuleTemplate="LdapClaims"
@RuleName="Send E-mail as Name ID"

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
    Issuer == "AD AUTHORITY"] => issue(
    store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
    query = ";mail;{0}",
    param = c.Value);


Then add a claim transformation rule:
    1. Incoming claim type is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    2. Outgoing claim type is "Name ID"
    3. Outgoing name ID format is Email

Hope that helps.


P.S. I'm writing a book on Identity Integrations with SimpleSAMLphp <http://www.moitozo.com/s2/books/simplesamlphp/>.

On 08/23/2012 04:46 PM, Gideon Jones wrote:
Me as well! I'm new to SAML but this is what I am currently trying to achieve, access to a customer's ADFS IdP. Any ideas much appreciated.

On Wednesday, August 22, 2012 2:03:24 PM UTC-7, JDS wrote:

Tom Scavo

Aug 24, 2012, 5:39:57 PM
to simple...@googlegroups.com
On Fri, Aug 24, 2012 at 1:48 PM, Steve Moitozo II <steve_...@sil.org> wrote:
>
> The initial symptom was an error about InvalidNameIDPolicy coming from ADFS.
> Adding the following to authsources.php got us moving ahead.
>
> 'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'

That doesn't make any sense since NameIDPolicy is optional and
defaults to that value (essentially). Could it be that the above
configuration causes a NameIDPolicy element with AllowCreate="true" to
be added to the AuthnRequest, whereas previously it was not? That
would cause an error at the IdP, yes.

> P.S. I'm writing a book on Identity Integrations with SimpleSAMLphp
> <http://www.moitozo.com/s2/books/simplesamlphp/>.

Neat! Where's the chapter on metadata? ;-)

Cheers,
Tom
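The two SP-side points in this thread (Steve's NameIDPolicy setting followed by the "missing NameID" failure, and Tom's question about the AllowCreate attribute), as an added example that is not code from the thread or from SimpleSAMLphp: it serialises the samlp:NameIDPolicy element an SP puts in its AuthnRequest, with and without AllowCreate, and checks an IdP Response for the Subject/NameID the SP needs. The two sample Responses are constructed and stripped to the elements the check looks at.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def name_id_policy(fmt=UNSPECIFIED, allow_create=None):
    """Serialise the samlp:NameIDPolicy element an SP puts in its AuthnRequest.
    allow_create=None omits the attribute entirely; True/False write it out,
    which is the difference Tom asks about in the thread."""
    el = ET.Element(f"{{{SAMLP}}}NameIDPolicy", {"Format": fmt})
    if allow_create is not None:
        el.set("AllowCreate", "true" if allow_create else "false")
    return ET.tostring(el, encoding="unicode")

def check_name_id(response_xml, accepted=(UNSPECIFIED, TRANSIENT, EMAIL)):
    """Return (format, value) of the assertion's Subject/NameID, or raise
    ValueError for the failure the SP in the thread hit (no NameID issued)."""
    root = ET.fromstring(response_xml)
    name_id = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID: the IdP's claim rules "
                         "do not issue one (compare the ADFS rules in the thread)")
    fmt = name_id.get("Format", UNSPECIFIED)  # absent Format treated as unspecified
    if fmt not in accepted:
        raise ValueError(f"NameID Format {fmt} is not one the SP accepts")
    return fmt, name_id.text.strip()

# Constructed sample Responses; signatures, Issuer, Status and Conditions omitted.
RESPONSE_WITH_NAMEID = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="{TRANSIENT}">_constructed-transient-id-1</saml:NameID>
  </saml:Subject></saml:Assertion></samlp:Response>"""
RESPONSE_WITHOUT_NAMEID = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Assertion><saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(name_id_policy(), name_id_policy(TRANSIENT, True), sep="\n")
    print(check_name_id(RESPONSE_WITH_NAMEID))
```

Running check_name_id on RESPONSE_WITHOUT_NAMEID raises the "no Subject/NameID" error, which is the SP-side symptom that led to fixing the ADFS claim rules.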