simpleSAMLphp as ADFS2.0 IdP for TMG


Thijs Kinkhorst

Jun 30, 2011, 5:22:07 AM
to simple...@googlegroups.com
Hi,

I was wondering if anyone had tried to use simpleSAMLphp as an Identity
Provider to MS' Threat Management Gateway / Unified Access Gateway. The end
goal is to allow our SAML-based users to log into Sharepoint (or even better:
all TMG protected applications).

As I understand it the ADFS 2.0 and SAML 2.0 protocols should be compatible.
In TMG I can add an ADFS 2.0 authentication source and it asks for Federation
Metadata in the form of a URL or XML file. When I supply our SSP's SAML2
metadata however, I get the following error:

MSIS7527: The metadata does not contain the role descriptors needed for the
entity to be configured as a relying party trust

I am not very versed in the Microsoft terminology and don't know what "role
descriptors" are or how I should get them in the metadata. Or am I approaching
this entirely the wrong way?


Thanks,
Thijs


--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services • P.O. Box 90153, 5000 LE
Visiting address: Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl


Tom Scavo

Jun 30, 2011, 8:30:30 AM
to simple...@googlegroups.com
On Thu, Jun 30, 2011 at 5:22 AM, Thijs Kinkhorst <th...@uvt.nl> wrote:
>
> MSIS7527: The metadata does not contain the role descriptors needed for the
> entity to be configured as a relying party trust
>
> I am not very versed in the Microsoft terminology and don't know what "role
> descriptors" are or how I should get them in the metadata. Or am I approaching
> this entirely the wrong way?

The term "role descriptor" is not MS-specific, it is a term that
refers to a node in SAML metadata. Two important role descriptors are
<md:IDPSSODescriptor> and <md:SPSSODescriptor>, which of course
contain metadata for an IdP and SP, respectively. For example, if you
are setting up AD FS 2.0 as an SP, it will be looking for an
<md:IDPSSODescriptor> element (or perhaps an abstract
<md:RoleDescriptor> element with type md:IDPSSODescriptorType).

AD FS 2.0 supports other protocols besides SAML V2.0 so it will
process a variety of concrete instances of the abstract
<md:RoleDescriptor> element. In particular, it supports WS-Federation,
which relies on a custom role descriptor (defined outside the SAML
metadata spec). Are you sure your AD FS 2.0 is configured for SAML
V2.0 and not WS-Fed?

Generally speaking, AD FS 2.0 is brain dead when it comes to SAML
metadata. At least that used to be the case when I looked at it
earlier:

https://docs.google.com/Doc?docid=0AZzfN_vJA7cvZGhzMmQ1d3FfNDNkd2ZiazNnNA&hl=en_US&authkey=CNySlZcI

I'd be interested in hearing if AD FS 2.0 has changed in this regard.
I'd be grateful if you would report back what you find out.

Thanks,
Tom

Olav Morken

Feb 6, 2013, 2:38:30 AM
to simple...@googlegroups.com
On Tue, Feb 05, 2013 at 07:40:04 -0800, Matthieu Bissat wrote:
> Hi,
>
> I just received the error "MSIS7527: The metadata does not contain the role
> descriptors..." and found this post while googling.
>
> My problem is that the metadata file retrieved from SSP only contains a
> <md:IDPSSODescriptor> element. It does NOT contain a <md:SPSSODescriptor>
> element.

It looks like you attempted to add your SSP IdP metadata to the ADFS
IdP instead of your SSP SP metadata. I assume that you don't get this
error if you pick your SP metadata instead?

Best regards,
Olav Morken
UNINETT / Feide
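A quick pre-upload check for the mix-up Olav describes (and for the role descriptors Tom explains above), as an added example that is not part of this thread or of simpleSAMLphp itself: it parses a SAML metadata file and lists which role descriptors it carries, so you can see whether it contains the SPSSODescriptor that an AD FS relying party trust needs or only an IDPSSODescriptor. Both metadata samples below are constructed, and their entity IDs and endpoint URLs are placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample in the shape of simpleSAMLphp *IdP* metadata (placeholder URLs).
# Offering this to AD FS as a relying party trust is the MSIS7527 case: no SP role.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.org/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample in the shape of simpleSAMLphp *SP* metadata (placeholder URLs).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def role_descriptors(metadata_xml: str) -> list:
    """Return the role descriptors found under each EntityDescriptor, in document order.

    Concrete roles (IDPSSODescriptor, SPSSODescriptor, ...) are reported by local name;
    an abstract <md:RoleDescriptor> is reported as "RoleDescriptor/<xsi:type>".
    """
    root = ET.fromstring(metadata_xml)
    entity_tag = f"{{{MD_NS}}}EntityDescriptor"
    # A file may be one EntityDescriptor or an EntitiesDescriptor wrapping several.
    entities = [root] if root.tag == entity_tag else root.findall(f".//{entity_tag}")
    found = []
    for entity in entities:
        for child in entity:
            if not (child.tag.startswith(f"{{{MD_NS}}}") and child.tag.endswith("Descriptor")):
                continue
            local = child.tag.split("}", 1)[1]
            if local == "RoleDescriptor":
                local = "RoleDescriptor/" + child.get(f"{{{XSI_NS}}}type", "untyped")
            found.append(local)
    return found


def suitable_for_relying_party_trust(metadata_xml: str) -> bool:
    """True if the metadata describes an SP role, which is what AD FS expects here."""
    roles = role_descriptors(metadata_xml)
    return any(r == "SPSSODescriptor" or r.endswith("SPSSODescriptorType") for r in roles)
```

Run it against the file you are about to hand to AD FS; if the output lists only `IDPSSODescriptor`, you picked the IdP metadata rather than the SP metadata.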