How to set up simplesamlphp to use ADFS 2 as idp

StackOverflow https://stackoverflow.com/questions/7768283

Pregunta

I'm trying to get simplesamlphp 1.8 to use ADFS 2 as IdP.

Now I'm seriously stuck when getting browser NTLM authentication dialog, which does not accept any login (after selecting "Test authentication sources" -> "default-sp").

In config/config.php

'default-sp' => array(
        'saml:SP',
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',
        'idp' => 'http://fs.example.org/adfs/services/trust',
    ),

In metadata/saml20-idp-remote.php (Converted from https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml with /admin/metadata-converter.php)

    $metadata['http://fs.example.com/adfs/services/trust'] = array (
  'entityid' => 'http://fs.example.com/adfs/services/trust',
  'contacts' => 
  array (
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIC3DCCA....',
    ),
    1 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIC1j....',
    ),
  ),
);

In ADFS Claim Rules I have "Permit Access to All Users" and Transform rule "E-Mail-Address -> Name ID"

Any ideas how to proceed?

¿Fue útil?

Solución

Actual problem was in that while setting DNS records I created a CNAME fs.example.com to dc.exampledomain.com. After replacing CNAME record to A record authentication went through.

This did not solved whole question but answered the getting stuck part :)

I also needed to set SHA-1 as secure hash algorithm in relying party properties instead of SHA-256.

Licenciado bajo: CC-BY-SA con atribución
No afiliado a StackOverflow
scroll top