How to connect AD FS 2.0 to Safewhere*Identify

This article describes how to connect AD FS 2.0 to Safewhere*Identify. It is recommended that you read the following document before starting:

SAML2.0 Protocol

The following example assumes that ADFS (fed.safewhere.local) acts as an SP for Identify (identify1.safewhere.local) using the SAML2.0 protocol.

ADFS Configuration

  1. Add a Claims Provider using the SAML2.0 metadata URL: https://identify1.safewhere.local/runtime/saml2/metadata.idp
  2. Create the claim rules described in the section Claim settings
  3. Change the AD FS 2.0 signature algorithm to the Secure Hash Algorithm (SHA) variant you want to use: right-click the trust > Properties > on the Advanced tab, in the Secure hash algorithm list, select either SHA-1 or SHA-256 and then click OK.
  4. Use Windows PowerShell to disable the certificate revocation check when self-signed certificates are used:
  • add-pssnapin microsoft.adfs.powershell
  • set-ADFSClaimsProviderTrust -targetname "Claims_Provider_Name" -SigningCertificateRevocationCheck None
  • set-ADFSClaimsProviderTrust -targetname "Claims_Provider_Name" -EncryptionCertificateRevocationCheck None
  • Set-ADFSClaimsProviderTrust -targetname "Claims_Provider_Name" -SignedSamlRequestsRequired $True (this setting resolves the error "Value cannot be null. Parameter name: signature", which occurs because ADFS did not sign the login request before passing it to Identify)

Identify Configuration

  1. Go to the Connections tab, create a SAML2.0 protocol connection and tick Enable
  2. Go back to the connection list, open the upload metadata form and point it to https://fed.safewhere.local/FederationMetadata/2007-06/FederationMetadata.xml

WS-Federation Protocol

The following example assumes that ADFS (fed.safewhere.local) acts as an SP for Identify (identify1.safewhere.local) using the WS-Federation protocol.

ADFS Configuration

  1. Add a Claims Provider using the federation metadata URL: https://identify1.safewhere.local/runtime/FederationMetadata/2007-06/FederationMetadata.xml
  2. Create the claim rules described in the section Claim settings
  • In this case, a Name pass-through rule needs to be created to pass the response from the Identify IdP to the Identify*Admin SP
  3. Change the AD FS 2.0 signature algorithm to the Secure Hash Algorithm (SHA) variant you want to use: right-click the trust > Properties > on the Advanced tab, in the Secure hash algorithm list, select either SHA-1 or SHA-256 and then click OK.
  4. Use Windows PowerShell to disable the certificate revocation check when self-signed certificates are used:
  • add-pssnapin microsoft.adfs.powershell
  • set-ADFSClaimsProviderTrust -targetname "Claims_Provider_Name" -SigningCertificateRevocationCheck None
  • set-ADFSClaimsProviderTrust -targetname "Claims_Provider_Name" -EncryptionCertificateRevocationCheck None

Identify Configuration

  1. Go to the Connections tab, create a Federation protocol connection and tick Enable
  2. Go back to the connection list, open the upload metadata form and point it to https://fed.safewhere.local/FederationMetadata/2007-06/FederationMetadata.xml

Claim settings

A typical set up when Identify is an IdP of AD FS 2.0 is:

SP → AD FS 2.0 → Identify

So in terms of claims issuance and transformation, there are two steps:

  1. Identify → AD FS 2.0: AD FS 2.0 applies transformation rules to the incoming claims. For example, a name pass-through rule allows the name claim from Identify to pass through to the outgoing connection.
  2. AD FS 2.0 → SP: configured in the same way as when connecting Identify to AD FS 2.0
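The following script is an added example, not part of the Safewhere documentation or product. It applies the AD FS 2.0 side of the SAML2.0 setup from the ADFS Configuration section in one pass (revocation checks off, signed requests required, SHA-256 signatures, and the name pass-through acceptance rule from step 1 above) and then reads the trust back to confirm the settings took effect. The trust name, the choice of SHA-256 and the rule name are assumptions; the revocation-check settings are only appropriate while self-signed certificates are in use, as the page notes.

```powershell
# Added example (assumed environment): configure the Identify claims provider trust
# in AD FS 2.0 via PowerShell and verify the result. Not Safewhere's own code.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName = "Claims_Provider_Name"   # display name of the Identify claims provider trust (assumed)

# Acceptance transform rule in the AD FS claim rule language: forward the incoming
# name claim from Identify unchanged. Rule name is an assumption.
$rules = @'
@RuleName = "Pass through Name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);
'@

# Apply the settings listed in the ADFS Configuration section in a single call.
# Revocation checks are disabled only because self-signed certificates are used.
Set-ADFSClaimsProviderTrust -TargetName $trustName `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None `
    -SignedSamlRequestsRequired $true `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -AcceptanceTransformRules $rules

# Verify: read the trust back and stop if any setting differs from what was requested.
$trust = Get-ADFSClaimsProviderTrust -Name $trustName
if (-not $trust) {
    throw "Claims provider trust '$trustName' was not found."
}
if ($trust.SigningCertificateRevocationCheck -ne "None" -or
    $trust.EncryptionCertificateRevocationCheck -ne "None" -or
    -not $trust.SignedSamlRequestsRequired) {
    throw "Claims provider trust '$trustName' is not configured as expected."
}

# Show the effective values for the record.
$trust | Select-Object Name, SignatureAlgorithm, SigningCertificateRevocationCheck,
    EncryptionCertificateRevocationCheck, SignedSamlRequestsRequired
```

Run it in an elevated PowerShell session on the AD FS 2.0 server after the claims provider trust has been created from the Identify metadata URL.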

The minimal set of transformation rules for claims from Identify that works is: