ADFS Implementation

From GFIPM Implementation Wiki
Revision as of 17:42, 27 April 2011 by Jeff.Krug (Talk | contribs)


ADFS 2.0 is Microsoft's Windows Server component that enables Single Sign-On. It includes sufficient support for the SAML standards to be compatible with GFIPM. This article is not a comprehensive guide to deploying ADFS 2.0 as a GFIPM Identity Provider, but it covers a few of the areas where conforming to the GFIPM Web Browser User-to-System Profile requires departing from ADFS 2.0's defaults.

Federation Terminology

The terminology used by Microsoft differs from the terminology used in the GFIPM standards. You may want to familiarize yourself with ADFS Terminology and GFIPM Terminology before you proceed. The two most important differences to be aware of are that what ADFS calls claims are termed attributes within GFIPM, and that ADFS's Relying Parties are GFIPM Service Providers. There are many other differences as well, but recognizing these two is fundamental.

Attribute Names

One of the core requirements for implementing the GFIPM Web Browser User-to-System Profile is proper use of the GFIPM 2.0 Metadata Standard. This attribute set requires special ADFS configuration because the default attributes/claims that ADFS uses are all Microsoft-specific. This ADFS Blog Article discusses how to configure ADFS to operate with Shibboleth, and the Common Issues noted at the bottom detail how to configure ADFS to use different Attribute Names and NameFormats (both must be correct to be GFIPM compliant).

Assertion and Response Signing

By default ADFS 2.0 does not sign both the SAML Response and the SAML Assertion as part of the SSO profile; signing both is required by the GFIPM Web Browser User-to-System Profile. To configure ADFS to sign both, use the following PowerShell command:

 Set-ADFSRelyingPartyTrust -TargetIdentifier <url> -Identifier <url> -SamlResponseSignature 'MessageAndAssertion'

For more details on the full capabilities of configuring ADFS via PowerShell, review the Microsoft article AD FS 2.0 Cmdlets in Windows PowerShell.

Trust Management

By default ADFS requires the certificates it trusts to carry valid CRL (Certificate Revocation List) publication URLs. This is not a GFIPM requirement and is in fact at odds with the GFIPM Cryptographic Trust Model. GFIPM anchors trust on whether a party is within the trust fabric or not, and the equivalent of a certificate revocation is handled by removal from the trust fabric. In most cases it is not practical for the certificates to include CRL distribution points, since they are self-signed. There is another PowerShell command available to change this ADFS requirement:

 Set-ADFSRelyingPartyTrust -TargetIdentifier <url> -Identifier <url> -EncryptionCertificateRevocationCheck 'None'

For the full details of this command, see the Microsoft Documentation.
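The two relying party settings above (response/assertion signing and the revocation check) are the kind of thing that silently drifts when a trust is recreated from metadata. The following audit script is an added example, not part of this wiki or of Microsoft's documentation; it reads the trust back with Get-AdfsRelyingPartyTrust, reports any setting that does not match the GFIPM profile, and applies the same Set-AdfsRelyingPartyTrust parameters shown above when run with -Fix. It assumes the AD FS 2.0 snap-in is installed on the server where it runs, and the SP identifier in the usage line is a hypothetical value.

```powershell
# Added example (not from the GFIPM wiki or Microsoft): audit an ADFS 2.0 relying
# party trust against the GFIPM signing and revocation settings, optionally fixing it.
# Assumption: run on the ADFS 2.0 server with the Microsoft.Adfs.PowerShell snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Test-GfipmRelyingPartyTrust {
    param(
        [Parameter(Mandatory = $true)][string]$Identifier,
        [switch]$Fix
    )

    $rp = Get-AdfsRelyingPartyTrust -Identifier $Identifier
    if (-not $rp) {
        throw "No relying party trust found for identifier '$Identifier'"
    }

    $findings = @()

    # GFIPM Web Browser User-to-System Profile: both the Response and the Assertion must be signed.
    if ($rp.SamlResponseSignature -ne 'MessageAndAssertion') {
        $findings += "SamlResponseSignature is '$($rp.SamlResponseSignature)', expected 'MessageAndAssertion'"
    }

    # GFIPM trust fabric membership replaces CRL checking on the (self-signed) partner certificate.
    if ($rp.EncryptionCertificateRevocationCheck -ne 'None') {
        $findings += "EncryptionCertificateRevocationCheck is '$($rp.EncryptionCertificateRevocationCheck)', expected 'None'"
    }

    if ($findings.Count -eq 0) {
        Write-Output "[OK] $($rp.Name): GFIPM signing and revocation settings in place"
        return $true
    }

    foreach ($f in $findings) { Write-Output "[DRIFT] $($rp.Name): $f" }

    if ($Fix) {
        # Same cmdlet the article uses; -TargetIdentifier selects the trust to modify.
        Set-AdfsRelyingPartyTrust -TargetIdentifier $Identifier `
            -SamlResponseSignature 'MessageAndAssertion' `
            -EncryptionCertificateRevocationCheck 'None'
        Write-Output "[FIXED] $($rp.Name): settings applied"
        return $true
    }
    return $false
}

# Usage (hypothetical SP entity ID; report only, add -Fix to apply the settings):
Test-GfipmRelyingPartyTrust -Identifier 'https://sp.example.org/shibboleth'
```

Running it without -Fix from a scheduled task gives a cheap drift check across every GFIPM relying party after metadata refreshes.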

Name IDs

Frequently, when initiating federated SSO, it is necessary to request a specific Name ID type. GFIPM supports two Name ID types (*case sensitive*) within the GFIPM Web Browser User-to-System Profile:

To specify a NameID type within ADFS, use the following PowerShell command:

 Set-AdfsClaimsProviderTrust -TargetName "Claim Provider's Name" -RequiredNameIdFormat "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"