ADFS Implementation

From GFIPM Implementation Wiki
Jump to: navigation, search
Main Page


ADFS 2.0 is Microsoft's Windows Server component that enables Single Sign On. It includes sufficient support for the SAML standards so as to be compatible with GFIPM. The contents of this article are not comprehensive for deploying ADFS 2.0 as a GFIPM Identity Provider, but it does cover a few of the areas where conforming to the GFIPM Web Browser User-to-System Profile varies from ADFS 2.0's defaults.

Federation Terminology

The terminology used by Microsoft varies from the terminology used within GFIPM standards. You should become familiar with ADFS Terminology and GFIPM Terminology before you proceed. The two most important terminology conflicts are the following:

ADFS Term GFIPM Term
claims attributes
Relying Parties Service Providers

Attribute Names

One of the core things required to implement the GFIPM Web Browser User-to-System Profile is the proper usage of the GFIPM 2.0 Metadata Standard. This attribute set requires special ADFS configuration as the default attributes/claims that ADFS uses are all Microsoft specific. This ADFS Blog Article discusses how to configure ADFS to operate with Shibboleth, and the Common Issues noted at the bottom detail how to configure ADFS to use different Attribute Names and NameFormats (both must be correct to be GFIPM Compliant).

Assertion and Response Signing

By default ADFS 2.0 does not sign both the SAML Response and SAML Assertion as part of the SSO profile. This is required by the GFIPM Web Browser User-to-System Profile. To configure ADFS to sign both you will need to use a Powershell command:

 Set-ADFSRelyingPartyTrust -TargetIdentifier <url> -Identifier <url> -SamlResponseSignature 'MessageAndAssertion'

For more details on the full capabilities of configuring ADFS via Powershell you can review the Microsoft Article AD FS 2.0 Cmdlets in Windows PowerShell.

Trust Management

By default ADFS requires certificates that it trusts to have valid CRL (Certificate Revocation List) publication URLs. This is not a GFIPM requirement and in fact is counter-intuitive to the GFIPM Cryptographic Trust Model. GFIPM anchors trust on being within the trust fabric or not, and the equivalent of a certificate revocation is handled by removal from the trust fabric. In most cases it is not practical for certificates to include CRLs since the certificates are self-signed. There is another Powershell command available to change this ADFS requirement:

 Set-ADFSRelyingPartyTrust -TargetIdentifier <url> -Identifier <url> -EncryptionCertificateRevocationCheck 'None'

To review the full details of this command review the Microsoft Documentation.

Name IDs

When initiating federated SSO, it is frequently necessary to request a specific Name ID type. GFIPM supports two Name ID types (case sensitive) within GFIPM Web Browser User-to-System Profile:

To specify a specific NameID type within ADFS you can use a PowerShell command:

 set-adfsClaimsProviderTrust –targetName “Claim Provider’s Name” –RequiredNameIdFormat “urn:oasis:names:tc:SAML:2.0:nameid-format:transient”


Main Page