simpleSAMLphp on IIS from scratch (with AD FS)

Create a new web application that will require AD FS Authentication

Create a new web application that will require AD FS Authentication

  1. Open IIS and create a new web application.
    • I’ll call it simpleTest (remember, from the RelayState above?)
    • It’ll use the DefaultAppPool (so with simpleSAMLphp running as the other pool, running as a local admin’s user, this will work).
    • Enable Anonymous authentication and Disable Windows authentication if enabled since we want to let the users login via AD FS.
  2. Our simple test web application will require 4 files.’s post explained why we will need 2 “logout” pages. One will actually perform the action and the second one is the landing page. If the landing page was back on the index, you’ll end up being asked to login again.
    • Index.php which I modified a bit from Lewis’ post. I’ve added the redirection to an error.php page in case of errors.
    • Error.php (I didn’t bother adding the HTML tags etc).
      • Note: $s[‘SimpleSAML_Auth_State.exceptionData’]->getMessage() is the one that will contain the error message.
    • logout.php (this doesn’t really need any HTML tag as it’s only performing the logoff and the redirection).
    • logged_out.php (I didn’t bother adding the HTML tags etc).

Here’s an example of the index.php page after logging in through AD FS:

As you can see, I’m using a direct integration with the simpleSAMLphp file C:\inetpub\wwwroot\simplesamlphp\lib\_autoload.php. So we can have as many web applications, that may or may not use the same SP (you can create as many SPs as you want), on the same server.

Just add your second SP right under the first one, you can use the same Cert and Key and add it to AD FS. I’d prefer to have multiple SPs configured as multiple Relying Party Trusts, rather than one for multiple web apps (unless you want to direct the traffic your own way).

At this specific stage, if you wanted to add a new SP and a new web app, you would just follow the last 4 sections:

  1. Create the SP.
  2. Configure the Relying Party Trust in AD FS and the claims.
  3. Test the SP.
  4. Create a new web application.

This is it on how to install and configure simpleSAMLphp on IIS from scratch (with AD FS).

4 thoughts on “simpleSAMLphp on IIS from scratch (with AD FS)

  1. Great.
    Question you have the simplesaml install going to a application folder , i thought virtual directory under IIS was the preferred

    1. Thanks Dan! That’s why I wrote about it. It took me a while to get all of the pieces together and working out what config worked best.

Leave a Reply

Your email address will not be published. Required fields are marked *