simpleSAMLphp on IIS from scratch (with AD FS)



  • An Identity Provider. This guide uses AD FS 2016, but I know the same steps work on AD FS 2012 R2 as well.
  • simpleSAMLphp; download the latest release from the official website.
  • IIS (any web server will do, but this guide focuses on IIS) with PHP already installed.
    • The web server must be reachable over HTTPS. Terminating TLS on a load balancer and talking plain HTTP to the web server behind it is fine:
      • End User << [HTTPS] >> Load Balancer VIP << [HTTP] >> Web Server
      In that layout the SAML response (a bearer assertion) crosses the balancer-to-server hop in clear text, so keep that segment on a trusted network. Also set baseurlpath in simpleSAMLphp's config.php to the public https:// address, otherwise the metadata and AssertionConsumerService URLs it publishes will be http:// and will not match what AD FS sends the browser to.
    • The simpleSAMLphp installation must be on the same web server as the web applications you want to integrate with AD FS (or any other IdP).
  • OpenSSL. It is needed once, to generate the self-signed certificate and private key that simpleSAMLphp uses as its SP key pair. The public certificate is what you import into the Relying Party Trust on AD FS so that the two sides trust each other; the private key stays on the web server, readable only by the account simpleSAMLphp runs as.
  • A service account for simpleSAMLphp's Application Pool that is a local Administrator on the server.
    • If every web application will run under a single account (even IUSR), the default application pool configuration is enough. You will run into trouble when a web application running as a different account tries to use a simpleSAMLphp instance running as IUSR, typically because that application's identity cannot read simpleSAMLphp's files and session data. Running the simpleSAMLphp pool as a local administrator, with either a local or a domain account (SYSTEM also works, but I don't recommend it), gets around this and lets web applications running as different users use it. Be aware that local Administrator is far more than simpleSAMLphp itself needs; the narrower fix is to grant each calling application pool identity NTFS read access to the simpleSAMLphp folder, plus write access to the directories simpleSAMLphp writes to.
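As an added example (not part of the original post, and not simpleSAMLphp's or Microsoft's own code), the following PowerShell performs the server-side preparation the list above describes: it generates the self-signed SP certificate and key with OpenSSL, creates an application pool running as a dedicated service account, and, instead of making that account a local Administrator, grants the calling application pools NTFS access to the simpleSAMLphp tree. The install path, pool names and account name are placeholders, and openssl.exe and the IIS WebAdministration module are assumed to be available.

```powershell
# Added example, not from the original post. Assumptions (placeholders you must adapt):
#   - openssl.exe is on PATH and the IIS WebAdministration module is installed
#   - simpleSAMLphp is unpacked at C:\inetpub\simplesamlphp
#   - the pool name, service account and calling-pool names below are invented
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$sspRoot     = 'C:\inetpub\simplesamlphp'
$certDir     = Join-Path $sspRoot 'cert'
$poolName    = 'simplesamlphp'            # hypothetical pool name
$svcUser     = 'CONTOSO\svc-simplesaml'   # hypothetical domain service account
$callerPools = @('App1Pool', 'App2Pool')  # hypothetical pools of the apps that will use simpleSAMLphp

# 1. SP certificate and key: 2048-bit RSA, 10 years, no passphrase (PHP must read it unattended).
#    saml.crt is what goes into the AD FS Relying Party Trust; saml.pem never leaves this server.
New-Item -ItemType Directory -Force -Path $certDir | Out-Null
& openssl req -x509 -newkey rsa:2048 -nodes -days 3652 -subj '/CN=sp.example.com' `
    -keyout (Join-Path $certDir 'saml.pem') -out (Join-Path $certDir 'saml.crt')
if ($LASTEXITCODE -ne 0) { throw "openssl exited with code $LASTEXITCODE" }

# 2. A dedicated application pool running as the service account (identityType 3 = SpecificUser).
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
$secure = Read-Host -AsSecureString -Prompt "Password for $svcUser"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel `
    -Value @{ identityType = 3; userName = $svcUser; password = $plain }

# 3. File permissions instead of local Administrator. The service account gets Modify on the
#    tree; each calling pool identity gets Read/Execute so its PHP can load simpleSAMLphp's
#    code and config. Directories simpleSAMLphp writes to (its configured tempdir, the PHP
#    session path) need Modify for the callers as well; grant that on those directories only.
$acl     = Get-Acl $sspRoot
$inherit = 'ContainerInherit,ObjectInherit'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $svcUser, 'Modify', $inherit, 'None', 'Allow')))
foreach ($pool in $callerPools) {
    # 'IIS AppPool\<name>' is the virtual identity of a pool using ApplicationPoolIdentity;
    # if a calling pool runs as a real account, put that account here instead.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "IIS AppPool\$pool", 'ReadAndExecute', $inherit, 'None', 'Allow')))
}
Set-Acl -Path $sspRoot -AclObject $acl

# 4. Sanity checks: the key file exists and the pool really runs as the service account.
Get-Item (Join-Path $certDir 'saml.pem') | Select-Object FullName, Length
(Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel).userName
```

Run it once in an elevated PowerShell on the web server. Afterwards, saml.crt is the file to upload to the Relying Party Trust in AD FS, and the simpleSAMLphp pool account is the only identity that needs to read saml.pem unless a calling application includes the simpleSAMLphp library in-process, in which case that pool identity needs read access to the key as well.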

4 thoughts on “simpleSAMLphp on IIS from scratch (with AD FS)”

  1. Great.
    Question: you have the simpleSAMLphp install going into an application folder; I thought a virtual directory under IIS was preferred?

    1. Thanks Dan! That’s why I wrote about it. It took me a while to get all of the pieces together and working out what config worked best.
