simpleSAMLphp on IIS from scratch (with AD FS)

Creating the Service Provider that we will use with our web app (which we haven't created yet)

In order for our web application (which we will build in a little bit) to use AD FS as authentication mechanism, we need to create a Service Provider (SP).

  1. Edit authsources.php under C:\inetpub\wwwroot\simpleSAMLphp\config. This file holds every authentication source (service provider) for this installation. There is a default-sp entry in it already; you can remove it.
  2. Thanks to ‘s post, we have everything we need to build an SP that interfaces correctly with AD FS.
    • Note: RelayState is something I’ve added. It is useful when RelayState is enabled on the AD FS side and the user logs in directly from the AD FS page, selecting your application (which we haven’t added to AD FS yet). The RelayState forwards the session to your web app, which in the above will be located under
    • The SP is called MyPHPTest01-sp.
    • idp: this is the entity ID of the AD FS IdP, which you can find in the Federation Metadata XML you downloaded earlier. It will most likely start with http:// rather than https://. Remember, that is just the entity ID of the IdP, not a URL that gets fetched.
    • privatekey and certificate are the file names of the key and the certificate that we moved into the \Cert folder, the ones we created with OpenSSL.
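The authsources.php entry the bullets above describe, written out as an added example (simpleSAMLphp 1.x array syntax; this is not the post’s own listing). The host names, file names, the RelayState URL and the two signing options are assumptions: replace the <...> placeholders with your own values and adjust the signing options to match your relying-party trust in AD FS.

```php
<?php
// config/authsources.php (added example; <...> values are placeholders)
$config = array(

    // Name of the authentication source. The web app passes this name to
    // SimpleSAML_Auth_Simple, and it becomes part of the SP metadata URL.
    'MyPHPTest01-sp' => array(
        'saml:SP',

        // Entity ID of this SP. Setting it explicitly keeps it stable if the
        // site is later moved to another host name.
        'entityID' => 'https://<your-web-host>/simplesaml/module.php/saml/sp/metadata.php/MyPHPTest01-sp',

        // Entity ID of the AD FS IdP, copied from the entityID attribute of the
        // FederationMetadata.xml you downloaded. It is an identifier, not a URL
        // to fetch, so the http:// scheme is expected and must match exactly
        // the key used for this IdP in metadata/saml20-idp-remote.php.
        'idp' => 'http://<adfs-host>/adfs/services/trust',

        // Files in the \Cert folder (the certdir configured in config.php).
        // The private key must never be reachable through IIS or end up in
        // source control; only the certificate is published in the SP metadata.
        'privatekey'  => 'saml.pem',
        'certificate' => 'saml.crt',

        // Where to send the user after an IdP-initiated login from the AD FS
        // page, when no RelayState arrives with the SAML response.
        'RelayState' => 'https://<your-web-host>/myphptest01/',

        // Assumption: sign our AuthnRequests with RSA-SHA256, which is what
        // AD FS expects by default, instead of the older SHA-1 algorithm.
        'sign.authnrequest'   => true,
        'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    ),
);
```

After saving the file, open https://<your-web-host>/simplesaml/module.php/core/frontpage_federation.php and confirm that MyPHPTest01-sp is listed and that its metadata contains only the certificate, never the key.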

4 thoughts on “simpleSAMLphp on IIS from scratch (with AD FS)”

  1. Great.
    Question: you have the simplesaml install going to an application folder; I thought a virtual directory under IIS was preferred.

    1. Thanks Dan! That’s why I wrote about it. It took me a while to get all of the pieces together and working out what config worked best.
