simpleSAMLphp on IIS from scratch (with AD FS)

Configuring the Relying Party Trust in AD FS

We’re finally ready to finalize the AD FS <-> simpleSAMLphp configuration, and this is the last step of the integration. At this point you must know what the web application we’ll build later on needs from the IdP (AD FS). For our testing, let’s say we want AD FS to return the UserPrincipalName, the E-Mail Addresses and the SamAccountName of the user who’s logging on to our application.

  1. Go to https://itdroplets.com/simpleSAMLphp/www and click on the Federation’s tab.
  2. You’ll see a list of SPs, and you’ll notice there’s also the one we just added, MyPHPTest01-sp.
    • This is basically a list of Entity IDs.
    • The Entity ID link you see there contains the XML file with the configuration of the SP we added earlier in authsources.php. This is why I didn’t want to restrict access to the XML link for the Entity IDs: adding them to AD FS is pretty simple this way, and any change to the SP will be reflected on the AD FS end too.
  3. Copy the Entity ID you see.
    • https://itdroplets.com/simplesamlphp/www/module.php/saml/sp/metadata.php/MyPHPTest01-sp
  4. Open AD FS and expand Relying Party Trusts on the left pane.
  5. Click Add Relying Party Trust.
  6. Paste the Entity ID under Import data about the relying party published online or on a local network.
    • If you receive an error at this point, make sure the XML path is reachable:
      • admin.protectmetadata is set to false in config.php
      • Anonymous authentication is enabled
      • Windows authentication is disabled
      • All users are allowed to access the simpleSAMLphp page
    • This is an example of the error you may get when AD FS doesn’t have the rights to access the link you fed it.
  7. If you receive a warning, ignore it.
  8. Specify the Display Name of your app; I’ll call it MyPHPTest01.
  9. Choose the Access Control Policy you want for the web app we will configure in a while.
  10. Now you can review all the info; you’ll see the certificate, etc.

We’re ready to set up the claims.

  1. Select the Relying Party Trust just created and click on Edit Claim Issuance Policy on the right pane.
  2. Add a new rule; this one retrieves the UserPrincipalName, the e-mail addresses and the SamAccountName. The rule has to be created using the Send LDAP Attributes as Claims template.
    • Specify the Rule name, the Attribute Store and the actual claims.
  3. Add a new rule again, this time using the Transform an Incoming Claim template. This rule is needed (thanks again to lewisroberts.com’s post) for this to work correctly. Configure it like this:

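As an added example (not from this post, and not simpleSAMLphp’s or lewisroberts.com’s configuration), here is the same work done with the AD FS PowerShell module instead of the GUI: the anonymous reachability check behind step 6’s troubleshooting list, the trust import from the metadata URL, and the two claim rules. It assumes the Entity ID from step 3, the display name MyPHPTest01, an access control policy named “Permit everyone”, the standard UPN / E-Mail Address / Name outgoing claim types for the three attributes, and a UPN-to-Name-ID transform as a stand-in for the transform rule the post shows; all of these are assumptions, not values taken from the post.

```powershell
# Added example, not part of the IT Droplets post. Run on the AD FS server as an
# AD FS administrator. Every value below is an assumption: adjust to your setup.
$entityId    = 'https://itdroplets.com/simplesamlphp/www/module.php/saml/sp/metadata.php/MyPHPTest01-sp'
$displayName = 'MyPHPTest01'
$policyName  = 'Permit everyone'   # assumed access control policy name (step 9)

# 1. Reachability check (the troubleshooting list under step 6). AD FS fetches the
#    metadata anonymously, so this request deliberately sends no credentials.
#    A 401/403 here means admin.protectmetadata, anonymous authentication or the
#    IIS authorization rules are blocking AD FS.
$resp = Invoke-WebRequest -Uri $entityId -UseBasicParsing -ErrorAction Stop
[xml]$md = $resp.Content
if ($md.EntityDescriptor.entityID -ne $entityId) {
    throw "Metadata entityID '$($md.EntityDescriptor.entityID)' does not match '$entityId'"
}

# 2. Create the Relying Party Trust from the published metadata (GUI steps 4-10).
#    Monitoring + auto-update make AD FS re-read the metadata periodically, which is
#    why the post keeps the metadata URL unprotected.
Add-AdfsRelyingPartyTrust -Name $displayName -MetadataUrl $entityId `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -AccessControlPolicyName $policyName

# 3. Claim issuance rules in AD FS claim rule language.
#    Rule 1 = "Send LDAP Attributes as Claims": UPN, mail and sAMAccountName.
#    Rule 2 = "Transform an Incoming Claim". The UPN -> Name ID (transient) mapping
#    is an assumed placeholder; the post's own transform rule is the one it shows.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN, e-mail and sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,mail,sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform UPN to Name ID (assumed mapping)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

Set-AdfsRelyingPartyTrust -TargetName $displayName -IssuanceTransformRules $rules

# 4. Verify what AD FS now holds for this SP: identifier, signing cert and rules
#    (the same information the GUI shows on the review page of step 10).
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, MetadataUrl, AutoUpdateEnabled,
        @{ n = 'SigningCertThumbprint'
           e = { ($_.RequestSigningCertificate | Select-Object -First 1).Thumbprint } },
        IssuanceTransformRules
```

The reachability check is worth keeping even after the trust exists: with auto-update enabled, AD FS keeps pulling the metadata on a schedule, so the same anonymous access that the import needed must stay in place, and a later hardening change on the IIS side shows up first as a silently stale trust rather than as an error in the GUI.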
IT Droplets