ADFS configuration reference

Configure ADFS in the PE console with these settings and values.

ADFS configuration values

In the PE console, configure these values in the Identity provider information and Service provider configuration options sections of the SSO configuration page.

Setting (PE configuration key): ADFS configuration value

Display name (display_name)

Example: "ADFS"

Identity provider entity ID (idp_entity_id)

An HTTP or HTTPS URL indicating the ADFS Identifier.

To find your URL, in the ADFS Microsoft Management Console, click Edit Federation Service Properties.

Example: "http://<federation service name>/adfs/services/trust"

Identity provider SSO URL (idp_sso_url)

The ADFS Single Sign On URL.

To find your SSO URL, in the ADFS Microsoft Management Console, navigate to ADFS > Service > Endpoints. Under Token Issuance, in the Type column, click the endpoint that specifies SAML 2.0/WS-Federation.

Example: "https://<federation service name>/adfs/ls/"

Identity provider SLO URL (idp_slo_url)

The ADFS Single Sign On URL with ?wa=wsignout1.0 added to the end.

Example: "https://<federation service name>/adfs/ls/?wa=wsignout1.0"

Identity provider SLO response URL (idp_slo_response_url)

The same as the ADFS SLO URL.

Example: "https://<federation service name>/adfs/ls/?wa=wsignout1.0"

IdP certificate (idp_certificate)

The ADFS Token Signing certificate.

To get the certificate, run this PowerShell script on your ADFS server:

# Select the primary token-signing certificate (the one ADFS currently signs assertions with).
$cert = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary -eq $true
$oPem = New-Object System.Text.StringBuilder
# [void] keeps AppendLine from echoing the StringBuilder to the console on every call.
[void]$oPem.AppendLine("-----BEGIN CERTIFICATE-----")
# InsertLineBreaks wraps the Base64 body at 76 characters, as the PEM format expects.
[void]$oPem.AppendLine([System.Convert]::ToBase64String($cert.Certificate.RawData, [System.Base64FormattingOptions]::InsertLineBreaks))
[void]$oPem.AppendLine("-----END CERTIFICATE-----")
# Windows PowerShell's Out-File defaults to UTF-16; force ASCII so the PEM is accepted when pasted into the PE console.
$oPem.ToString() | Out-File -FilePath ./adfs_token_signing.pem -Encoding ascii

Example:

-----BEGIN CERTIFICATE-----
MIIGADCCA+igAwIBAgIBAjANBgkqhki
...
STkGww==
-----END CERTIFICATE-----

Name ID encrypted? (name_id_encrypted): true
Sign authentication requests? (authn_request_signed): true
Sign logout response? (logout_response_signed): true
Sign logout requests? (logout_request_signed): true
Require signed messages? (want_messages_signed): false
Require signed assertions? (want_assertions_signed): true
Sign metadata? (sign_metadata): true
Require encrypted assertions? (want_assertions_encrypted): true
Require name ID encrypted? (want_name_id_encrypted): true
Requested authentication context (requested_auth_context): urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Requested authentication context comparison (requested_auth_context_comparison): exact
Allow duplicated attribute name? (allow_duplicated_attribute_name): false
Validate xml? (want_xml_validation): true
Signature algorithm (signature_algorithm): rsa-sha256
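The identity provider values above (entity ID, SSO URL, SLO URL, token-signing certificate) can be read straight from the ADFS server instead of clicking through the MMC. The following script is an added example and is not part of the Puppet Enterprise documentation or product; it assumes the ADFS PowerShell module is installed on the server, that the SAML 2.0/WS-Federation endpoint is published under the default /adfs/ls/ path, and that Get-AdfsEndpoint exposes the AddressPath, Enabled and FullUrl properties it shows in the MMC.

```powershell
# Added example (not from the Puppet Enterprise docs): collect the identity
# provider values the PE console asks for, and the identity of the signing
# certificate, directly from the ADFS server. Run in an elevated session on ADFS.
Import-Module ADFS

$props = Get-AdfsProperties

# idp_entity_id: the Federation Service identifier, the same value shown under
# "Edit Federation Service Properties" in the MMC.
$idpEntityId = "$($props.Identifier)"

# idp_sso_url: the enabled SAML 2.0/WS-Federation endpoint at /adfs/ls/
# (assumption: the default address path is in use).
$ssoEndpoint = Get-AdfsEndpoint |
    Where-Object { $_.AddressPath -eq '/adfs/ls/' -and $_.Enabled } |
    Select-Object -First 1
if (-not $ssoEndpoint) {
    throw "No enabled endpoint at /adfs/ls/ was found; check ADFS > Service > Endpoints."
}
$idpSsoUrl = "$($ssoEndpoint.FullUrl)"

# idp_slo_url and idp_slo_response_url: the SSO URL with ?wa=wsignout1.0 appended.
$idpSloUrl = $idpSsoUrl + '?wa=wsignout1.0'

# idp_certificate: thumbprint and expiry of the primary token-signing certificate,
# so the exported PEM can be checked against the live certificate before it is
# pasted into the console, and so its rollover date is known.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary -eq $true

[pscustomobject]@{
    idp_entity_id          = $idpEntityId
    idp_sso_url            = $idpSsoUrl
    idp_slo_url            = $idpSloUrl
    idp_slo_response_url   = $idpSloUrl
    idp_certificate_thumb  = $signing.Thumbprint
    idp_certificate_expiry = $signing.Certificate.NotAfter
} | Format-List
```

Compare the thumbprint it prints with the certificate in adfs_token_signing.pem (for example with openssl x509 -noout -fingerprint -sha1 -in adfs_token_signing.pem) before pasting the PEM into the console; ADFS rolls the token-signing certificate automatically when AutoCertificateRollover is on, and a stale PEM in the console will fail signature validation on every login once the new certificate becomes primary.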

Attribute binding values for ADFS

In the PE console, add these values in the Attribute binding section of the SSO configuration page.

Attribute binding value: ADFS value

User: http://schemas.xmlsoap.org/claims/CommonName
Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Display name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Groups: http://schemas.xmlsoap.org/claims/Group
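The PE-side settings in the first table (signed authentication requests, encrypted assertions, encrypted name ID, RSA-SHA256 signatures) only work if the relying party trust on ADFS is configured to match, and the four claim types in the attribute binding table only arrive if an issuance rule emits them. The following script is an added example, not code from the Puppet Enterprise documentation or product, showing one way to register the PE console as a relying party with matching settings. Its assumptions are labelled placeholders: the console's SAML entity ID, assertion consumer service URL and logout URL come from the console's own SAML metadata, its signing and encryption certificates have been exported to .cer files, and the LDAP attributes cn, mail, displayName and tokenGroups are one reasonable choice for feeding the four claims, not a mapping the page prescribes.

```powershell
# Added example (not from the Puppet Enterprise docs): create a relying party
# trust for the PE console whose ADFS-side requirements mirror the PE-side
# settings, plus an issuance rule for the four claim types PE binds to.
# Run in an elevated session on the ADFS server.
Import-Module ADFS

# Placeholders: take the real values from the PE console's SAML metadata and
# from certificates exported from the console.
$peEntityId  = 'https://<pe console>/<entity id from PE SAML metadata>'
$peAcsUrl    = 'https://<pe console>/<assertion consumer URL from PE SAML metadata>'
$peSloUrl    = 'https://<pe console>/<single logout URL from PE SAML metadata>'
$peSignCer   = 'C:\<path>\pe_console_signing.cer'      # verifies PE's signed AuthnRequests and LogoutRequests
$peEncCer    = 'C:\<path>\pe_console_encryption.cer'   # encrypts assertions and the name ID for PE

$signCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $peSignCer
$encCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $peEncCer

# SAML endpoints on the PE side: assertions are POSTed to the ACS, and logout
# (which PE signs, per logout_request_signed / logout_response_signed) uses Redirect.
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST     -Protocol SAMLAssertionConsumer -Uri $peAcsUrl -Index 0),
    (New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout            -Uri $peSloUrl)
)

# Issue the four claim types from the attribute binding table. The LDAP
# attributes on the right of the query are an assumption for this example;
# tokenGroups yields unqualified group names for the Groups binding.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Puppet Enterprise attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/CommonName", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/claims/Group"), query = ";cn,mail,displayName,tokenGroups;{0}", param = c.Value);
'@

# Splatting lets each ADFS parameter be annotated with the PE setting it matches.
$trust = @{
    Name                       = 'Puppet Enterprise console'
    Identifier                 = $peEntityId
    SamlEndpoint               = $endpoints
    # authn_request_signed = true: ADFS rejects AuthnRequests that PE has not signed,
    # and needs PE's signing certificate to verify them.
    SignedSamlRequestsRequired = $true
    RequestSigningCertificate  = $signCert
    # want_assertions_encrypted = true
    EncryptionCertificate      = $encCert
    EncryptClaims              = $true
    # want_name_id_encrypted = true
    EncryptedNameIdRequired    = $true
    # want_assertions_signed = true, want_messages_signed = false
    SamlResponseSignature      = 'AssertionOnly'
    # signature_algorithm = rsa-sha256
    SignatureAlgorithm         = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    IssuanceTransformRules     = $issuanceRules
    # Who may log in: permit everyone who authenticates; tighten this to a group in production.
    IssuanceAuthorizationRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
}

Add-AdfsRelyingPartyTrust @trust
```

After creating the trust, Get-AdfsRelyingPartyTrust -Name 'Puppet Enterprise console' should show SignedSamlRequestsRequired, EncryptClaims and EncryptedNameIdRequired all True and SamlResponseSignature AssertionOnly; a mismatch on any of these is the usual cause of a login that reaches ADFS, authenticates, and is then rejected by the PE console.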

Related information