AD FS 2.0 supports SAML 2.0 in IDP mode and can be easily integrated with the SAML Extension for both SSO and SLO. Before starting with the configuration make sure that the following prerequisites are satisfied:
Install AD FS 2.0 (http://www.microsoft.com/en-us/download/details.aspx?id=10909)
Run AD FS 2.0 Federation Server Configuration Wizard in the AD FS 2.0 Management Console
Make sure that DNS name of your Windows Server is available at your SP and vice versa
Install a Java container (e.g. Tomcat) for deployment of the SAML 2 Extension
Configure your container to use HTTPS; AD FS requires it (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html)
Download AD FS 2.0 metadata from e.g. https://adfsserver/FederationMetadata/2007-06/FederationMetadata.xml
Store the downloaded content to sample/src/main/resources/metadata/FederationMetadata.xml
Modify the metadata bean in sample/src/main/webapp/WEB-INF/securityContext.xml: replace classpath:security/idp.xml with classpath:security/FederationMetadata.xml and set the metadataTrustCheck property to false, which skips validation of the metadata signature:
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
            <constructor-arg>
                <bean class="java.util.Timer"/>
            </constructor-arg>
            <constructor-arg>
                <bean class="org.opensaml.util.resource.ClasspathResource">
                    <constructor-arg value="/metadata/FederationMetadata.xml"/>
                </bean>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
    </constructor-arg>
    <property name="metadataTrustCheck" value="false"/>
</bean>
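Setting metadataTrustCheck to false means the SP accepts whatever is in FederationMetadata.xml, including its signing certificate and endpoint URLs, without checking the signature AD FS placed on the file. The following is an added example, not part of the page or of the sample project, showing the same bean with the trust check kept on: ExtendedMetadataDelegate then verifies the metadata signature against certificates in the keyManager, metadataRequireSignature rejects unsigned metadata, and metadataTrustedKeys restricts verification to named keystore aliases. The alias adfs-metadata-signing is an assumption; it stands for the AD FS certificate that signed the metadata, imported into samlKeystore.jks beforehand.

```xml
<!-- Added example: hardened metadata provider for the AD FS IDP.
     Compared with the page's bean, the signature on FederationMetadata.xml
     is required and must verify against a pinned key. -->
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
            <constructor-arg>
                <bean class="java.util.Timer"/>
            </constructor-arg>
            <constructor-arg>
                <bean class="org.opensaml.util.resource.ClasspathResource">
                    <constructor-arg value="/metadata/FederationMetadata.xml"/>
                </bean>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
    </constructor-arg>
    <!-- validate the ds:Signature on the metadata instead of trusting the file as-is -->
    <property name="metadataTrustCheck" value="true"/>
    <!-- refuse metadata that carries no signature at all -->
    <property name="metadataRequireSignature" value="true"/>
    <!-- only this keystore alias may vouch for the metadata (assumed alias name) -->
    <property name="metadataTrustedKeys">
        <set>
            <value>adfs-metadata-signing</value>
        </set>
    </property>
</bean>
```

With this form, a swapped or tampered FederationMetadata.xml on the classpath fails at startup rather than silently redirecting logins to a different IdP; the trade-off is that the pinned certificate has to be rotated in samlKeystore.jks whenever AD FS rolls its signing certificate.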
Deploy the SAML 2 Extension war archive from sample/target/spring-security-saml2-sample.war, or use embedded Tomcat with the command: mvn tomcat7:run
Open browser to e.g. https://localhost:8443/spring-security-saml2-sample, making sure to use HTTPS protocol
Click Metadata information and select the item with your server name in the Service providers list
Save the content of the Metadata field to a file named metadata.xml and copy it to the AD FS server
In AD FS 2.0 Management Console select "Add Relying Party Trust"
Select "Import data about the relying party from a file" and select the metadata.xml file created earlier. Select Next
The wizard may complain that some content of metadata is not supported. You can safely ignore this warning
Continue with the wizard. On the "Ready to Add Trust" step make sure that the Endpoints tab contains multiple endpoint values. If not, verify that your metadata was generated with HTTPS protocol URLs
Leave "Open the Edit Claim Rules dialog" checkbox checked and finish the wizard
Select "Add Rule", choose "Send LDAP Attributes as Claims" and press Next
Enter NameID as the "Claim rule name", choose "Active Directory" as Attribute store, choose "SAM-Account-Name" as LDAP Attribute and "Name ID" as "Outgoing claim type", finish the wizard and confirm the claim rules window
Open the relying party trust by double-clicking it, select the Advanced tab and change "Secure hash algorithm" to SHA-1
Open the sample at e.g. https://localhost:8443/spring-security-saml2-sample, select your AD FS server and press Login. In case the Artifact binding is used and the SSL/TLS certificate of your AD FS server is not already trusted, import it into your samlKeystore.jks by following the instructions in the error report.