12. Active Directory Federation Services 2.0 (AD FS)

AD FS 2.0 supports SAML 2.0 in IDP mode and can be easily integrated with SAML Extension for both SSO and SLO. Before starting with the configuration make sure that the following pre-requisites are satisfied:

12.1 Initialize IDP metadata

  • Download AD FS 2.0 metadata from e.g. https://adfsserver/FederationMetadata/2007-06/FederationMetadata.xml

  • Store the downloaded content to sample/src/main/resources/metadata/FederationMetadata.xml

  • Modify bean metadata in sample/src/main/webapp/WEB-INF/securityContext.xml and replace classpath:security/idp.xml with classpath:security/FederationMetadata.xml and add property metadataTrustCheck to false to skip signature validation:

    <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    		<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
    				<bean class="java.util.Timer"/>
    				<bean class="org.opensaml.util.resource.ClasspathResource">
    					<constructor-arg value="/metadata/FederationMetadata.xml"/>
    			<property name="parserPool" ref="parserPool"/>
    		<bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
    	<property name="metadataTrustCheck" value="false"/>

12.2 Initialize SP metadata

  • Deploy SAML 2 Extension war archive from sample/target/spring-security-saml2-sample.war, or use embedded Tomcat with command: mvn tomca7t:run

  • Open browser to e.g. https://localhost:8443/spring-security-saml2-sample, making sure to use HTTPS protocol

  • Click Metadata information, select item with your server name in the Service providers list

  • Store content of the Metadata field to a document metadata.xml and upload it to the AD FS server

  • In AD FS 2.0 Management Console select "Add Relying Party Trust"

  • Select "Import data about the relying party from a file" and select the metadata.xml file created earlier. Select Next

  • The wizard may complain that some content of metadata is not supported. You can safely ignore this warning

  • Continue with the wizard. On the "Ready to Add Trust" make sure that tab endpoints contains multiple endpoint values. If not, verify that your metadata was generated with HTTPS protocol URLs

  • Leave "Open the Edit Claim Rules dialog" checkbox checked and finish the wizard

  • Select "Add Rule", choose "Send LDAP Attributes as Claims" and press Next

  • Add NameID as "Claim rule name", choose "Active Directory" as Attribute store, choose "SAM-Account-Name" as LDAP Attribute and "Name ID" as "Outgoing claim type", finish the wizard and confirm the claim rules window

  • Open the provider by double-clicking it, select tab Advanced and change "Secure hash algorithm" to SHA-1

12.3 Test SSO

Open the sample at e.g. https://localhost:8443/spring-security-saml2-sample, select your AD FS server and press login. In case Artifact binding is used and SSL/TLS certificate of your AD FS is not already trusted, import it to your samlKeystore.jks by following instructions in the error report.