How to install ADFS 2.0 and configure SAML for SSO (auto login/AD login integration)

I’ve recently had an experience of setting up Single Sign On (SSO) for an application that we sell in work (Oracle RightNow) which provides a SAML 2.0 interface for authentication and found that there is very little, useful instructions on how to install and especially to configure SAML – hopefully this information will help anyone else in a similar situation.

First of all it’s useful to know that Microsoft provide a product called Active Directory Federation Services which enables AD integration to third party services. The version of ADFS that comes with Windows Server 2008 R2 is actually version 1 which isn’t compatible with SAML and so for this article we will be using ADFS 2.0 – this can be downloaded from:http://www.microsoft.com/en-us/download/details.aspx?id=10909 (you must click Continue before you can see the Download button for the appropriate version) and there is additionally a hotfix available from: http://support.microsoft.com/kb/2681584.

Installation
This installation should ideally be carried out on a server that is web facing with an installed (not self-signed) SSL certificate and which has access to Active Directory.

1. Run AdfsSetup.exe
2. Click Next
3. Click “I accept the terms in the License Agreement” and then click Next
4. Click “Federation server” and then click Next (you may wish to setup a proxy and a farm but this is outside of the scope of this article)
5. Click Next
6. Once the installation is complete click Finish (the “Start the AD FS 2.0 Management snap-in when this wizard closes” tickbox is automatically checked)

SAML Configuration

1. Click “AD FS 2.0 Federation Server Configuration Wizard”
2. Click Next (“Create a new Federation Service” should be automatically selected – note that setting up a Federation server farm is out of scope of this article)
3. Click “Stand-alone federation server” and then click Next
4. Select your SSL certificate and the default Federation Service name and click Next (note that this SSL certificate should ideally be signed by a provider e.g. Thawte or Verisign and should be public facing or else you may experience issues further along)
5. Click Next
6. Click Close
7. Click “Required: Add a trusted relying party”
8. Click Start
9. If you have a URL or file containing the configuration use this otherwise select “Enter data about the relying party manually” and click Next
10. Enter a Display name and click Next
11. Select AD FS 2.0 profile and click Next
12. Click Browse and select the same certificate you used earlier and then click Next
13. Select “Enable support for the SAML 2.0 WebSSO protocol”, enter the URL to the service providing the integration and then click Next
14. Enter a “Relying party trust identifier” and click Add, then click Next (note it seems that this is sometimes used by the provider to confirm identification but isn’t always used)
15. Click Next – “Permit all users to access this relying party” is automatically selected, you may want to change this later once testing is complete
16. Click Next
17. Click Close (“Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” should be automatically selected)
18. Click “Add Rule…”
19. Click Next (“Send LDAP Attributes as Claims” should be automatically selected – note that only Active Directory integration is in scope for this article)
20. Enter a “Claim rule name” and then select Active Directory under “Attribute store” (note that only Active Directory integration is in scope for this article)
21. Select an LDAP Attribute e.g. E-Mail Addresses, and a corresponding Outgoing Claim Type e.g. E-Mail Address, and click Finish
22. Click OK

Please note that if your provider authenticates your requests using your SSL certificate Thumbprint then expand Service (in the tree on the left hand side under AD FS 2.0) and click Certificates then double click the certificate under “Token-signing”. Click Details and you will find the Thumbprint at the bottom.

You are now ready to test your SSO:

1. Open up a browser (ideally Internet Explorer) and navigate to https://[server address]/adfs/ls/IdpInitiatedSignon.aspx
2. Select “Sign in to this site” (so that we know it is working) and then click “Continue to Sign In”
3. Your site should be automatically selected so just click Go – your application should now load and you should be successfully logged in!

If you aren’t able to login go back over your settings and make sure that you have gotten everything correct. They key areas for failure are the endpoint URL (step 13 of the configuration) being incorrect, the rules (step 21) not passing the correct authentication data, your Active Directory profile being out of date or lacking data, or your SSL certificate not authenticating correctly (check my note below the configuration steps).