
To use ADFS as a SAML identity provider for IdentityServer, you have to register IdentityServer as a relying party at the ADFS instance. On the ADFS server, open AD FS Management and add a relying party trust.

Information

Preparations
Make sure the IdentityServer site is running in IIS and the certificate used for SAML is installed before you start the wizard. Otherwise the import of the FederationMetadata from IdentityServer into ADFS won't work.

Set the ACL on the private key of the certificate used for ADFS/SAML so that "IIS APPPOOL\FireStart AppPool" can use it. Read access to the private key is normally enough for signing tokens; grant Full Control only if the application pool has to manage the key itself.


Keep the default settings and click Next until the wizard finishes. On completion, you are asked to add claim rules. Add the basic user properties as claims. To use the AD search provider you also have to issue the SID of the AD user as the Name ID, so that the search provider can match the SAML subject to the account in Active Directory.
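The same registration done from an elevated PowerShell session on the ADFS server, as an added example (not a FireStart script): it creates the relying party trust from IdentityServer's metadata and sets the two rule sets the wizard asks for, the basic user properties and the primary SID as Name ID. The trust name and the metadata URL of IdentityServer are assumptions; the claim types and rule syntax are the standard AD FS ones.

```powershell
# Added example (not part of the FireStart documentation). Run on the AD FS server.
# Assumptions: the trust name, IdentityServer's SAML metadata URL and the EntityId
# "https://firestart" taken from the appsettings.json example on this page.
Import-Module ADFS

$rpName     = 'FireStart IdentityServer'
$rpMetadata = 'https://firestart-demo.com/saml/metadata'   # assumption: IdentityServer's metadata URL
$rpEntityId = 'https://firestart'

# 1) Relying party trust. AD FS imports endpoints, EntityId and the signing
#    certificate from the relying party's metadata, so IdentityServer must be up.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $rpMetadata
}

# 2) Issuance transform rules. The first rule issues the basic user properties
#    from Active Directory; the second issues the user's primary SID as the SAML
#    Name ID, which the IdentityServer AD search provider matches on.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Basic user properties"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";displayName,mail,givenName,sn;{0}", param = c.Value);

@RuleName = "Primary SID as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Issuance authorization: permit every authenticated user (what the wizard's
# default "Permit everyone" policy does).
$authRules = @'
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules

# 3) Check what AD FS imported. The Identifier list must contain the EntityId
#    that IdentityServer sends, otherwise AD FS rejects the AuthnRequest.
$trust = Get-AdfsRelyingPartyTrust -Name $rpName
if ($trust.Identifier -notcontains $rpEntityId) {
    Write-Warning "Trust identifiers ($($trust.Identifier -join ', ')) do not contain $rpEntityId; add it with Set-AdfsRelyingPartyTrust -Identifier"
}
$trust | Select-Object Name, Identifier, MetadataUrl, Enabled, SamlResponseSignature
```

If the import in step 1 fails, fix the metadata endpoint first instead of creating the trust manually: a trust without the relying party's signing certificate cannot verify signed AuthnRequests from IdentityServer.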

Configure IdentityServer

In appsettings.json, enable the SAML provider and the Active Directory search provider; all other login providers and search providers must be disabled.

Provider Settings

  • Scheme: the scheme name under which the provider is registered (also referenced by the search provider)
  • EntityId: identifier registered at the SAML provider for the relying party
  • SamlCert: thumbprint of the certificate used to sign SAML tokens
  • PartnerIdentityProviderMetadataEndpoint: metadata endpoint of the SAML provider (for ADFS the FederationMetadata.xml URL)

Search Provider Settings

The search provider settings for Active Directory are the same as described in Using Windows & Active Directory. Make sure you use the Active Directory that ADFS authenticates against, and set Scheme to the scheme name you selected for the SAML provider. The Username and Password are the credentials IdentityServer binds with to search the directory: use a dedicated read-only service account rather than a domain administrator, and keep the password out of the checked-in appsettings.json (for example via an environment variable such as SearchProvider__ActiveDirectory__Domains__0__Password, which ASP.NET Core configuration maps onto the same key).

JSON
{
  ...
  "Provider": {
    "Saml": {
      "Enabled": true,
      "DisplayName": "ADFS",
      "Scheme": "adfs",
      "EntityId": "https://firestart",
      "SamlCert": "427a3d5b39df593b1d44b769d3697xxxf00fd83f",
      "PartnerIdentityProviderMetadataEndpoint": "https://dc01.firestart-demo.com/federationmetadata/2007-06/FederationMetadata.xml"
    },
    "Azure": {
      "Enabled": false
      ...
    },
    "Windows": {
      "Enabled": false
      ...
    }
  },
  "SearchProvider": {
    "External": {
      "Enabled": false,
      ...
    },
    "ActiveDirectory": {
      "Enabled": true,
      "Scheme": "adfs",
      "SearchUserWithinOU": false,
      "Domains": [
        {
          "Domain": "firestart-dev.local",
          "FQDN": "",
          "Username": "administrator",
          "Password": "<YourSecret>"
        }
      ],
      "Name": "adfs"
    },
    "Graph": {
      "Enabled": false,
      ...
    }
  }
}
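A pre-flight check for this configuration, added here as an example rather than a FireStart tool, run on the IdentityServer host: it verifies that the SAML and search provider use the same scheme, that the SamlCert thumbprint resolves to a certificate with a private key in LocalMachine\My, grants the application pool read access to that key (the preparation step above, with the narrower right), and fetches the ADFS FederationMetadata to show the partner entityID and token-signing certificates IdentityServer will trust. The path of appsettings.json is an assumption; the other values are read from the file.

```powershell
# Added example (not part of the FireStart documentation). Run elevated on the
# IdentityServer host. Assumptions: the appsettings.json path and the app-pool
# identity; the thumbprint and the metadata URL are read from the file.
$configPath  = 'C:\inetpub\FireStart\IdentityServer\appsettings.json'   # assumption
$appPoolUser = 'IIS APPPOOL\FireStart AppPool'

$config = Get-Content -Raw -Path $configPath | ConvertFrom-Json
$saml   = $config.Provider.Saml
$ad     = $config.SearchProvider.ActiveDirectory

# 1) Scheme consistency: the AD search provider has to reference the SAML scheme.
if ($ad.Enabled -and $ad.Scheme -ne $saml.Scheme) {
    throw "SearchProvider.ActiveDirectory.Scheme '$($ad.Scheme)' differs from Provider.Saml.Scheme '$($saml.Scheme)'"
}
if ($saml.PartnerIdentityProviderMetadataEndpoint -notmatch '^https://') {
    throw 'PartnerIdentityProviderMetadataEndpoint must be an https URL'
}

# 2) Signing certificate: present in LocalMachine\My, with a private key, not about to expire.
$thumb = ($saml.SamlCert -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert)               { throw "SamlCert $thumb not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "SamlCert $thumb has no private key; SAML tokens cannot be signed" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "SamlCert expires on $($cert.NotAfter)" }

# 3) Private-key ACL: Read is sufficient for signing. The key file lives under
#    ProgramData\Microsoft\Crypto\Keys (CNG) or ...\Crypto\RSA\MachineKeys (CAPI).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
           else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = @("Microsoft\Crypto\Keys\$keyName", "Microsoft\Crypto\RSA\MachineKeys\$keyName") |
    ForEach-Object { Join-Path $env:ProgramData $_ } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }
$acl = Get-Acl -Path $keyFile
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($appPoolUser, 'Read', 'Allow'))
Set-Acl -Path $keyFile -AclObject $acl

# 4) Partner metadata: load the AD FS FederationMetadata and list the IdP entityID
#    and the token-signing certificate(s) IdentityServer will validate responses with.
$xml = [System.Xml.XmlDocument]::new()
$xml.Load($saml.PartnerIdentityProviderMetadataEndpoint)
$ns = [System.Xml.XmlNamespaceManager]::new($xml.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$idpEntityId = $xml.DocumentElement.GetAttribute('entityID')
$idpSigning  = $xml.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns) |
    ForEach-Object {
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($_.InnerText))
        [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter }
    }
if (-not $idpSigning) { throw "No signing certificate found in the metadata of $idpEntityId" }

[pscustomobject]@{
    Scheme         = $saml.Scheme
    EntityId       = $saml.EntityId
    SamlCert       = "$($cert.Subject) ($thumb)"
    KeyFile        = $keyFile
    IdpEntityId    = $idpEntityId
    IdpSigningCert = ($idpSigning | ForEach-Object { $_.Thumbprint }) -join ', '
}
```

If the ADFS token-signing certificate is rolled over, the thumbprints printed in step 4 change; IdentityServer picks the new certificate up from the metadata endpoint, which is why the endpoint, and not a pinned certificate, is configured here.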