Wednesday, November 18, 2015

ADFS : SAML all the way through

I recently set up some ADFS 3.0 ("AD FS") servers as follows:

SP --> SAML --> ADFS A --> xxxx --> ADFS B --> Authenticate

The middle ADFS A is just passing everything through. SAML is the SAML 2.0 protocol.

What protocol is "xxxx"?

I had thought that all ADFS-to-ADFS traffic was WS-Fed, but to my surprise it turned out to be SAML, which caused an error because I had configured the ADFS trust with SHA-256 rather than SHA-1.

So you see the AuthnRequest getting passed all the way up and the Response passed all the way down.

However, when I logged out, it didn't work.

Chatting to Mr. Google, I discovered that the SAML logout doesn't work if the token doesn't have a NameID claim.

So for ADFS B, you need a Transform rule to transform e.g. email to NameID.

And for ADFS A, you need a pass-through rule for NameID. Don't forget you need pass-through rules for all the claims from ADFS B on ADFS A.
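The two rule sets described above, written in the ADFS claim rule language and applied with the ADFS PowerShell module. This is an added example, not the post's own configuration: the trust display names ("ADFS A", "ADFS B", "SP") and the choice of email as the NameID source are assumptions, and the first block runs on ADFS B while the second runs on ADFS A.

```powershell
# Added example, not from the original post. Trust names are assumptions.

# --- On ADFS B: the relying party trust that represents ADFS A ---
# Turn the incoming e-mail claim into a SAML NameID (emailAddress format)
# so the token carries the NameID that SAML single logout depends on.
$transformRule = @'
@RuleName = "Transform email to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@
Set-AdfsRelyingPartyTrust -TargetName "ADFS A" -IssuanceTransformRules $transformRule

# --- On ADFS A: pass the claims from ADFS B through unchanged ---
# One pass-through rule per claim type that ADFS B issues; NameID is the one
# logout needs, email is shown as a second example of the same pattern.
$passThroughRules = @'
@RuleName = "Pass through NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);

@RuleName = "Pass through email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@
# Acceptance rules on the claims provider trust admit the claims arriving from ADFS B ...
Set-AdfsClaimsProviderTrust -TargetName "ADFS B" -AcceptanceTransformRules $passThroughRules
# ... and issuance rules on the relying party trust forward them on to the SP.
Set-AdfsRelyingPartyTrust -TargetName "SP" -IssuanceTransformRules $passThroughRules

# Check: the nameidentifier rule must be present in both rule sets on ADFS A,
# otherwise the Response reaching the SP has no NameID and logout fails again.
(Get-AdfsClaimsProviderTrust -Name "ADFS B").AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name "SP").IssuanceTransformRules
```

Note that Set-Adfs*Trust with -IssuanceTransformRules / -AcceptanceTransformRules replaces the whole rule set on that trust, so merge these with any rules already configured rather than overwriting them.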

Enjoy!
