I seem to be running these on just about every installation I do these days, so I thought it would be worthwhile to note them.
Login with email address
This seems to be more and more common.
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests company.co.nz
There are some gotchas with this especially if you are thinking of extending out to Azure (via AD Connect) at some point.
Configuring Alternate Login ID
Certificate revocation
Most dev instances don't have access to the extranet, so the ADFS login will be slower because ADFS will try to check for certificate revocation. On those dev instances it makes sense to turn this check off.
Set-AdfsRelyingPartyTrust -TargetIdentifier urn:xxx -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
Skew
Although the time across servers should be consistent, in a lot of cases it isn't. This means that if the ADFS server is ahead, the SAML token will be in the future and the SAML RP will reject it.
Some SAML RPs that I have dealt with have the skew hard coded, so it cannot be altered.
The best solution is to ensure that the server time is synchronised, but if that is not possible, you can "back date" the time in the token. The cmdlet below sets the time 3 minutes backwards.
Set-AdfsRelyingPartyTrust -TargetIdentifier urn:xxx:de -NotBeforeSkew 3
ADFS Not Before Time Skew
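Because the revocation and skew settings above are meant for dev boxes, here is an added audit script (not from the original post) that lists every relying party trust where revocation checking is off or NotBeforeSkew has been raised, and measures the real clock offset against the RP host before you resort to back-dating. It assumes the ADFS module is installed on the federation server; rp.example.com is a placeholder for the relying party's host.

```powershell
# Added example: audit relying party trusts for the dev-only relaxations described above.
# Assumes it runs on an ADFS server with the ADFS PowerShell module available.
Import-Module ADFS

function Get-AdfsRelaxedTrust {
    param([int]$MaxSkewMinutes = 0)   # skew above this (in minutes) is reported
    Get-AdfsRelyingPartyTrust | ForEach-Object {
        $findings = @()
        # Revocation checking switched off on signing or encryption certificate
        if ("$($_.SigningCertificateRevocationCheck)" -eq 'None')    { $findings += 'SigningRevocationCheck=None' }
        if ("$($_.EncryptionCertificateRevocationCheck)" -eq 'None') { $findings += 'EncryptionRevocationCheck=None' }
        # Token back-dated to paper over clock skew
        if ($_.NotBeforeSkew -gt $MaxSkewMinutes) { $findings += "NotBeforeSkew=$($_.NotBeforeSkew)" }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name       = $_.Name
                Identifier = ($_.Identifier -join ', ')
                Findings   = ($findings -join '; ')
            }
        }
    }
}

# Measure the actual offset between this server and the RP host with the built-in w32tm
# tool; fix the clocks first if this shows more than a few seconds. Placeholder host name.
w32tm /stripchart /computer:rp.example.com /samples:3 /dataonly

# List trusts that still carry the dev-only settings
Get-AdfsRelaxedTrust | Format-Table -AutoSize
```

Run it on the production farm after a dev configuration has been copied across to confirm the relaxations did not come with it.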
Enjoy!