0

We have ADFS and want to add a 3rd party application as trusted to it. I have a certificate and metadata (XML) URI to give them, but want to have a checklist of what they need to give me. So far:

  • HTTP location of their federation server
  • which active directory fields they want exposed in SAML

Is there anything else required?

Out of Band
Rott
  • I'm not an expert in the technologies in your question, but the tag [trusted-computing], according to its tag wiki, is specifically for TPMs and other trusted-execution chips on a motherboard. Are you sure it's appropriate for this question? – Mike Ounsworth Mar 31 '17 at 19:30

1 Answer

0

I guess we are assuming the relying party is a SAML2 based relying party. Else, you should be inquiring what protocols they support (e.g. WS-Federation/WS-Trust, SAML2, OAuth2, OpenID Connect). Not all of these protocols are supported on every AD FS version. These are all supported in Windows Server 2016 based AD FS.

What is the token format they expect? (SAML 1.1, SAML 2.0, JWT)

The URI used by them to uniquely identify themselves to your AD FS.

You should get details of the endpoints to which the tokens should be posted at logon and the type. (e.g. is it a POST binding vs redirect binding). And the logout endpoint too.

What claims they expect and what format of values. It's up to you to decide whether to extract them from AD, SQL, AD LDS or some custom attribute store.

Do they expect the tokens to be encrypted? If yes, they should provide the public portion of a cert which you'd use for encrypting tokens for only the relying party to view.

What signing algorithms they support (SHA1 vs SHA256)

Do they want a Name identifier? If so, what type (transient/persistent etc).

These are some of the questions you'd ask to ensure you can correctly configure a relying party trust. If they have metadata then configuring the trust becomes a lot easier and they can specify in metadata the answers to these questions.

maweeras
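The answer's closing point is that a relying party's SAML metadata already carries most of these answers. As an added example (not part of the original question or answer, and not AD FS code), the Python script below reads SAML 2.0 service-provider metadata and pulls out the checklist items discussed above: the identifier (entityID), the protocol and token format, the assertion consumer and logout endpoints with their bindings, the NameID formats, whether an encryption certificate is published, whether signed assertions are wanted, and which attributes are requested. The metadata document embedded in the script is constructed for the example, and the function name `checklist_from_metadata` is the example's own choice.

```python
"""Pull the relying-party-trust checklist items out of SAML 2.0 SP metadata.

Added example; the sample metadata below is constructed, not a real relying party.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample SP metadata (placeholder certificate, example hostnames).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="mail" isRequired="true"/>
      <md:RequestedAttribute Name="displayName" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _is_true(value):
    return (value or "false").lower() == "true"


def _short_binding(uri):
    # "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" -> "HTTP-POST"
    return uri.rsplit(":", 1)[-1]


def checklist_from_metadata(xml_text):
    """Return a dict of the questions the answer lists, as far as metadata answers them."""
    # Metadata from a third party is untrusted input; stdlib ElementTree does not
    # resolve external entities, but in production prefer defusedxml for parsing.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    protocols = sp.get("protocolSupportEnumeration", "").split()

    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    enc_certs = [
        cert.text.strip()
        for kd in sp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "encryption")
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]

    return {
        "identifier": root.get("entityID"),
        "protocols": protocols,
        "token_format": "SAML 2.0" if SAML2_PROTOCOL in protocols else "unknown",
        "assertion_consumer_services": [
            {"index": int(e.get("index")), "default": _is_true(e.get("isDefault")),
             "binding": _short_binding(e.get("Binding")), "location": e.get("Location")}
            for e in sp.findall("md:AssertionConsumerService", NS)
        ],
        "single_logout_services": [
            {"binding": _short_binding(e.get("Binding")), "location": e.get("Location")}
            for e in sp.findall("md:SingleLogoutService", NS)
        ],
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        # Publishing an encryption key means the SP can accept encrypted tokens;
        # whether it *requires* them is still something to confirm with the party.
        "can_receive_encrypted_tokens": bool(enc_certs),
        "encryption_certificates": enc_certs,
        "wants_assertions_signed": _is_true(sp.get("WantAssertionsSigned")),
        "signs_authn_requests": _is_true(sp.get("AuthnRequestsSigned")),
        "requested_attributes": [
            {"name": a.get("Name"), "required": _is_true(a.get("isRequired"))}
            for a in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)
        ],
    }


if __name__ == "__main__":
    for key, value in checklist_from_metadata(SAMPLE_METADATA).items():
        print("%-30s %s" % (key, value))
```

Two of the answer's items are not expressed in core SP metadata and still have to be asked for explicitly: the signing hash algorithm the party supports (SHA1 vs SHA256) and the exact value format they expect for each claim. Everything the script does extract maps directly onto the relying party trust settings: entityID becomes the identifier, the assertion consumer and logout entries become the SAML endpoints with their bindings, and the encryption certificate is what you would load for token encryption.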