
We have an external web application our company is going to use at a hosting company. They sent us the setup for PingOne invited SSO. Everything seems pretty straightforward. I began setting up our ADFS environment here at our organization.

  • ADFS01 - Internal Server and the first in the ADFS farm in the organization. Server 2016
  • ADFSProxy01 - ADFS proxy server in the DMZ (nat'd to an external IP). Server 2016.
  • ADFS.Samplecompany.com - DNS name for the ADFS federation name internally. Also points to the nat'd external IP for the proxy server externally.

Networking: I did all the networking. Opened up the DMZ proxy server to the internal ADFS server on 443. Opened up outside to the proxy server on 443.

Certificates: Used a wildcard cert (*.samplecompany.com) and used that cert for the ADFS environment. The Service communications certificate is using this cert, and during the setup the Token-Decrypting cert and the Token-Signing cert were all done automatically by the wizard and are self-signed.

I took this same cert (wildcard) and applied it during the setup for the trust connection between the DMZ proxy server and the internal ADFS server. The trust relationship is up and working through the Remote Access role on the proxy server. http://imgur.com/a/noV5R

I can successfully go to an outside computer, browse to https://adfs.samplecompany.com/FederationMetadata/2007-06/FederationMetadata.xml and download that file, so that tells me the ADFS environment is up and the proxy is working properly. When I go to import the Metadata file from PingOne I get the following error at the beginning of setting up a Relying Party Trust. http://imgur.com/a/ER1SL

All of the URLs in the .xml file are reachable by my internal ADFS server when I put them into Chrome. I don't actually see any traffic leaving my ADFS01 server out to the internet to try and download anything (I'm not sure if it's supposed to). I appreciate any help; this is literally the first SAML application I'm trying to set up, and it feels like I've got everything right, but the first step in setting up the connection between my organization and another is failing. Not sure if it's a certificate issue or what I'm missing.

ouscotty
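For reference, the metadata check and the relying party import described above can also be driven from the AD FS PowerShell module on the internal farm node rather than through the GUI wizard. This is an added example, not code from the question or the linked article; the local file path, the display name and the group SID are placeholders, and the partner metadata is assumed to have already been saved to disk.

```powershell
# Added example: validate a SAML partner's metadata file, then create the
# relying party trust with the AD FS cmdlets instead of the GUI wizard.
Import-Module ADFS

$ownMetadataUrl      = 'https://adfs.samplecompany.com/FederationMetadata/2007-06/FederationMetadata.xml'
$partnerMetadataFile = 'C:\Temp\pingone-metadata.xml'   # placeholder path
$rpName              = 'PingOne SSO'                     # placeholder display name
$allowedGroupSid     = 'S-1-5-21-PLACEHOLDER-1234'       # placeholder AD group SID

# 1. Confirm the farm publishes its own metadata (the same check made from outside).
$own = Invoke-WebRequest -Uri $ownMetadataUrl -UseBasicParsing
if ($own.StatusCode -ne 200) { throw "Own federation metadata not reachable: $($own.StatusCode)" }

# 2. Parse the partner file and check the parts the trust depends on before
#    handing it to AD FS, so a bad file fails here with a clear message.
[xml]$md = Get-Content -Path $partnerMetadataFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
if (-not $entity) { throw 'Partner metadata has no md:EntityDescriptor root' }
$entityId = $entity.GetAttribute('entityID')
$acs = $md.SelectNodes('//md:SPSSODescriptor/md:AssertionConsumerService', $ns)
if ($acs.Count -eq 0) { throw 'No AssertionConsumerService endpoint in partner metadata' }
foreach ($ep in $acs) {
    if ($ep.GetAttribute('Location') -notmatch '^https://') {
        throw "Non-HTTPS AssertionConsumerService endpoint: $($ep.GetAttribute('Location'))"
    }
}
# Report the partner certificates AD FS will be asked to trust, with their expiry.
foreach ($node in $md.SelectNodes('//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $raw)
    '{0} expires {1:yyyy-MM-dd}' -f $cert.Subject, $cert.NotAfter
}

# 3. Create the trust from the file (skipped if a trust with this entityID exists).
if (-not (Get-AdfsRelyingPartyTrust -Identifier $entityId)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $partnerMetadataFile
}

# 4. A trust created this way issues nothing until it has an authorization rule;
#    permit only members of one AD group rather than everyone.
$rule = @"
@RuleName = "Permit $rpName group members"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$allowedGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetIdentifier $entityId -IssuanceAuthorizationRules $rule
```

Run it in an elevated session on ADFS01; the certificate lines it prints are worth keeping with the change record so the partner's signing certificate rollover date is known in advance.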

1 Answer

You are running into issues described in https://blogs.technet.microsoft.com/pie/2016/10/23/adfs-2016-cannot-addupdate-relying-party-from-the-gui-from-metadata-files/

See the same article for fix details.

maweeras