...
- Add a <SessionInitiator> with type="ADFS" to one or more of your initiator chains.

  ```xml
  <!-- If outside of a chain, add Location="/Login" -->
  <SessionInitiator type="ADFS" acsIndex="10"/>
  ```

  It should be placed alongside or in place of the "Shib1" and "SAML2" plugins, in order of protocol preference. The acsIndex property should match your ACS handler's index from the previous step. If you're using the handler outside of a chain, be sure to add Location="/Login" to the element.
- If you want to support SP-initiated logout using the WS-Federation signout protocol, add a <LogoutInitiator> with type="ADFS" to one or more of your logout chains, ahead of the element with type="Local".

  ```xml
  <!-- If outside of a chain, add Location="/Logout" -->
  <LogoutInitiator type="ADFS"/>
  ```
Attribute Handling
As with most commercial SAML code, ADFS is a bit wonky in its support for SAML attributes. While Shibboleth makes no hardwired assumptions about attribute naming, most commercial code does. In the case of ADFS, a handful of built-in claims are included and any custom claims are generated with a proprietary AttributeNamespace value of "http://schemas.xmlsoap.org/claims". On the SP side, interoperation therefore requires that custom entries be added to the attribute extraction configuration (typically attribute-map.xml).
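The two configuration steps above and the attribute mapping, put together as an added example (not the wiki's own configuration): a shibboleth2.xml Sessions fragment with the ADFS initiators inside the default login and logout chains, and the attribute-map.xml entries that pick up custom ADFS claims. The ACS handler Location and Binding, the IdP entityID, and the claim names Group and Department (with their ids) are assumptions for illustration.

```xml
<!-- Fragment 1: shibboleth2.xml, inside <Sessions> -->

<!-- ACS handler from the previous step (Location and Binding assumed here);
     its index="10" is what acsIndex="10" below must match. -->
<md:AssertionConsumerService Location="/ADFS" index="10"
    Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>

<!-- Default login chain, in order of protocol preference: SAML 2 first,
     then Shibboleth 1, then ADFS (WS-Federation). Inside a chain the ADFS
     initiator needs no Location of its own; the chain carries /Login. -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true"
    entityID="https://adfs.example.org/adfs/services/trust"> <!-- placeholder IdP -->
    <SessionInitiator type="SAML2"/>
    <SessionInitiator type="Shib1"/>
    <SessionInitiator type="ADFS" acsIndex="10"/>
</SessionInitiator>

<!-- Logout chain: protocol-specific initiators first, the ADFS (WS-Federation
     signout) initiator ahead of the Local one, which only clears the SP session. -->
<LogoutInitiator type="Chaining" Location="/Logout">
    <LogoutInitiator type="SAML2"/>
    <LogoutInitiator type="ADFS"/>
    <LogoutInitiator type="Local"/>
</LogoutInitiator>

<!-- Fragment 2: attribute-map.xml -->

<!-- ADFS issues SAML 1.1 attributes. For SAML 1 the SP matches the assertion's
     AttributeNamespace against nameFormat and AttributeName against name, and
     defaults nameFormat to the Shibboleth 1.x URI namespace when it is omitted,
     so the proprietary ADFS namespace must be spelled out on each entry.
     Claim names Group and Department and the ids are assumed. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
    <Attribute name="Group" nameFormat="http://schemas.xmlsoap.org/claims" id="group"/>
    <Attribute name="Department" nameFormat="http://schemas.xmlsoap.org/claims" id="department"/>
</Attributes>
```

After a login, the mapped ids appear as the usual Shib-* request headers or environment variables; an unmapped claim is silently dropped, so a missing nameFormat shows up as an empty attribute rather than an error.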
...