Table of Contents | ||
---|---|---|
|
Support and Terminology between ADFS and Shibboleth
ADFS V1
The first ADFS release is limited to support for the WS-Federation "passive" profile and does not support SAML, so interoperability is confined to the use of Shibboleth extensions for that protocol, which are currently only available for the SP.
A guide for how to configure and use the V2 SP extension can be found at NativeSPADFS.
ADFS V2
The second generation ADFS software supports part of the SAML 2.0 standard as well as WS-Federation. In addition to the material at NativeSPADFS, the following information is relevant to the use of SAML 2.0.
Usable Profiles
To the best of our knowledge, the following SAML 2.0 profiles and bindings can be used:
- Web Browser SSO via Redirect, POST, Artifact
- Web Browser Single Logout (see the tutorial attached to this page)
Metadata
An ADFS instance generates signed metadata on-the-fly at well-known location /FederationMetadata/2007-06/FederationMetadata.xml
. Presumably this metadata file contains a single <md:EntityDescriptor>
element with both <md:IDPSSODescriptor>
and <md:SPSSODescriptor>
roles.
...
Due to these limitations, it's likely that meaningful interoperability will involve filtering or generating specialized metadata for consumption by ADFS, possibly with specialized tools written or adapted from other software.
IdP Discovery
The ADFS SP has an embedded discovery mechanism. Every IdP configured into ADFS appears on a drop-down menu presented to the user.
There is no explicit support for the standardized discovery protocol supported by Shibboleth. The design of ADFS is such that web sites refer users to a local "STS"/federation service that in turn offers some set of authentication options that can include remote/federated IdPs. There's probably some kind of template that can be used to control the UI for this.
NameIdentifiers
The ADFS GUI contains special options for mapping outgoing claims to a SAML NameID, and the reverse. There may or may not be finer grained control of the NameQualifier attributes, but this requires some kind of custom rule that sets the attributes using a custom property syntax that isn't well documented.
...
The ADFS SP can consume a SAML V2.0 Persistent Identifier (including the NameQualifier
and SPNameQualifier
values) but its ability to consume the eduPersionTargetedID
attribute syntax has not been demonstrated. The former is favored for SAML 2.0 deployments in any case.
Attributes
The support for claims mapping is flexible enough to generate standardized attributes, but the IdP lacks support for controlling the NameFormat
attribute. Shibboleth defaults assume "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", but the SP now allows simplified handling of attributes with an unspecified/missing NameFormat
, so no extra work is needed to map them.
...
The SP side is less of a problem, but has the slight bug that it appears to ignore the NameFormat when processing incoming claim identifiers, which is technically broken, since SAML attributes are only unique in name when both Name and NameFormat are combined.
AuthnRequest Issues
So far, it appears that there is no way to make ADFS2 support forced authentication (forceAuthn).
Response Issues
Nothing known at this time.
Logout Issues
ADFS appears to have a bug in the processing of extensions, which in SAML have optional semantics. A 2.5 and later SP by default includes a standard extension in its logout request messages that isn't being ignored. Adding asynchronous="false"
to the <Logout>
element will disable the extension.
...