...
Support for WS-Federation is currently provisioned and secured using the same metadata sources used for SAML. A profile of SAML metadata for use by WS-Federation peers was developed for the Shibboleth 1.3 release and remains supported in Shibboleth 2.0.
So the first step in enabling this support is to obtain or create metadata for the IdP following the profile. Without it, nothing will happen when you try to use the SP's features, or you'll get a metadata-related error.
...
To load the extension, each library must be added to the <Extensions> element in the <OutOfProcess> and <InProcess> elements like so (the example isn't complete, only the relevant parts are shown):

Code Block:
<OutOfProcess>
    <Extensions>
        <Library path="adfs.so" fatal="true"/>
    </Extensions>
</OutOfProcess>
<InProcess>
    <Extensions>
        <Library path="adfs-lite.so" fatal="true"/>
    </Extensions>
</InProcess>

Note: Extensions are not loaded dynamically. You will need to restart the relevant services after adding the above configuration.
Enabling the WS-Federation Protocol (SP V2.4 and Above)
...
- Add an <md:AssertionConsumerService> with Binding="http://schemas.xmlsoap.org/ws/2003/07/secext" to the list of endpoints. The index attribute is generally not important but should be unique.

Code Block:
<md:AssertionConsumerService Location="/ADFS" index="10" Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
- Add a <SessionInitiator> with type="ADFS" to one or more of your initiator chains.

Code Block:
<!-- If outside of a chain, add Location="/Login" -->
<SessionInitiator type="ADFS" acsIndex="10"/>
...
- If you want to support SP-initiated logout using the WS-Federation signout protocol, then add a <LogoutInitiator> with type="ADFS" to one or more of your logout chains, ahead of the element with type="Local".

Code Block:
<!-- If outside of a chain, add Location="/Logout" -->
<LogoutInitiator type="ADFS"/>
...
To support ADFS claims passed as SAML attributes, you'll need to include the XML attribute/value nameFormat="http://schemas.xmlsoap.org/claims" inside each <Attribute> element that specifies an ADFS claim.

Code Block:
<!-- WS-Fed attributes -->
<Attribute nameFormat="http://schemas.xmlsoap.org/claims" name="CommonName" id="cn"/>
<Attribute nameFormat="http://schemas.xmlsoap.org/claims" name="EmailAddress" id="email"/>
<Attribute nameFormat="http://schemas.xmlsoap.org/claims" name="UPN" id="userPrincipalName"/>
<Attribute nameFormat="http://schemas.xmlsoap.org/claims" name="Group" id="group"/>
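A configuration check covering the steps above (extension libraries, WS-Fed endpoint, ADFS initiators, logout ordering, claims nameFormat), written here as an added example and not code from the Shibboleth project. The SP configuration and attribute map it parses are constructed samples, and the list of expected claim names is an assumption supplied by the caller.

```python
import xml.etree.ElementTree as ET

WSFED_BINDING = "http://schemas.xmlsoap.org/ws/2003/07/secext"
CLAIMS_FORMAT = "http://schemas.xmlsoap.org/claims"
ADFS_LIBS = {"OutOfProcess": "adfs.so", "InProcess": "adfs-lite.so"}
def _name(el):
    return el.tag.rsplit("}", 1)[-1]  # local element name, namespace stripped
def check_wsfed_config(shibboleth2_xml, attribute_map_xml, adfs_claims):
    """Return the problems found in a WS-Federation SP setup (empty list = OK)."""
    problems, elems = [], list(ET.fromstring(shibboleth2_xml).iter())
    # 1. Both process scopes must load the ADFS extension library.
    for scope, lib in ADFS_LIBS.items():
        paths = [l.get("path", "") for s in elems if _name(s) == scope
                 for l in s.iter() if _name(l) == "Library"]
        if not any(p.endswith(lib) for p in paths):
            problems.append(f"<{scope}> does not load {lib}")
    # 2. An AssertionConsumerService with the WS-Fed binding must exist ...
    acs_idx = {e.get("index") for e in elems if _name(e) == "AssertionConsumerService"
               and e.get("Binding") == WSFED_BINDING}
    if not acs_idx:
        problems.append("no AssertionConsumerService with the WS-Federation binding")
    # 3. ... and an ADFS SessionInitiator that names an acsIndex must point at one of them.
    for e in elems:
        idx = e.get("acsIndex")
        if _name(e) == "SessionInitiator" and e.get("type") == "ADFS" and idx not in (None, *acs_idx):
            problems.append(f"SessionInitiator acsIndex={idx} is not a WS-Fed endpoint")
    # 4. Inside a logout chain the ADFS initiator has to come before the Local one.
    for parent in elems:
        kinds = [c.get("type") for c in parent if _name(c) == "LogoutInitiator"]
        if {"ADFS", "Local"} <= set(kinds) and kinds.index("Local") < kinds.index("ADFS"):
            problems.append("LogoutInitiator type=ADFS must precede type=Local")
    # 5. Every expected ADFS claim needs an <Attribute> carrying the claims nameFormat.
    mapped = {a.get("name") for a in ET.fromstring(attribute_map_xml).iter()
              if _name(a) == "Attribute" and a.get("nameFormat") == CLAIMS_FORMAT}
    problems += [f"claim {c} has no Attribute with nameFormat={CLAIMS_FORMAT}"
                 for c in adfs_claims if c not in mapped]
    return problems

# Constructed samples: a correct SP config, and a map that omits the nameFormat on UPN.
SHIB_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
 <OutOfProcess><Extensions><Library path="adfs.so" fatal="true"/></Extensions></OutOfProcess>
 <InProcess><Extensions><Library path="adfs-lite.so" fatal="true"/></Extensions></InProcess>
 <ApplicationDefaults entityID="https://sp.example.org/shibboleth"><Sessions>
  <SessionInitiator type="Chaining" Location="/Login"><SessionInitiator type="ADFS" acsIndex="10"/></SessionInitiator>
  <LogoutInitiator type="Chaining" Location="/Logout"><LogoutInitiator type="ADFS"/><LogoutInitiator type="Local"/></LogoutInitiator>
  <md:AssertionConsumerService Location="/ADFS" index="10" Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
 </Sessions></ApplicationDefaults></SPConfig>"""
ATTR_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
 <Attribute nameFormat="http://schemas.xmlsoap.org/claims" name="EmailAddress" id="email"/><Attribute name="UPN" id="userPrincipalName"/></Attributes>"""
```

Run it as `check_wsfed_config(SHIB_XML, ATTR_XML, ["EmailAddress", "UPN"])` against your own shibboleth2.xml and attribute-map.xml contents; an empty list means every step on this page is in place.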
...