Child pages
  • AD FS Metadata Config

The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.

Skip to end of metadata
Go to start of metadata

Microsoft AD FS Metadata Configuration

Although Microsoft AD FS is not able to directly consume the InCommon metadata aggregate, there are numerous third-party tools that can help. One such tool is the ADFSToolkit

Recommended practice for AD FS deployments

AD FS IdP deployments are strongly encouraged to use ADFSToolkit or pysFEMMA to refresh and verify InCommon metadata.



  • AD FS will not consume an <md:EntityDescriptor> element that contains an expired certificate.
  • AD FS will check any CRLs or OCSP endpoints that might be contained in the certificate.
  • AD FS will not consume two <md:EntityDescriptor> elements that contain the same certificate.
  • AD FS will not consume an <md:EntityDescriptor> element containing more than one encryption key.
#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels