...
- Use pysFEMMA to refresh and verify metadata (since AD FS 2.0 will not consume SAML metadata whose root element is an
<md:EntitiesDescriptor>element) - Ensure that all SP partners support and use SAML V2.0 (since AD FS 2.0 does not support SAML V1.1)
- Ensure that all SP partners follow InCommon recommendations regarding certificates in metadata. Specifically:
- certificates should be self-signed (since AD FS 2.0 will actually try to check any CRLs or OCSP endpoints contained in the certificate)
- certificates should not be expired (since AD FS 2.0 will not consume an
<md:EntityDescriptor>element that contains an expired certificate) - certificates should not be shared (since some versions of AD FS 2.0 will not consume two
<md:EntityDescriptor>elements that contain the same certificate) - redundant certificates should be avoided (since AD FS 2.0 will not consume an
<md:EntityDescriptor>element containing more than one encryption key)
- Ensure that no SP partners include a
<samlp:Scoping>element in theAuthnRequest(since AD FS 2.0 will reject such a request)
...