...
- Use pysFEMMA to refresh and verify metadata (since AD FS 2.0 will not consume SAML metadata whose root element is an
<md:EntitiesDescriptor>element) - Ensure that all SP partners support and use SAML V2.0 (since AD FS 2.0 does not support SAML V1.1)
- Ensure that all SP partners follow InCommon recommendations regarding certificates in metadata. Specifically:
- certificates should be self-signed (since AD FS 2.0 will actually try to check any CRLs or OCSP endpoints contained in the certificate)
- certificates should not be expired (since AD FS 2.0 will not consume an
<md:EntityDescriptor>element that contains an expired certificate) - certificates should not be shared (since AD FS 2.0 will not consume two
<md:EntityDescriptor>elements that contain the same certificate) - redundant certificates should be avoided (since AD FS 2.0 will not consume an
<md:EntityDescriptor>element containing more than one encryption key)
- Ensure that no SP partners include a
<samlp:Scoping>element in theAuthnRequest(since AD FS 2.0 will reject such a request)
Recognizing the limitations of AD FS, the international REFEDs community is calling upon Microsoft to address this situation. Visit the adfstoolkit.org web site to add your voice to this effort.
...