Microsoft AD FS Metadata Configuration
Although Microsoft AD FS is not able to directly consume the InCommon metadata aggregate, there are numerous third-party tools that can help. One such tool is ADFSToolkit.
Recommended practice for AD FS deployments
AD FS IdP deployments are strongly encouraged to use ADFSToolkit or pysFEMMA to refresh and verify InCommon metadata.
Limitations
AD FS
- AD FS will not consume an <md:EntityDescriptor> element that contains an expired certificate.
- AD FS will check any CRLs or OCSP endpoints that might be contained in the certificate.
- AD FS will not consume two <md:EntityDescriptor> elements that contain the same certificate.
- AD FS will not consume an <md:EntityDescriptor> element containing more than one encryption key.
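The following is an added example, not part of this page and not code from ADFSToolkit or pysFEMMA: an offline Python pre-flight lint that walks a SAML metadata aggregate and reports the three structural conditions listed above (an expired certificate, one certificate shared by two entities, more than one encryption key in one entity) so an operator can see which entities AD FS will silently drop. The CRL/OCSP check is not reproduced, since it needs network access. The entity IDs, the tiny DER encoder and the unsigned certificate skeletons in the sample aggregate are all constructed for the demo; the notAfter parser itself works on real DER certificates.

```python
"""Offline pre-flight lint for a SAML metadata aggregate, flagging the three
EntityDescriptor conditions AD FS rejects: expired certificate, one certificate
shared by two entities, and more than one encryption key in one entity.
(The CRL/OCSP check is not reproduced here; it needs network access.)"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _der_tlv(data, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_not_after(der):
    """Read tbsCertificate.validity.notAfter from a DER X.509 certificate."""
    _, pos, _ = _der_tlv(der, 0)             # Certificate SEQUENCE
    _, pos, _ = _der_tlv(der, pos)           # tbsCertificate SEQUENCE
    tag, _, end = _der_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                       # serialNumber, signature, issuer
        _, _, pos = _der_tlv(der, pos)
    _, pos, _ = _der_tlv(der, pos)           # validity SEQUENCE
    _, _, pos = _der_tlv(der, pos)           # notBefore (skipped)
    tag, start, end = _der_tlv(der, pos)     # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    # Note: strptime's %y pivot (69) differs from RFC 5280's (50) for two-digit years 50-68.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def lint_aggregate(xml_text, now=None):
    """Return [(entityID, problem)] for every entity AD FS would refuse."""
    now = now or datetime.now(timezone.utc)
    findings, seen = [], {}                  # seen: cert fingerprint -> first entityID carrying it
    for ed in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        eid, enc_keys = ed.get("entityID"), 0
        for kd in ed.iter(f"{{{MD}}}KeyDescriptor"):
            # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
            if kd.get("use") in (None, "encryption"):
                enc_keys += 1
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                der = base64.b64decode("".join(cert.text.split()))
                fp = hashlib.sha256(der).hexdigest()
                if seen.setdefault(fp, eid) != eid:   # same cert seen under another entityID
                    findings.append((eid, f"certificate already used by {seen[fp]}"))
                if cert_not_after(der) < now:
                    findings.append((eid, "expired certificate"))
        if enc_keys > 1:
            findings.append((eid, f"{enc_keys} encryption keys"))
    return findings


def _tlv(tag, body):
    """Minimal DER encoder used only to build the constructed sample certificates."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def fake_cert_der(not_after_utctime):
    """Constructed, unsigned certificate skeleton with the given notAfter (UTCTime).
    It parses like a real certificate but would fail any signature check."""
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, not_after_utctime.encode()))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def _key(use, not_after):
    b64 = base64.b64encode(fake_cert_der(not_after)).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f"<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


def _entity(entity_id, *key_descriptors):
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + "".join(key_descriptors) + "</md:IDPSSODescriptor></md:EntityDescriptor>")


# Constructed aggregate (hypothetical entity IDs): one clean entity and one per AD FS limitation.
SAMPLE_AGGREGATE = (
    f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">'
    + _entity("https://idp-a.example.org/idp", _key("signing", "350101000000Z"))
    + _entity("https://idp-b.example.org/idp", _key("signing", "210101000000Z"))   # expired
    + _entity("https://idp-c.example.org/idp", _key("signing", "350101000000Z"))   # same cert as idp-a
    + _entity("https://idp-d.example.org/idp", _key("encryption", "360101000000Z"),
              _key("encryption", "370101000000Z"))                                 # two encryption keys
    + "</md:EntitiesDescriptor>")

if __name__ == "__main__":
    for entity_id, problem in lint_aggregate(SAMPLE_AGGREGATE):
        print(f"{entity_id}: {problem}")
```

Run against a real aggregate by passing the downloaded XML to `lint_aggregate`; the report is a triage list, not a substitute for the signature verification and refresh that ADFSToolkit or pysFEMMA perform, and a single entity will appear in the list once per expired certificate it carries.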