You are viewing an old version of this page (Version 12).

Microsoft AD FS Metadata Configuration

Although Microsoft AD FS cannot directly consume the InCommon metadata aggregate, numerous third-party tools can help. Perhaps the most popular is the FEderation Metadata Manager for ADFS (FEMMA) by Cristian Mezzetti <cristian.messetti@unibo.it>. FEMMA parses a SAML <md:EntitiesDescriptor> element and writes a directory of files, each containing a single <md:EntityDescriptor> element that AD FS can consume. A dynamically generated PowerShell script then loads the individual entity descriptors into AD FS.

An extension of FEMMA called pysFEMMA is based on PySAML2, an implementation of SAML V2.0 by Roland Hedberg <roland.hedberg@umu.se>. Because pysFEMMA is SAML-aware, it has features that FEMMA lacks. In particular, pysFEMMA verifies the XML signature and checks the validUntil XML attribute on the metadata aggregate. It also configures the attribute release policy of an AD FS IdP based on entity attributes in SP metadata.

Recommended practice for AD FS deployments

AD FS IdP deployments are strongly encouraged to use pysFEMMA to refresh and verify InCommon metadata.

Limitations

AD FS

  • AD FS will not consume SAML metadata whose root element is an <md:EntitiesDescriptor> element.
  • AD FS will not consume an <md:EntityDescriptor> element that contains an expired certificate.
  • AD FS will check any CRL distribution points or OCSP endpoints referenced in the certificate.
  • AD FS will not consume two <md:EntityDescriptor> elements that contain the same certificate.
  • AD FS will not consume an <md:EntityDescriptor> element containing more than one encryption key.

(pys)FEMMA

  • Both FEMMA and pysFEMMA process SP metadata only, and therefore the tools are meant to be used with an AD FS IdP only.
  • FEMMA (and by extension pysFEMMA) skips SPs that do not expose a SAML2 AssertionConsumerService endpoint over HTTPS.
  • pysFEMMA is based on PySAML2, which uses the XMLSec library for XML signature operations. XMLSec in turn depends on one of several crypto libraries, so any limitations of pysFEMMA with respect to XML signatures are those of the underlying crypto library.
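The split-and-filter step that FEMMA performs, as an added example written for this page (not FEMMA's or pysFEMMA's own code): it assumes a constructed four-entity aggregate with placeholder certificate values, applies the AD FS and (pys)FEMMA rules listed above, and leaves XML signature verification, which pysFEMMA delegates to XMLSec, out of scope.

```python
# Added example, not FEMMA/pysFEMMA code: split an aggregate into per-entity
# documents as FEMMA does, applying the AD FS rules above (no signature check).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"
SAML2 = "urn:oasis:names:tc:SAML:2.0:bindings:"
ET.register_namespace("md", MD); ET.register_namespace("ds", DS)

def sp(entity_id, acs, signing, encryption=()):
    """Constructed SP entity descriptor; certificate values are placeholders."""
    keys = "".join(f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                   f"{c}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
                   for use, cs in (("signing", signing), ("encryption", encryption)) for c in cs)
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:SPSSODescriptor>{keys}'
            f'<md:AssertionConsumerService Binding="{SAML2}HTTP-POST" Location="{acs}" '
            'index="0"/></md:SPSSODescriptor></md:EntityDescriptor>')

# Constructed aggregate: sp1 clean, sp2 http-only ACS, sp3 reuses sp1's cert, sp4 two encryption keys.
AGGREGATE = (f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" validUntil="2099-01-01T00:00:00Z">'
             + sp("https://sp1.example.edu/shibboleth", "https://sp1.example.edu/SAML2/POST", ["CERT_A"])
             + sp("https://sp2.example.edu/shibboleth", "http://sp2.example.edu/SAML2/POST", ["CERT_B"])
             + sp("https://sp3.example.edu/shibboleth", "https://sp3.example.edu/SAML2/POST", ["CERT_A"])
             + sp("https://sp4.example.edu/shibboleth", "https://sp4.example.edu/SAML2/POST", ["CERT_D"], ["CERT_E", "CERT_F"])
             + "</md:EntitiesDescriptor>")

def split_aggregate(xml_text):
    """Return ({entityID: single-entity XML}, [(entityID, reason skipped)])."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError("expected an md:EntitiesDescriptor root")
    valid_until = root.get("validUntil")  # pysFEMMA refuses an expired aggregate
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < datetime.now(timezone.utc):
        raise ValueError(f"aggregate expired at {valid_until}")
    seen, accepted, skipped = {}, {}, []
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        eid, role = ed.get("entityID"), ed.find(f"{{{MD}}}SPSSODescriptor")
        if role is None:  # (pys)FEMMA handles SP metadata only
            skipped.append((eid, "not an SP")); continue
        if not [a for a in role.iter(f"{{{MD}}}AssertionConsumerService")
                if a.get("Binding", "").startswith(SAML2) and a.get("Location", "").startswith("https://")]:
            skipped.append((eid, "no HTTPS SAML2 AssertionConsumerService")); continue
        # A KeyDescriptor with no use attribute serves both signing and encryption.
        if sum(k.get("use") != "signing" for k in role.iter(f"{{{MD}}}KeyDescriptor")) > 1:
            skipped.append((eid, "more than one encryption key")); continue
        certs = {"".join(c.text.split()) for c in ed.iter(f"{{{DS}}}X509Certificate")}
        if certs & seen.keys():
            skipped.append((eid, f"certificate shared with {seen[(certs & seen.keys()).pop()]}")); continue
        seen.update(dict.fromkeys(certs, eid))
        accepted[eid] = ET.tostring(ed, encoding="unicode")
    return accepted, skipped
```

Each accepted entry is the single <md:EntityDescriptor> document FEMMA would write to its output directory; an expired certificate inside an accepted entity is still rejected by AD FS itself, which this check does not replicate.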

Old versions of OpenSSL are incompatible with SHA-2

If your pysFEMMA deployment depends on an old version of the OpenSSL crypto library, it may be unable to verify the signature on InCommon metadata. For instance, versions of OpenSSL prior to 0.9.8 are known to be incompatible with SHA-2, so a pysFEMMA installation that depends on OpenSSL 0.9.7 (or earlier) cannot verify an XML signature that uses a SHA-2 digest algorithm.
