Microsoft ADFS does not directly consume the InCommon metadata aggregate. However, there are numerous third-party tools that can help. One such tool is ADFSToolkit.
AD FS IdP deployments are strongly encouraged to use ADFSToolkit or pysFEMMA to refresh and verify InCommon metadata.
ADFS will fail to consume metadata that contains any of the following:

- An <md:EntityDescriptor> element that contains an expired certificate.
- <md:EntityDescriptor> elements that contain the same certificate.
- An <md:EntityDescriptor> element containing more than one encryption key.
- Key material in the XML digital signature other than a single <ds:X509Data> child element. ADFS will fail to consume metadata with any other key material present in the XML digital signature besides a single instance of this element. This item was introduced in a fix for CVE-2019-1006. You may be able to use ADFSToolkit or the attached XSLT to work around this problem. If you use the XSLT, it is CRITICAL that you use some other method, such as xmlsectool, to verify the signature on the metadata before stripping it and loading the metadata into ADFS; otherwise ADFS is susceptible to man-in-the-middle attacks.
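As an added example (not code from this page, from ADFSToolkit or from InCommon), the following Python pre-flight lint scans an aggregate for three of the conditions listed above: a certificate shared across <md:EntityDescriptor> elements, an entity with more than one encryption key, and signature KeyInfo holding anything besides a single <ds:X509Data>. The sample metadata and its certificate strings are constructed placeholders; certificate expiry is not checked because that needs an X.509 parser.

```python
# Added pre-flight lint for the AD FS metadata issues listed above; not
# InCommon's or ADFSToolkit's code. Expiry is not checked (needs X.509 parsing).
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def cert_fingerprints(elem):
    """SHA-256 of each whitespace-stripped base64 X509Certificate under elem."""
    return [hashlib.sha256("".join((c.text or "").split()).encode()).hexdigest()
            for c in elem.findall(".//ds:X509Certificate", NS)]


def check_metadata(xml_text):
    """Return (entityID or 'signature', description) tuples, one per problem."""
    root = ET.fromstring(xml_text)
    issues, seen = [], {}          # seen: fingerprint -> first entityID using it
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        eid, enc_keys = ent.get("entityID"), 0
        for kd in ent.findall(".//md:KeyDescriptor", NS):
            if kd.get("use") in (None, "encryption"):  # no 'use' means both uses
                enc_keys += 1
            for fp in cert_fingerprints(kd):
                if seen.setdefault(fp, eid) != eid:    # same cert, other entity
                    issues.append((eid, "certificate also used by " + seen[fp]))
        if enc_keys > 1:
            issues.append((eid, "%d encryption keys" % enc_keys))
    # Enveloped aggregate signature: only one <ds:X509Data> child is tolerated.
    for ki in root.findall("./ds:Signature/ds:KeyInfo", NS):
        kids = [k.tag.split("}")[-1] for k in ki]
        if kids != ["X509Data"]:
            issues.append(("signature", "KeyInfo contains " + ", ".join(kids)))
    return issues


# Constructed sample aggregate: entityIDs and certificate values are placeholders.
KD = ('<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
      '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
ENT = ('<md:EntityDescriptor entityID="%s"><md:SPSSODescriptor>%s'
       '</md:SPSSODescriptor></md:EntityDescriptor>')
SAMPLE = ('<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:KeyInfo>'
          '<ds:X509Data><ds:X509Certificate>SIGCERT</ds:X509Certificate></ds:X509Data>'
          '<ds:KeyValue><ds:RSAKeyValue/></ds:KeyValue></ds:KeyInfo></ds:Signature>'
          + ENT % ("https://sp-a.example.edu", KD % ("", "CERT1"))
          + ENT % ("https://sp-b.example.edu", KD % (' use="encryption"', "CERT1")
                   + KD % (' use="encryption"', "CERT2"))
          + '</md:EntitiesDescriptor>')

if __name__ == "__main__":
    for who, what in check_metadata(SAMPLE):
        print(who, "->", what)
```

Run it against a freshly verified aggregate before loading; any entity it reports is a candidate for filtering out with ADFSToolkit rather than a reason to skip signature verification.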