This document is work in progress!
In this tutorial, you configure Active Directory Federation Services (AD FS) 3.0 as the federated authenticator in WSO2 Identity Server (WSO2 IS) using SAML. Let's take a look at the steps you need to follow:
Configuring Active Directory Federation Services (AD FS)
Follow the steps given below to add WSO2 IS as the relying party AD FS.
- Go to the AD FS management console and expand Trust Relationship.
- Right click on Relying Party Trust and select Add Relying Party Trust.
- Click Start > . Next on the wizard.
- Enter a preferred name to represent WSO2 Identity Server (relying party) and click Next.
- Select the AD FS Profile and click Next.
- Click Next again as you are not using an encryption profile for this tutorial.
- Enter the SAML 2.0 SSO service URL of the relying party as the commonauth endpoint.
The endpoint for WSO2 IS is
Enter a value for the relying party trust identifier and click Next.
The same value that is entered here needs to be used when configuring the identity provider on WSO2 IS.
Click Next as multi factor authentication is not required for this tutorial.
- Select Permit all users to access this relying party and click Next.
- Review the settings and click Next.
- Click Close to finish adding the relying party trust.
The Claim Rules dialogue wizard opens.
In the Edit Claim Rule dialogue specify the claims that needs to be sent to the relying party.
In this tutorial, let's send the SAM-Account-Name LDAP attribute as a NameID claim.
Click Add Rule.
Set a Claim rule name and map the SAM-Account-Name to the E-Mail Address.
Click Add Rule again to transform the email address claim to a NameID claim.
Select Transform an Incoming Claim and click Next.
Set the Claim rule name.
Select the incoming claim type as E-Mail Address and outgoing claim type and ID format as Name ID and Unspecified respectively.
Click Finish > Apply.
Close the claim rules dialogue box
Configure the Relying Party Trust properties.
Right click on the Relying Party Trust you just created and select Properties.
Open the Signature tab and click Add.
Add the certificate.
You can use any of the two methods listed below depending on your WSO2 IS configurations.
When the Service Provider in WSO2 IS is under the super tenant domain, the public certificate of WSO2 IS needs to be uploaded
Else, the public certificate of the tenant domain needs to be selected. The public certificate of the tenant can be exported from the Key Management feature of the WSO2 IS management console.
In this tutorial, the service provider is added in the super tenant domain and the default keystore is not changed. Therefore, the default
wso2carboncertificate that is in the
<IS_HOME>/repository/resources/securitydirectory is used.
Yes to proceed when following dialogue appears.
Open the Endpoint tab to set the SAML logout endpoint.
Click Add SAML.
Select SAML Logout as the value for the Endpoint Type and the Binding as the value POST.
Set the Trusted URL as https://<AD_FS_server>/adfs/ls and the Response URL as the
/commonauthendpoint of WSO2 IS.
Save the property settings of the relying party.
Configure AD FS as an Identity Provider in WSO2 IS. You need to add the Token signing certificate of AD FS when configuring WSO2 IS.
Follow the steps given below to export the token signing certificate of WSO2 IS:
In the AD FS management close, click Certificates that is under Service.
Right click on the Token-signing certificate and select View Certificate.
Open the Details tab and click Copy to File.
Follow the Certificate Export Wizard by clicking Next.
Select the Base-64 encoded X.509 (.cer) option and click Next.
Save the certificate to a desired location and click Finish.
You have successfully configured AF DS. Next, you need to configure WSO2 IS for federated authentication.
Configuring WSO2 IS for Federated Authentication
Follow the steps given below to configure WSO2 IS to use AF DS as the Identity Provider (IdP).
- Login to IS Management console.
- Click Add under Identity Providers.
- Provide a unique name for the IdP and add the Token-signing certificate of ADFS by clicking the Browse button.
- Expand Federated Authenticators and Expand SAML Web SSO Configuration.
- Click Configure to start configuring the SAML 2 Web SSO configurations.
- Check Enable SAML2 Web SSO.
- Identity Provider Entity Id: This can be found in entityID attribute. The can be accessed through https://<AD_FS_server>/FederationMetadata/2007-06/. The Entity ID is usually in the form
- Service Provider Entity Id should be same as what’s given in AD FS RP trust identifier. eg:wso2-is
- SSO URL should be in the form of http://<AD_FS_server>/adfs/ls.
- Check Enable Logout.
- Logout URL should be the same as SSO URL.
- Check Enable Logout Request Signing.
- Select HTTP Binding as POST.
- Click Register to save the IdP.