Setting up AD FS SAML Federation with a Shibboleth SP - Walkthrough Guide

Shibboleth is an open-source software project that provides SAML and WS-Federation protocol support. Since it talks standard protocols, AD FS can be configured to grant access to resources protected by Shibboleth.

Prerequisites

AD FS 2.0 installed and working at https://your-domain/adfs/ls/. For simplicity's sake, this post will install Shibboleth onto the same machine as AD FS. It also assumes the default AD FS identifier is used: https://your-domain.com/adfs/services/trust.

Download and install the 32-bit or 64-bit Shibboleth package as appropriate for your server. Restart your computer when prompted.

Configure Shibboleth

Edit c:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml as follows (your-domain.com is a placeholder for your own host name; change it to reflect your environment):

  1. Replace <Site id="1" name="sp.example.org"/> with <Site id="1" name="your-domain.com"/>
  2. Replace <Host name="sp.example.org"> with <Host name="your-domain.com">
  3. Enable request/response signing (necessary for single logout to work) by setting the signing attribute of the ApplicationDefaults element to true
  4. Set the entityID attribute of the ApplicationDefaults to https://your-domain.com/shibboleth
  5. Under the Sessions element, change the first SessionInitiator example to refer to your AD FS instance by setting the entityID attribute to https://your-domain.com/adfs/services/trust
  6. Tell Shibboleth where to find AD FS's metadata. Under the MetadataProvider element, add:
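The following is an added example, not code from the original post or from the Shibboleth project. It embeds a constructed, abridged shibboleth2.xml fragment showing steps 1 to 6 applied, and a small checker that parses the file and reports which of the six steps are still missing, so you can verify an SP configuration before trusting it with single logout. The host name your-domain.com, both entityIDs and the AD FS metadata URL (the AD FS default path FederationMetadata/2007-06/FederationMetadata.xml, which the truncated step 6 above does not show) are assumptions for the example; the element layout follows the stock Shibboleth SP 2.x file but omits everything the walkthrough does not touch.

```python
"""Verify that a Shibboleth SP shibboleth2.xml carries the AD FS federation
settings from the walkthrough (constructed example; not the project's file)."""
import xml.etree.ElementTree as ET

# Namespace prefix used in the XPath lookups below.
NS = {"c": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed, abridged shibboleth2.xml *after* steps 1-6 have been applied.
# Host name, entityIDs and the AD FS metadata URL are assumptions.
CONFIGURED_SP = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">
  <InProcess>
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
      <Site id="1" name="your-domain.com"/>
    </ISAPI>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="your-domain.com">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default" policyId="default"
                       entityID="https://your-domain.com/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id"
                       signing="true" encryption="false">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true" relayState="ss:mem">
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
                        relayState="cookie"
                        entityID="https://your-domain.com/adfs/services/trust">
        <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
      </SessionInitiator>
      <md:AssertionConsumerService Location="/SAML2/POST" index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    </Sessions>
    <MetadataProvider type="XML"
        uri="https://your-domain.com/FederationMetadata/2007-06/FederationMetadata.xml"
        backingFilePath="federationmetadata.xml" reloadInterval="7200"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed "before" state: stock placeholders and signing switched off.
STOCK_SP = (CONFIGURED_SP.replace("your-domain.com", "sp.example.org")
                         .replace('signing="true"', 'signing="false"'))

# Map each check to the walkthrough step that fixes it.
STEP_FOR_CHECK = {
    "site_name": 1, "host_name": 2, "signing": 3,
    "sp_entity_id": 4, "idp_entity_id": 5, "metadata_https": 6,
}


def check_adfs_federation(xml_text: str, host: str, adfs_host: str) -> dict:
    """Return a dict of check name -> bool for the six walkthrough settings."""
    root = ET.fromstring(xml_text)
    app = root.find("c:ApplicationDefaults", NS)
    site = root.find("c:InProcess/c:ISAPI/c:Site", NS)
    req_host = root.find("c:RequestMapper/c:RequestMap/c:Host", NS)
    initiator = app.find("c:Sessions/c:SessionInitiator", NS) if app is not None else None
    provider = app.find("c:MetadataProvider", NS) if app is not None else None
    adfs_entity = f"https://{adfs_host}/adfs/services/trust"
    return {
        "site_name": site is not None and site.get("name") == host,
        "host_name": req_host is not None and req_host.get("name") == host,
        # signing="true" makes the SP sign its requests, which SLO requires.
        "signing": app is not None and app.get("signing") == "true",
        "sp_entity_id": app is not None and app.get("entityID") == f"https://{host}/shibboleth",
        "idp_entity_id": initiator is not None and initiator.get("entityID") == adfs_entity,
        # Metadata must come from the AD FS host over HTTPS, never plain HTTP.
        "metadata_https": provider is not None
        and provider.get("uri", "").startswith(f"https://{adfs_host}/"),
    }


def missing_steps(xml_text: str, host: str, adfs_host: str) -> list:
    """List the walkthrough step numbers whose setting is absent or wrong."""
    results = check_adfs_federation(xml_text, host, adfs_host)
    return sorted(STEP_FOR_CHECK[name] for name, ok in results.items() if not ok)


if __name__ == "__main__":
    for label, text in (("stock", STOCK_SP), ("configured", CONFIGURED_SP)):
        print(label, "missing steps:",
              missing_steps(text, "your-domain.com", "your-domain.com"))
```

To run it against a real server, replace the embedded string with the contents of c:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml and pass your own host names; a non-empty list from missing_steps means the corresponding numbered step above has not taken effect, and an unsigned SP (step 3 missing) is the usual reason single logout silently fails.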

More Info: A Quick Walkthrough: Setting up AD FS SAML Federation with a Shibboleth SP