Shibboleth is an open-source software project that provides SAML and WS-Federation protocol support. Since it talks standard protocols, AD FS can be configured to grant access to resources protected by Shibboleth.

Prerequisites

AD FS 2.0 installed and working at https://your-domain/adfs/ls/. For simplicity's sake, this post will install Shibboleth onto the same machine as AD FS. It also assumes the default AD FS identifier is used: https://your-domain.com/adfs/services/trust.

Download and install the 32-bit or 64-bit Shibboleth package as appropriate to your server. Restart your computer when prompted.
Edit c:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml as follows (placeholder values such as your-domain.com are the text you'll need to change to reflect your environment):
- Replace <Site id="1" name="sp.example.org"/> with <Site id="1" name="your-domain.com"/>
- Replace <Host name="sp.example.org"> with <Host name="your-domain.com">
- Enable request/response signing (necessary for single logout to work) by setting the signing attribute of the ApplicationDefaults element to true
- Set the entityID attribute of the ApplicationDefaults to https://your-domain.com/shibboleth
- Under the Sessions element, change the first SessionInitiator example to refer to your AD FS instance by setting its entityID attribute to https://your-domain.com/adfs/services/trust
- Tell Shibboleth where to find AD FS’s metadata. Under the MetadataProvider element, add:
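Added here as a check, not as part of the original post: a small Python script that parses shibboleth2.xml and reports which of the edits listed above are still missing, so that a leftover default such as signing="false" or sp.example.org is caught before the SP is put in front of AD FS. It assumes the Shibboleth SP 2.x configuration namespace and runs against a constructed, cut-down sample file; the MetadataProvider entry is not checked.

```python
# Added example (not from the original post): verify that the shibboleth2.xml
# edits described above were applied, so a forgotten default such as
# signing="false" or a leftover sp.example.org is caught before deployment.
import xml.etree.ElementTree as ET

# Namespace used by Shibboleth SP 2.x configuration files.
NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}

def check_shibboleth2(xml_text, host, adfs_entity_id):
    """Return a list of problems; an empty list means every edit is present."""
    root = ET.fromstring(xml_text)
    problems = []
    site = root.find(".//sp:Site", NS)
    if site is None or site.get("name") != host:
        problems.append("Site name is not %s" % host)
    hosts = [h.get("name") for h in root.findall(".//sp:Host", NS)]
    if host not in hosts:
        problems.append("no Host element named %s" % host)
    app = root.find("sp:ApplicationDefaults", NS)
    if app is None:
        return problems + ["ApplicationDefaults element missing"]
    if app.get("signing") != "true":
        problems.append("ApplicationDefaults signing is not true (single logout will fail)")
    if app.get("entityID") != "https://%s/shibboleth" % host:
        problems.append("ApplicationDefaults entityID is not https://%s/shibboleth" % host)
    # The first SessionInitiator under Sessions must point at the AD FS identifier.
    init = app.find("sp:Sessions/sp:SessionInitiator", NS)
    if init is None or init.get("entityID") != adfs_entity_id:
        problems.append("first SessionInitiator does not point at %s" % adfs_entity_id)
    return problems

# Constructed sample: a cut-down stock file with only some of the edits applied.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess><ISAPI><Site id="1" name="your-domain.com"/></ISAPI></InProcess>
  <RequestMapper type="Native"><RequestMap><Host name="sp.example.org"/></RequestMap></RequestMapper>
  <ApplicationDefaults id="default" entityID="https://your-domain.com/shibboleth" signing="false">
    <Sessions>
      <SessionInitiator type="Chaining" id="Login" entityID="https://idp.example.org/idp/shibboleth"/>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

if __name__ == "__main__":
    adfs = "https://your-domain.com/adfs/services/trust"
    for problem in check_shibboleth2(SAMPLE, "your-domain.com", adfs):
        print("FIX:", problem)
```

Run it against the real file with open(path).read() in place of SAMPLE; an empty result means the five edits are in place.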