ADFS can also be configured to authenticate users against an external identity provider (referred to as the Claims Provider from here on). This requires setting up a trust between ADFS and the Claims Provider, which includes importing the signing certificate the Claims Provider supplies into ADFS. Creating a new claims provider trust is not covered here, because Microsoft has a very good article on it: https://technet.microsoft.com/en-us/library/dn486771(v=ws.11).aspx
Recently I was asked to update the expired certificate and federation metadata of an existing Claims Provider Trust from a metadata file. I did not find a straightforward article explaining how to update an existing Claims Provider Trust from a file, so here are the steps I followed.
- Add any root CA certificate you received from the Claims Provider to the "Trusted Root Certification Authorities" store of the Local Computer on the ADFS server, so that the new signing certificate's chain can be validated
- Open Windows PowerShell on the ADFS server as an administrator
- Load the ADFS PowerShell snap-in (this is the ADFS 2.0 snap-in on Windows Server 2008 R2; on Windows Server 2012 and later the cmdlets live in the ADFS module, loaded with Import-Module ADFS):
- Add-PSSnapin Microsoft.Adfs.PowerShell
- Update the trust from the metadata file:
- Update-AdfsClaimsProviderTrust -TargetName [Name of Claims Provider Trust to update] -MetadataFile [XML file location]
The above step updates the metadata (endpoints, entity ID, and so on) and also the signing certificate, provided the certificate is included in the metadata. To check whether a certificate is present, search the metadata file for the X509Certificate element; in SAML 2.0 metadata it sits inside a KeyDescriptor of the IDPSSODescriptor, and the Base64 text inside it is the certificate ADFS will import. After the update, compare the thumbprint of that certificate with the token signing certificate shown on the trust in the ADFS management console to confirm the import actually happened.
Perform the step below only if, after the update, logins through the Claims Provider fail and ADFS logs the following errors:
- The Federation Service encountered an error while processing the WS-Trust request. Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
- Encountered error during federation passive request
These errors appear when ADFS cannot validate the chain or revocation status of the new signing certificate. The quick workaround is to turn off the revocation check on the trust:
- Set-AdfsClaimsProviderTrust -TargetName [Name of Claims Provider Trust] -SigningCertificateRevocationCheck "None"
Be aware that "None" disables revocation checking for that trust entirely, so ADFS would keep accepting tokens signed with a key the Claims Provider has revoked. Before settling on it, check that the ADFS server can reach the CRL or OCSP endpoints listed in the new certificate and that the root CA from the first step is really in the Local Computer store; if the root is trusted but its CRL is not reachable, the narrower value "CheckChainExcludeRoot" is usually enough.
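The whole procedure, as an added PowerShell example that is not part of the original post: it loads the ADFS cmdlets, imports the Claims Provider's root CA, updates the trust from the metadata file, then verifies that the certificate found in the metadata is the one ADFS now holds for the trust and, for the failure case described above, runs the same online chain and revocation build that ADFS performs so you can see why a login would fail before resorting to disabling the check. The trust name, metadata path and root certificate path are assumed placeholders; replace them with your own.

```powershell
# Added example, not the original post's code. Assumed placeholders: adjust for your environment.
param(
    [string]$TrustName    = 'Contoso IdP',                      # assumed display name of the trust
    [string]$MetadataFile = 'C:\temp\contoso-idp-metadata.xml',  # assumed path to the new metadata
    [string]$RootCertFile = 'C:\temp\contoso-root.cer'           # assumed path to the IdP root CA (optional)
)

# ADFS 2.0 (Server 2008 R2) ships a snap-in; Server 2012 and later ship the ADFS module.
if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS }
else { Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop }

# Step 1: trust the Claims Provider's root CA on this machine so chain validation can succeed.
if (Test-Path $RootCertFile) {
    Import-Certificate -FilePath $RootCertFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# Step 2: record what the trust holds today, so the change can be verified (and reverted if needed).
$before = Get-AdfsClaimsProviderTrust -Name $TrustName
$before.TokenSigningCertificates |
    ForEach-Object { "Before: {0} thumbprint {1} expires {2}" -f $_.Subject, $_.Thumbprint, $_.NotAfter }

# Step 3: update the trust from the metadata file (the command the post uses).
Update-AdfsClaimsProviderTrust -TargetName $TrustName -MetadataFile $MetadataFile

# Step 4: pull the signing certificate(s) out of the metadata ourselves and compare thumbprints.
[xml]$md = Get-Content -Path $MetadataFile
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$mdCerts = $md.SelectNodes($xpath, $ns) | ForEach-Object {
    $raw = [Convert]::FromBase64String(($_.InnerText -replace '\s', ''))
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
}

$after = Get-AdfsClaimsProviderTrust -Name $TrustName
foreach ($c in $mdCerts) {
    if ($after.TokenSigningCertificates | Where-Object { $_.Thumbprint -eq $c.Thumbprint }) {
        "OK: trust now holds {0}, valid until {1}" -f $c.Thumbprint, $c.NotAfter
    } else {
        Write-Warning ("Metadata certificate {0} was not imported into the trust" -f $c.Thumbprint)
    }
    if ($c.NotAfter -lt (Get-Date)) { Write-Warning ("Certificate {0} is already expired" -f $c.Thumbprint) }

    # Step 5: reproduce the validation ADFS does on the signing certificate, with online
    # revocation checking over the whole chain. A failure here explains the WS-Trust /
    # passive request errors from the post, and the ChainStatus tells you whether the
    # problem is an untrusted root (fix the store) or an unreachable CRL/OCSP endpoint.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if ($chain.Build($c)) {
        "Chain and revocation check passed for {0}; keep SigningCertificateRevocationCheck as is" -f $c.Thumbprint
    } else {
        $chain.ChainStatus | ForEach-Object { "Chain problem: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim() }
        "Current trust setting: SigningCertificateRevocationCheck = $($after.SigningCertificateRevocationCheck)"
        # Only after the chain problems above are understood, and only as a last resort:
        # Set-AdfsClaimsProviderTrust -TargetName $TrustName -SigningCertificateRevocationCheck None
    }
}
```

Run it on the ADFS server in an elevated PowerShell session. The chain build in step 5 uses the Local Computer certificate stores and the server's own network path to the CRL and OCSP endpoints, so its result reflects what the Federation Service will see; a RevocationStatusUnknown or OfflineRevocation status points at a blocked endpoint rather than a bad certificate, and that is usually fixable without weakening the trust's revocation setting.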