Questions tagged [adfs]

Microsoft Active Directory Federation Services (AD FS) is an identity federation technology that provides single sign-on access to web services and web applications using WS-* and SAML.

94 votes
1 answer
242k views

What is ADFS (Active Directory Federation Services)?

So I've been told that our PHP application may need to support authentication using ADFS. For a non-Microsoft person, what is ADFS? How does it differ to things like LDAP? How does it work? What ...
Simon East's user avatar
  • 1,514
49 votes
7 answers
19k views

If a Windows shop moves "everything" to the cloud, does it still need Active Directory?

Taking a spin off of this question: Do I really need MS Active Directory? in a new direction for 2014. Taking into account a basic Windows infrastructure: domain controllers Exchange 2007/2010/2013 ...
TheCleaner's user avatar
  • 32.7k
16 votes
3 answers
80k views

An error occurred while using SSL configuration for endpoint 0.0.0.0:443

Based on information received from the network team. I have determined that the issue most likely rests with the application servers on the WAN. After replacing the certificate, I ran the PowerShell ...
lync sahni's user avatar
12 votes
1 answer
18k views

ADFS - Restrict to AD Group

I just implemented an ADFS server to connect a third-party chat tool with our Active Directory via SAML 2.0. Everything works fine so far but there's a little problem: As soon as a user logs in, the ...
hardmod's user avatar
  • 431
11 votes
1 answer
2k views

Microsoft Exchange Federation Trust Broken After Verifying in Office 365

Okay so...this all started during our Office 365 setup. According to Microsoft, you have to delete your on-premises federation trust from Exchange, verify the domain, then add it back...otherwise you ...
Nathan C's user avatar
  • 15.1k
8 votes
3 answers
2k views

Can ADFS connect to other SSO services?

I have a .net application that's wired up to my local ADFS server (connected to our corporate AD server) and everything is working fine. My question is, can my ADFS establish a trusted connection to ...
RichC's user avatar
  • 295
8 votes
1 answer
33k views

What is the SAML Assertion Consumer URL for an AD FS 2.0 Service Provider

I am configuring a service provider to use SSO authentication. I will be using AD FS 2.0 for this. What is the URL for the SAML Assertion Consumer that I need to give to the IdP? I think it may be ...
Colin's user avatar
  • 89
7 votes
2 answers
22k views

Why can a user log in via more than one UPN?

I've changed the UPN suffix for all users of a company from us.mycompany.local to mycompany.com in order to use claims-aware applications. In testing before the change I discovered that even if I ...
Jim B's user avatar
  • 24.1k
7 votes
2 answers
3k views

Is ADFS a must-have, when you deploy hybrid exchange server?

With AADC implemented in our AD and Office 365, we want to deploy a hybrid Exchange next, is ADFS a must? Thanks!
thomasnli's user avatar
7 votes
2 answers
10k views

How can the x-frame-options HTTP header of ADFS 3 be manipulated?

By default, ADFS 3 responses contain the "X-Frame-Options: DENY" HTTP header. This prevents ADFS from being run in an iframe, because this presents an opportunity for clickjacking attacks. ...
wkampmann's user avatar
7 votes
0 answers
1k views

Signout with ADFS3 with SAML

I have implemented SSO using ADFS3. I have a logout button for sign out and it’s working fine with my ws-federation passive endpoints. On logout I redirect user to logout.aspx page and there I have ...
user641812's user avatar
6 votes
1 answer
5k views

Can you obtain a list of users via ADFS?

I need to implement a company website that would be accessed from the outside of the company. It is required that the users are able to login with the same credentials as they access the company ...
d0001's user avatar
  • 329
6 votes
1 answer
5k views

Support for refresh tokens in ADFS 2.2 OAuth flow

My colleague and I are trying to enable OAuth in ADFS 2.2. Everything is working except the server only passes back an access token (w/ expiration) and does not include a refresh token after ...
Matt Dearing's user avatar
6 votes
2 answers
2k views

Windows Identity Foundation (WIF) application + ADFS 2.0 on Classic pipeline mode - Is it possible?

I have a working test application that uses Windows Identity Foundation SDK and ADFS 2.0 for authentication, which runs on Windows Server 2008 R2, IIS 7.5, Integrated managed pipeline application pool ...
FourTonMantis's user avatar
5 votes
2 answers
7k views

Send objectGUID as an AD FS 2.0 Claim

I would like to send objectGUID as a claim with AD FS 2.0 running on Windows Server 2012. I know I can create Issuance Transform Rules for a Relying Party Trust, but how does AD FS 2.0 know about ...
Wes's user avatar
  • 155
5 votes
3 answers
10k views

send NameID claim without encryption in ADFS 2.0

My Service Provider issues a SAML 2.0 AuthRequest with a NameIDPolicy tag like so: <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/> ...
Ryan Fernandes's user avatar
5 votes
3 answers
13k views

Is it a bad idea to install ADFS on the AD server itself?

Working with a client to configure ADFS, just got this in an e-mail: "We are using Server 2008 Enterprise with AD, GP, DNS and DHCP running on the same box." And now he indicates he wants to also ...
MetaGuru's user avatar
  • 896
5 votes
1 answer
454 views

Does an ADFS v2 server have to be on the actual domain server?

Can an ADFS v2 server be installed stand-alone, or is it tightly coupled with the AD server?
Carl Hörberg's user avatar
5 votes
3 answers
41k views

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain

I'm using federated identity for Office-365 single sign-on. I have added the password change endpoint to my ADFS 3.0 server, and successfully opened the adfs update password page. However, whenever I ...
user3340627's user avatar
5 votes
1 answer
6k views

ADFS SAML Single Logout

I'm dealing with a web application hooked up to ADFS as a relying party, for single sign on integration with a partner claims provider. It's all via SAML (not WS Federation.) The web app is .NET and ...
Erik Mooney's user avatar
5 votes
1 answer
1k views

How do I enable SAML Passive Authentication in ADFS 3.0?

For several years, I've used ADFS 2.x as a SAML IDP that works with SAML Passive Authentication. When the isPassive=true flag was set on the Request, the Response would include the following ...
Phil's user avatar
  • 161
4 votes
2 answers
16k views

ADFS Error - MSIS9605: The client is not allowed to access the requested resource

I have an on-premise installation of Dynamics CRM 2016 which has claims-based authentication configured using an ADFS 4.0 (Server 2016) instance. Logging into CRM works fine via ADFS. I have a ...
DaveTrux's user avatar
  • 141
4 votes
1 answer
4k views

Bulk update displayname attribute to match cn attribute for all AD groups

We are setting up ADFS for identity federation with a Microsoft Online service. The documentation states that "Groups without a displayname will NOT get synchronized..." We have over 250 groups that ...
Daniel Lucas's user avatar
  • 1,192
4 votes
2 answers
6k views

Issue multiple claims in a single rule

Is there a simple way to issue multiple claims in a single ADFS Claim rule? The only example I can see is ones which query an attribute store, and each retrieved column is mapped to a different claim ...
Damien_The_Unbeliever's user avatar
4 votes
1 answer
7k views

Office 365 ADFS authentication not working for child domains

A company is using Office 365 with ADFS authentication; AD Connect is used for directory synchronization, ADFS is the Windows server 2012 R2 version. The company has multiple Active Directory domains:...
Massimo's user avatar
  • 70.7k
4 votes
1 answer
2k views

AD FS - Send AD Attributes to Shibboleth SP

I have an AD FS claims provider set up and a Shibboleth SP successfully authenticating against it. When I log into the site that's protected by Shibboleth, the index shows all of the headers. I am ...
OrangeGrover's user avatar
4 votes
2 answers
5k views

ADFS - Combining Claims from Provider Trusts and AD

As part of implementing a SharePoint 2013 installation, I have configured SSO with ADFS on Windows Server 2012R2. There are two separate AD forests, one as part of the Hosted SharePoint/ADFS and one ...
Antix's user avatar
  • 383
4 votes
2 answers
43k views

Issue connecting to AD FS configuration database

I just installed the AD FS role on my DC using the Windows Internal Database. All seemed to be fine after I set everything up, however, once I restarted my DC, when attempting to load the AD FS ...
Michael H's user avatar
4 votes
1 answer
2k views

Certificate errors on ADFS 2.0 + ASP.NET development environment with two or more domains

I'm trying to set up a claims-aware web app development environment. I am new to ADFS 2.0 and ultimately, I want to be able to authenticate against two different domains. I think I am very close but I'...
Isaac Butt's user avatar
4 votes
2 answers
6k views

Using ADFS 2.0 for Google apps single sign on

Microsoft Active Directory Federation Services 2.0 has been recently released, and it has passed interoperability tests for SAML 2.0. Does this mean that it can be used to authenticate users of ...
Zoredache's user avatar
  • 131k
4 votes
0 answers
5k views

How should the relying trust be set up in ADFS for SAML-based SSO?

We've done SAML-based SP-initiated SSO with a number of customers, and it's all been ok (eventually). We've got a customer now who's using ADFS. We can get idP-initiated to work fine, but with SP-...
Elbin's user avatar
  • 141
3 votes
1 answer
4k views

Cannot set CORSEnabled and CORSTrustedOrigins properties on ADFS 2019

The Problem: There are properties in ADFS 2019 that indicate that you can enable CORS Headers for the ADFS Login Page and set the allowed origins. Get-AdfsProperties CORSEnabled ...
Thomas Lazar's user avatar
3 votes
3 answers
49k views

ADFS Passive Request = "There are no registered protocol handlers"

I'm trying to configure ADFS to work as a Claim Provider (I suppose AD will be the identity provider in this case). Just for simple testing, I've tried the following on a Windows Server 2016 machine: 1) ...
Raheel Hasan's user avatar
3 votes
3 answers
22k views

ADFS and relying party token-signing certificates

I haven't quite gotten the grasp of relying party token-signing certificate's functionality with ADFS 2.0 / 3.0. Once the automatic self-signed certificate roll-over occurs (by default), there are ...
lapingultah's user avatar
3 votes
3 answers
3k views

Does ADFS work with SSL offloading?

Does ADFS work with SSL offloading? I've only seen ADFS with SSL certificates on the web servers, and we know it requires SSL. But does this requirement mean it must be all the way through to the ...
user2722403's user avatar
3 votes
2 answers
8k views

ADFS error after upgrading from ADFS 2.1 to 4.0

I don't know if anyone has seen this issue or has any ideas? We've recently migrated ADFS from ADFS 2.1 on W2008r2 to ADFS 4.0 on W2016. Basic functionality seems fine but I'm seeing an issue with ...
Rob Moir's user avatar
  • 32k
3 votes
2 answers
9k views

Security error when adding a secondary ADFS Server

I have created an ADFS server according to the guide on technet. However, when attempting to add a secondary ADFS server using the latter part of this guide on technet, the process fails. PS > ...
Cameron's user avatar
  • 287
3 votes
2 answers
2k views

Office 365 SSO with different internal and external domain names

I'm trying to get SSO to work with Office 365 and Sharepoint online and I'm getting really confused. My internal domain is "internal.com" and my external name is "external.com". external.com is added ...
blsub6's user avatar
  • 1,131
3 votes
1 answer
361 views

How to integrate Office 365 with Microsoft on-premise Multi-Factor Authentication?

We purchased Microsoft Multi-Factor Authentication (on-premise). How do I integrate that with Office 365? We have Azure AD Connect syncing on premise AD to Azure. We also have ADFS setup to ...
Brent Mattson's user avatar
3 votes
1 answer
4k views

Can we configure ADFS for IDP initiated SSO

I'm looking for ways of integrating ADFS as an IDP for a SAML2 service provider. I have already configured the SAML2 provider with the verification certificates etc. And we used "Add Relying Party ...
Jayantha Lal Sirisena's user avatar
3 votes
1 answer
5k views

How to move ADFS to new servers?

Environment: an Active Directory forest with multiple domains, several of which are federated with the same Office 365 tenant; directory synchronization is in place, ADFS too. There is a single ADFS ...
Massimo's user avatar
  • 70.7k
3 votes
2 answers
3k views

Using Shibboleth with ADFS doesn't work

I'm trying to familiarize myself with Shibboleth 2.5.3 and Active Directory Federation Services (tried both 2.0 and 3.0). What I'd like to achieve is having an Apache server authenticate against ADFS ...
Julian B's user avatar
  • 133
3 votes
2 answers
2k views

Custom AD FS Rule for Office 365 MFA ActiveSync Exemption

We set up Office 365 with our RSA keys, and we are looking to exempt our mobile devices and Outlook from MFA for now. From what I understand we have to form a custom issuance transform AD FS claim ...
David Eisen's user avatar
3 votes
1 answer
2k views

How to configure ADFS 2.0 to send SAML 2.0 token when using WS-Federation

I have a related party application that can accept SAML 1.0 and 2.0 over WS-Federation. I configured my claims and trust relationship manually and everything works as expected. I inspected the token ...
Sebastian K's user avatar
3 votes
1 answer
5k views

ADFS 2.0 and Shibboleth SP 2.5.3 - Unable to locate Metadata

I am attempting to use Shibboleth SP (64-bit on Windows Server 2008 R2) to authenticate with ADFS 2.0 (64-bit Windows Server 2008 R2). When I browse to the Shibboleth protected site, I get a 500 error ...
OrangeGrover's user avatar
3 votes
2 answers
9k views

ADFS 2.0 Farm - How do I perform an immediate sync

We're using ADFS 2.0 on a windows 2008 server, it's in a farm and has the default polling interval of 5 minutes. We're making a change tonight and would rather sync immediately than wait for the ...
Matt's user avatar
  • 1,903
3 votes
1 answer
763 views

Where do I purchase token signing certificate for ADFS?

We are integrating with ADFS (SAML) with a customer. The customer requires us to obtain token signing certificate, trusted by well known CA. The certificate will be used to sign SAML requests that are ...
weilin8's user avatar
  • 133
3 votes
1 answer
2k views

Configuring Google Chrome to Connect to AD Configured with Kerberos and Using ADFS

I'm trying to configure Google Chrome (and Firefox) to authenticate using Active Directory tunneled through ADFS SAML/Kerberos Endpoints and an Apache application using Shibboleth. Here are some ...
Franz Noel's user avatar
3 votes
1 answer
3k views

ADFS 3.0 Need Powershell command to remove Homelink

I am working on a Microsoft Windows Active Directory ADFS 3.0 (2012 R2 specifically) server. I was testing the Set-AdfsGlobalWebContent -Homelink and -Homelinktext options. I'd like to now remove/...
user339468's user avatar
3 votes
1 answer
10k views

Why is ADFS not passing credentials through with Integrated Windows Authentication?

We have an ADFS 2.0 instance set up. We use it for 3rd party web app single sign-on. Everything works beautifully with the existing app, App1 with SAML 2.0, including IWA pass-through when users are ...
Thomas's user avatar
  • 890
