I’m an IT infrastructure architect, working in the Netherlands, specialising in the Access Control/ Management space.
-
Follow
Following
Already have a WordPress.com account? Log in now.
I’m an IT infrastructure architect, working in the Netherlands, specialising in the Access Control/ Management space.
The Access Onion 
Hello Mylo, i received your blog from ET, interesting reads !!! I know where I need to be for my KDC problems 😉
Cu @ Quest TEC Frankfurt ?
Toni Vervloet
Hi Toni,
Ha! I shall deny all knowledge if it does work and revel in the glory if it doesn’t .. or is it the other way around 😛
Can’t do TEC this year chum, sadly 😦
Regards,
Mylo
Hi Mylo,
Thanks for the article. I am looking forward to the furture parts of this article as I am trying to establish a trust relationship between OpenAM and ADFS 2.0. In the meantime(before you publish the following parts), could you please give pointers to resources.
Thanks,
Sindhu
Hi Mylo
i have implemented a scenario similar to the one you have details in your artical – Federated SSO Logon with AD FS 2.0 in an Extranet with UAG .
in my case , i had to used .net WIF web application as a bridge for java web app and wif STS as external identity provider for SharePoint portal. .
in the other side, i use UAG in the front and for KCD with SharePoint , ADFS2 as SSO bridge
everything is working just fine, but when i am trying to automate the process by providing the WHR parameter in the request to ADFS, UAG changes the URL in a way ADFS can not understand, so the user need to choose from the drop dawn list for the external STS.
when i am sending the same URL directly to ADFS, the home realm discovery protocol works great and the process is automated …
any suggestions ?
regards
yaron
Hi Yaron,
Sorry I didn’t reply to this earlier. I’ll setup UAG in a sandpit again and test this. Meanwhile, you might want to have a look at an advanced trunk feature called Manual URL Replacement. This looks like it allows reroute of requests (before authentication) to back-end applications.. in this case you may be able to invoke HRD with the WHR parameter specified, thus writing the cookie, before authentication kicks off.
Regards,
Mylo
Hi,
I am configuring ADFS RP thru poweshell cmdlets and I used following script to add RP trust with SignatureAlgorithm to ‘SHA-1’. But it is not changing the secure-hash algorithm to SHA-1 and its pointing to SHA-256.
Add-ADFSRelyingPartyTrust -Name ‘T6.5’ -MetadataFile ‘C:\Users\windows\Desktop\sp.xml’ -SignatureAlgorithm ‘http://www.w3.org/2000/09/xmldsig#rsa-sha1’
Can you pls let me know how should I make the secure-hash algorithm to SHA-1 thru cmdlets only?
Appreciate your help.
Thanks
SGK
Hi SGK,
You can use the Set-ADFSRelyingPartTrust command afterwards to set the signature algorithm to SHA#1. You’ll see with the UI that the same quirk exists when creating an RP and you need to set it afterwards.. not sure why.. one of the wonders of the world 🙂
Regards,
Mylo
It worked.. Thanks Mylo!!
Have another question.
I am configuring ADFS as IdP with OIF (Oracle Identity Federation) as RP.
OIF-RP is configured with SSL with self-signed cert and RP side self-signed cert is loaded to “Trusted Root Certification Authorities” under “Computer account” (MMC->Add or remove Snap-ins->Add Certificates->Computer account)
Tried running ‘Add-ADFSRelyingPartyTrust’ cmdlet with metadata URL like this:
Add-ADFSRelyingPartyTrust -Name ‘OIF’ -MetadataURL ‘https://rphost:7002/fed/sp/metadata’
I am getting following error:
Add-ADFSRelyingPartyTrust : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
At line:1 char:26
+ Add-ADFSRelyingPartyTrust <<<< -Name 'OIF' -MetadataURL 'https://rphost:7002/fed/sp/metadata'; + CategoryInfo : InvalidData: (:) [Add-ADFSRelyingPartyTrust], WebException + FullyQualifiedErrorId : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.,Microsoft.IdentityServer.PowerShell.Commands.AddRelyingPartyTrustCommand
When I tried with "-MetadataFile c:\rpMetadata.xml" it worked. Also when I tried accessing in browser with OIF metadata URL:'https://rphost:7002/fed/sp/metadata', I am able to get the metadata successfully.
Kindly let me know how should I do to avoid this issue.
Appreciate your help!!
Thanks
SGK
Dear Mylo,
Having another issue.
I am configuring ADFS as IdP with OIF (Oracle Identity Federation) as RP.
OIF-RP is configured with SSL with self-signed cert.
I tried the establishing RP-trust with OIF using ADFS mgmt console using metadata URL and getting issue.
Followed below steps for this task:
1. Downloaded RP-host cert – “https://rphost:7002” thru browser from ADFS box (got cert error)
2. Then installed that cert in ‘Local Computer’ of ‘Trusted Root Certificate Authorities’.
3. Closed all browser and then accessed “https://rphost:7002″, but still got same cert error. 😦 don’t know why its not getting effect.
4. Tried establishing RP-trust using”https://rphost:7002/fed/sp/metadata” in ADFS mgmt console, but resulted in below error.
An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint.
Verify your proxy server setting…
Error Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Both ADFS and OIF boxes are in same network and they can access with no proxy settings.
When I tried with Metadata File load, it worked. Also when I tried accessing in browser with OIF metadata URL:’https://rphost:7002/fed/sp/metadata’, I am able to get the metadata successfully with SSL cert error at first.
Let me know how should I solve this issue.
Thanks
SGK
SGK,
The certificate name (common name) needs to match the name you described in the federation trust. If you’re getting an SSL error when accessing the cert thru a browser then it means that the browser is not trusting the certificate in question, either because there’s a name mismatch or it’s not installed correctly in the Trusted Root Authority store. Until you’ve resolve the error in the browser, the underlying connection between ADFS and OIF-RP will also fail because the certificate is not trusted.
Regards,
Mylo
Hi Mylo,
Thank you very much for your help!!
The problem lies in the CN and issuer name mismatch. I rectified this issue after getting your help. Deeply appreciate you on helping me. Many thanks!!
God bless you!!
Thanks
SGK
Hi Mylo,
Is it possible to run powershell script using “ssh” or any protocol from remote-host (Linux)?
Followed these steps:
1.Have ‘freeSHd’ installed which runs ssh/ telnet services.
2.Able to connect Windows 2008R2 host thru SSH.
3.Able to run (powershell.exe) and entered into powershell environment.
4.Set the Execution Policy to ‘Restricted’ (Set-ExecutionPolicy Unrestricted) before running the powershell script.
5.Ran the script & “C:\Scripts\setUp.ps1”
6.Received following error:
The term ‘Add-ADFSRelyingPartyTrust’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. t C:\Scripts\setUp.ps1:1 char:26
+ Add-ADFSRelyingPartyTrust <<<< -Name 'RP' -MetadataURL 'https://rphost:443/fed/sp/metadata'; + CategoryInfo : ObjectNotFound: (Add-ADFSRelyingPartyTrust:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException
Also tried running like this and resulted in same error:
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy ByPass -command ". 'C:\Scripts\setUp.ps1'"
Please let me know how to solve this issue.
Thanks
SGK
You need to add the ADFS Powershell module to your script
Add-PSSnapin Microsoft.Adfs.PowerShell
Regards,
Mylo