This post contains the steps required to configure AD FS 3.0 as a federated authenticator in WSO2 Identity server using SAML.
Note: This is will be supported out-of-the-box with Identity Server 5.1.0 M3 onwards. If you are to use this with Identity Server 5.0.0 (with SP 1) you’ll need to some modifications to the source. The details can be found at  & .
- WSO2 Identity Server 5.1.0 M3 or above
Identity Server Service Pack 2 (yet to be released)
- ADFS 3.0
Adding IS as a Relying Party in ADFS
In ADFS Management UI expand Trust Relationship, right click on Relying Party Trust and select Add Relying Party Trust…
Follow the wizard as shown below
Type a desired display name for the relying party and click Next.
Select AD FS Profile and Click Next.
We are not using an encryption certificate so click Next.
Set the relying party SAML 2.0 SSO service url to the commonauth endpoint of IS. e.g:
Add the relying party trust identifier and click Next. The value you enter here should be entered in IS IdP settings as well. Setting up the IdP is explained in the next section.
We won’t be configuring multi-factor authentication so click Next.
Select Permit all users to access this relying party and click Next.
Review the settings and click Next.
Click Close to finish adding the relying party trust. Also let the wizard to open the Claim Rules dialog
In the Edit Claim Rule dialog we will specify which claims to be sent to the relying party. In this example I’m sending the SAM-Account-Name LDAP attribute as a NameID claim.
First click Add Rule…
Select Send LDAP Attributes as a claim and click Next.
Set a Claim rule name and map SAM-Account-Name to E-Mail Address. Then click Finish.
Click Add Rule… again to transform the email address claim to NameID claim. Select Transform an Incoming Claim and click Next.
Set the Claim rule name. Select the incoming claim type as E-Mail Address and outgoing claim type and ID format as Name ID and Unspecified respectively. Then click Finish.
Then apply and close the claim rules dialog.
Before we wrap up things in AD FS side, there are few configuration changes needed to be done in Relying Party Trust properties. For that right click on the Relying Party Trust we just created and select Properties.
Goto Signature tab and click Add.
The certificate which should be added here depends on a couple of things. If the Service Provider in IS is under the super tenant domain. The public certificate of IS should be used. Else, the public certificate of the tenant domain should be selected. The public certificate of the tenant can be exported from the Key Management feature of the IS management console. In this post, the service provider is added in the super tenant domain and the default keystore has not been change. Therefore the default wso2carbon certificate is used. You can export the certificate from wso2carbon.jks which is located at /repository/resources/security/ directory.
When importing the default certificate you will get the following dialog. Click Yes to proceed.
Next move to Endpoint tab. Here we have to set the SAML logout endpoint. Click Add SAML…
Select Endpoint Type as SAML Logout and the Binding as POST. Set the Trusted URL as https://<AD_FS_server>/adfs/ls and the Response URL as the /commonauth endpoint of IS. Once it is done save the property settings of the RP.
Next we will move on to configuring AD FS as an Identity Provider in IS. For the configurations we will have to add the Token signing certificate of AD FS. To export the token signing certificate of IS do as follows.
In AD FS management UI, click on Certificates under Service, right click on Token-signing certificate and select View Certificate.
Goto Details tab and click Copy to File… Then follow the Certificate Export Wizard.
Select Base-64 encoded X.509 (.cer) and click Next.
Save the certificate to a desired location and Finish the wizard.
We will move on to configuring IS next.
Adding AD FS as a Federated Authenticator in IS
Login to IS Management console and click Add under Identity Providers. Type a unique name for the IdP and add the Token-signing certificate of ADFS by clicking the Browse button.
Next set the SAML Web SSO Configuration under Federated Authenticators.
- Check Enable SAML2 Web SSO
- Identity Provider Entity Id: This can be found in FederationMetadata.xml under entityID attribute. The FederationMetadata.xml can be accessed through https://<AD_FS_server>/FederationMetadata/2007-06/FederationMetadata.xml. The Entity ID is usually in the form
- Service Provider Entity Id should be same as what’s given in AD FS RP trust identifier. eg:wso2-is
- SSO URL should be in the form of http://<AD_FS_server>/adfs/ls
- Check Enable Logout
- Logout URL should be the same as SSO URL
- Check Enable Logout Request Signing
- Select HTTP Binding as POST
Once the details are entered click Register to save the IdP.