Connect Microsoft AD FS with SAML 2.0 authentication method

FoxIDs can be connected to AD FS with a SAML 2.0 authentication method. Where AD FS is a SAML 2.0 Identity Provider (IdP) and FoxIDs is acting as an SAML 2.0 Relying Party (RP).

Configuring AD FS as Identity Provider (IdP)

1 - Start by creating an SAML 2.0 authentication method in FoxIDs Control Client

The SAML 2.0 authentication method can either be configured by using the AD FS metadata https://...adfs-domain.../federationmetadata/2007-06/federationmetadata.xml or by manually adding the SAML 2.0 details.

Recommended SAML 2.0 bindings:

  • Authn request and response binding: Post
  • Logout request and response binding: Post

Remark; The authn request redirect binding can result in a long query string which can cause problems I some devices. Therefore post binding is preferable.

Take a look at the AD FS sample configuration in FoxIDs Control:
Get read access with the user [email protected] and password TestAccess! then select the Production environment and the Authentication methods tab.

The following screen shot show the basic FoxIDs SAML 2.0 authentication method configuration using AD FS metadata in FoxIDs Control Client.

The AD FS metadata endpoint need to be accessible online to do the SAML 2.0 configuration with AD FS metadata. If not, you need to do the configuration manually.

Configure SAML 2.0 AD FS authentication method

More configuration options become available by clicking Show advanced settings.

2 - Then go to the AD FS and create the Relying Party (RP)

In this part of the configuration you need to use the SAML 2.0 authentication method metadata. It is possible to call a fictive SAML 2.0 authentication method metadata in FoxIDs and thereby if preferred performing step 2 as the first step.

FoxIDs SAML 2.0 authentication method metadata
for tenant-x and environment-y with the authentication method name adfs-saml-idp1.

Configure the Relying Party (RP) on AD FS using the SAML 2.0 authentication method metadata.

Alternatively, the Relying Party (RP) can be configured manually on the AD FS with the following properties:

  • The public FoxIDs environment ('tenant-x' and 'environment-y') certificate
  • Hash algorithm, default SHA-256
  • The FoxIDs environment identifier or another identifier if configured
  • Assertion consumer service endpoint
  • Single logout (logout) service endpoint

3 - Then go to the AD FS Relying Party (RP) issuances claims configuration

It is recommended to add the NameID claim (in AD FS called the NameIdentifier) to enable the SessionIndex.

Without the NamID claim AD FS do not add the SessionIndex to the SAML token and it will therefore not be possible to do logout or single logout.

FoxIDs require AD FS to issue the users identity in either the NameID or at least one of the following claims:

  • NameID
  • UPN
  • Email
  • Name

Other claims is optional and can be received and transformed in FoxIDs.