ADFS signed response

I know this isn’t really the right forum, but I’m hoping to find an answer. We built our SAML implementation (service provider) to expect the response to be signed. We’re working on getting a client who uses ADFS set up. The integration guide says “It’s recommended that SAML messages or assertions from the identity provider are signed.”, but I can’t find any documentation that says how to sign the response. I know this is an ADFS question, but if someone knows the answer I would greatly appreciate it.

You can do this through the -SamlResponseSignature MessageOnly setting of the Set-AdfsRelyingPartyTrust PowerShell cmdlet.

https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust?view=windowsserver2019-ps

However, my recommendation is to expect either the SAML response or SAML assertion to be signed by the identity provider. This is how we default in later versions of the product. It means you don’t have to require additional configuration in the case of ADFS.
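As an added illustration of the setting named above (this is not ComponentSpace's code nor part of the original answer), the following PowerShell reads the current signing mode of an AD FS relying party trust, switches it to signing the SAML Response element, and confirms the change. It assumes an elevated session on the AD FS server; the trust name is a placeholder to replace with your own relying party trust's display name.

```powershell
# Added example, not from the original thread: inspect and change how AD FS
# signs SAML responses for one relying party trust.
Import-Module ADFS

# Placeholder: the display name of the relying party trust for your service provider.
$trustName = 'Example Service Provider'

# Read the current value. Valid values of SamlResponseSignature are
# AssertionOnly, MessageAndAssertion and MessageOnly.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) {
    throw "Relying party trust '$trustName' was not found on this AD FS server"
}
"Current SamlResponseSignature: $($trust.SamlResponseSignature)"

# Sign the SAML Response (message) itself, which is what an SP that
# validates the response signature expects.
Set-AdfsRelyingPartyTrust -TargetName $trustName -SamlResponseSignature MessageOnly

# Re-read the trust and verify the change took effect before testing a login.
$after = Get-AdfsRelyingPartyTrust -Name $trustName
if ($after.SamlResponseSignature -ne 'MessageOnly') {
    throw "Expected MessageOnly but found '$($after.SamlResponseSignature)'"
}
"SamlResponseSignature is now: $($after.SamlResponseSignature)"
```

If the service provider may later be changed to accept either a signed response or a signed assertion, `MessageAndAssertion` satisfies both checks at once, at the cost of two signatures per login; `MessageOnly` is the narrowest change that meets the requirement stated in the question.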


[quote]
ComponentSpace - 4/5/2021
You can do this through the -SamlResponseSignature MessageOnly setting of the Set-AdfsRelyingPartyTrust PowerShell cmdlet.

https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust?view=windowsserver2019-ps

However, my recommendation is to expect either the SAML response or SAML assertion to be signed by the identity provider. This is how we default in later versions of the product. It means you don't have to require additional configuration in the case of ADFS.


[/quote]

Thank you. That change is on my backlog, it's just not going to make it in time for this client.

Fair enough.