how to export sample SAML assertion from adfs

Hi,

I wonder if someone can help me here please. I have been given a task to configure single sign-on for a training membership website. So far all I have been given is a URL, i.e. https:abc.training.com.

I have been asked to provide 1) an X.509 cert and 2) an exported SAML assertion with attributes.

We already have ADFS configured. Am I right in understanding that my steps to complete this task would be:

1) Open the AD FS 2.0 Management Console and select Add Relying Party Trust to start the Add Relying Party Trust Wizard.

2) Select Enter data about the relying party manually and click Next.

3) Specify a display name of your choice and click Next.

4) Select AD FS 2.0 profile and click Next.

5) Click Next on the Configure Certificate page.

6) Select Enable support for the SAML 2.0 WebSSO protocol and configure the URL to the SAML URL as Relying party SAML 2.0 SSO service URL (this would be what I have been given: https:abc.trainin.com servlet/samlsso).

7) Enter the same URL as Relying party trust identifier and click Add to add it to the list. Click Next.

8) Select Permit all users to access the relying party and click Next.

9) Click Next on the next page, tick Open the Edit Claim Rules dialog and click Close.

10) The Edit Claim Rules window opens. In the first tab, click Add Rule.

11) Select Send LDAP Attributes as Claims and click Next.

12) Enter a name of your choice for the rule. Select Active Directory as Attribute store.

13) Save settings and export the ADFS token signing certificate, exporting it as X.509?

Is the above correct thinking? Also, how can I export SAML assertion attributes (what are they, and how do I find and export them)?

Please could someone confirm and help me complete this.

Many Thanks

Dan
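The same relying party trust that steps 1 to 13 build in the AD FS console, as an added example using the AD FS PowerShell module (this is not code from the thread or from ComponentSpace; the site names, URLs and file path are placeholders for the training site's real values):

```powershell
# Added example, not from the thread: the relying party trust that steps 1-13
# build in the AD FS console, created with the AD FS PowerShell module instead.
# All names and URLs are placeholders for the training site's real values.
Import-Module ADFS

$rpName = "Training Membership Site"                         # step 3
$rpUrl  = "https://abc.training.example/servlet/samlsso"     # steps 6 and 7

# Step 6: the SAML 2.0 WebSSO endpoint AD FS will POST the SAML response to.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri $rpUrl -Index 0 -IsDefault $true

# Steps 10-12: a "Send LDAP Attributes as Claims" rule in the AD FS claim rule
# language, mapping AD givenName and mail to the two SAML attributes asked for.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send given name and email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";givenName,mail;{0}", param = c.Value);
'@

# Step 8: "Permit all users to access the relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 1-9: create the trust. Step 7 uses the same URL as the identifier; it
# only has to match the partner's SP name exactly. No encryption certificate is
# given (step 5 just clicked Next), so the assertion is signed but not encrypted.
Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpUrl -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Step 13: export the primary token-signing certificate as a DER X.509 file
# (public key only; the private key never leaves AD FS). The training site
# uses it to verify the signature on every assertion it receives.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing |
            Where-Object { $_.IsPrimary }).Certificate
[IO.File]::WriteAllBytes("$PWD\adfs-token-signing.cer",
    $signing.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))
```

Run it in an elevated session on the AD FS server; the .cer file it writes is the X.509 certificate the training site asked for in item 1.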

Hi Dan
The steps you’ve listed are correct.
I also suggest taking a look at section 10.4 of our Developer Guide which lists the same steps and includes screenshots.
https://www.componentspace.com/Forums/8231/Developer-Guide
The other option is to generate SAML metadata for your SP. You can then import the metadata into ADFS rather than manually entering the configuration information. SAML metadata may be generated using the ExportMetadata project under Examples\Metadata. However, either approach is fine.
I’m not sure what you mean by exporting SAML assertion attributes.
You can retrieve the SAML metadata for ADFS which will list all available SAML attributes.
ADFS SAML metadata is available at:
https:///FederationMetadata/2007-06/FederationMetadata.xml

[quote]
ComponentSpace - 2/8/2018
Hi Dan
The steps you've listed are correct.
I also suggest taking a look at section 10.4 of our Developer Guide which lists the same steps and includes screenshots.
https://www.componentspace.com/Forums/8231/Developer-Guide
The other option is to generate SAML metadata for your SP. You can then import the metadata into ADFS rather than manually entering the configuration information. SAML metadata may be generated using the ExportMetadata project under Examples\Metadata. However, either approach is fine.
I'm not sure what you mean by exporting SAML assertion attributes.
You can retrieve the SAML metadata for ADFS which will list all available SAML attributes.
ADFS SAML metadata is available at:
https:///FederationMetadata/2007-06/FederationMetadata.xml
[/quote]

Many Thanks for the response.
I had a chat with the client and have more understanding of the request now. They already have an ADFS server configured along with O365 and certs. Another company that my client works with has developed a training website. My client now wants to create a trust relationship with that website via ADFS so the training website doesn't have to create logins.
I am confused at the below points:
1) am I ok to use the same certs we have on adfs server for O365?
2) I have been given this URL: https:abc.trainin.com, but in the configs I use this URL for points 6 and 7 above: https://abc.training.com/example (is it correct?).
3) Once the relay is configured, do I need to click on Edit, navigate to Endpoints and add any response URL?
Apologies for the long thread. Hoping someone can guide me to configure this correctly, please.
Thanks
Dan

Hi Dan
1. The certificate ADFS uses to sign SAML responses etc. may be used by multiple relying parties. However, if the relying party is signing authn requests or wishes the SAML assertion to be encrypted, typically it will have its own certificate distinct from other relying parties.
2. The relying party trust identifier is simply a unique name for your relying party (service provider). Typically it’s in the form of a URL but it doesn’t necessarily have to point to anything. The only thing you need to ensure is that the relying party trust identifier in ADFS matches exactly with the Name in your service provider’s saml.config.
3. Do you mean SAML relay state or are you still referring to the relying party configuration? I’m not sure exactly what you’re asking. The assertion consumer service URL, which is configured under the Endpoints tab of the relying party properties, must match with the endpoint where you call SAMLServiceProvider.ReceiveSSO.

[quote]
ComponentSpace - 2/9/2018
Hi Dan
1. The certificate ADFS uses to sign SAML responses etc may be used by multiple relying parties. However, if the relying party is signing authn requests or wishes the SAML assertion to be encrypted typically it will have its own certificate distinct from other relying parties.
2. The relying party trust identifier is simply a unique name for your relying party (service provider). Typically it's in the form of a URL but it doesn't necessarily have to point to anything. The only thing you need to ensure is that the relying party trust identifier in ADFS matches exactly with the Name in your service provider's saml.config.
3. Do you mean SAML relay state or are you still referring to the relying party configuration? I'm not sure exactly what you're asking. The assertion consumer service URL, which is configured under the Endpoints tab of the relying party properties, must match with the endpoint where you call SAMLServiceProvider.ReceiveSSO.
[/quote]

Many thanks for the response; it is really helpful and has started to make more sense too. Apologies for the late response, as I was off work for a few days.

I am waiting to hear back with some more feedback from the customer and will post more questions here. Many thanks again; it's really a great service/support you are providing to the community.

Really appreciated.
Dan


Thanks Dan. You’re most welcome.
Of course, if you have any more questions, please feel free to let us know. We’re happy to assist.

[quote]
ComponentSpace - 2/14/2018
Thanks Dan. You're most welcome.
Of course, if you have any more questions, please feel free to let us know. We're happy to assist.
[/quote]

Hi, hope all had a nice weekend.

I am back with the same issue. I have captured the configs I did; could you please have a look and see if I am missing anything. Also, they are asking for a sample assertion coming out of the ADFS server. I am not sure how to export those.

I have tried: https:///FederationMetadata/2007-06/FederationMetadata.xml {page cannot be displayed}

Also tried: https://thirdpartydomain.com/adfs/ls/tes [HTTP Error 404.0 not found]

Got stuck really; could someone please help?
Many Thanks
Dan

Hi Dan
I just want to double check what you’re trying to do.
You wish to configure a relying party in ADFS for the training web site.
Is that correct?
Does this involve our SAML product?
Do you have SAML metadata for the training web site?
If so, it would be easier to create the relying party from their metadata rather than manually.
If not, the steps you listed above and which are described in section 10.4 of our Developer Guide are correct.
It’s hard to confirm if the information you’ve used to create the relying party is correct.
One thing I see in #3 is the relying party SSO service URL is for an ADFS server.
Is the relying party using ADFS for their training web site?
If they are then I suggest you ask them to supply you with their SAML metadata.
You should also supply them with your SAML metadata from ADFS.
This is available at:
https:///FederationMetadata/2007-06/FederationMetadata.xml
Obviously replace with the server name or IP address of your ADFS server.
The SAML metadata includes all the available SAML attributes if that’s what the relying party is interested in.

[quote]
ComponentSpace - 2/19/2018
Hi Dan
I just want to double check what you're trying to do.
You wish to configure a relying party in ADFS for the training web site.
Is that correct?
Does this involve our SAML product?
Do you have SAML metadata for the training web site?
If so, it would be easier to create the relying party from their metadata rather than manually.
If not, the steps you listed above and which are described in section 10.4 of our Developer Guide are correct.
It's hard to confirm if the information you've used to create the relying party is correct.
One thing I see in #3 is the relying party SSO service URL is for an ADFS server.
Is the relying party using ADFS for their training web site?
If they are then I suggest you ask them to supply you with their SAML metadata.
You should also supply them with your SAML metadata from ADFS.
This is available at:
https:///FederationMetadata/2007-06/FederationMetadata.xml
Obviously replace with the server name or IP address of your ADFS server.
The SAML metadata includes all the available SAML attributes if that's what the relying party is interested in.

[/quote]

Hi,
Yes, I am trying to configure SSO for a training website, i.e. their URL is https:\\abc.com (this is also what you see in step 3). The configuration would be with our ADFS box using SAML assertions.
No, we are not using your SAML product.
I don't have their SAML metadata.
I will check whether the relying party uses ADFS too or not.

The data here https://localhost/FederationMetadata/2007-06/FederationMetadata.xml doesn't look right. They are asking me for a sample assertion and I am not sure how to capture it and give it to them.
I will get their metadata as suggested above.
Any idea how I can export my assertion, i.e. given name and email address, in the correct format?

Many Thanks again.

Dan


Hi Dan
The FederationMetadata.xml is a SAML metadata document. This includes the SAML configuration information required by a partner provider to support SSO. This is different from a SAML assertion.
I’m not sure there’s a way to export a SAML assertion. Our product includes logging which includes the SAML assertion.
You could use Fiddler or browser dev tools to capture the HTTP Post containing the SAML response and decode this to expose the SAML assertion XML. Alternatively, use something like the Firefox SAML tracer to decode the SAML assertion.
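Decoding a captured SAMLResponse to get at the assertion and its attributes, as an added example (not from the thread or from ComponentSpace's product); the input it works on is a constructed, unsigned sample response, and the issuer, audience and name values in it are placeholders:

```powershell
# Added example, not from the thread: decode a SAMLResponse form field captured
# from the POST to the training site (browser dev tools, Fiddler, SAML tracer)
# and show the assertion the partner asked for, with its attributes.
function ConvertFrom-SamlResponse {
    param([Parameter(Mandatory)][string]$FormValue)

    # The form value is URL-encoded base64 of the response XML: undo both layers.
    $b64 = [uri]::UnescapeDataString($FormValue)
    $xml = [xml][Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))

    $ns = New-Object Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
    $ns.AddNamespace("saml",  "urn:oasis:names:tc:SAML:2.0:assertion")
    $ns.AddNamespace("ds",    "http://www.w3.org/2000/09/xmldsig#")

    $a = $xml.SelectSingleNode("/samlp:Response/saml:Assertion", $ns)
    if (-not $a) {
        # AD FS encrypts the assertion when the relying party has an encryption
        # certificate; then only the partner's private key can open it.
        throw "No plaintext saml:Assertion in the response (encrypted or malformed)."
    }
    [pscustomobject]@{
        Issuer       = $a.SelectSingleNode("saml:Issuer", $ns).InnerText
        NameID       = $a.SelectSingleNode("saml:Subject/saml:NameID", $ns).InnerText
        Audience     = $a.SelectSingleNode(".//saml:Audience", $ns).InnerText
        # The partner must verify this signature with the exported signing cert.
        Signed       = [bool]$a.SelectSingleNode("ds:Signature", $ns)
        Attributes   = @($a.SelectNodes(".//saml:Attribute", $ns) | ForEach-Object {
            $vals = $_.SelectNodes("saml:AttributeValue", $ns).InnerText -join ", "
            "{0} = {1}" -f $_.GetAttribute("Name"), $vals })
        AssertionXml = $a.OuterXml   # the "sample assertion" to send to the partner
    }
}

# Constructed sample response (unsigned, so Signed is False); a capture from a
# real AD FS server carries a ds:Signature and the real issuer and identifiers.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2018-02-20T10:00:00Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-02-20T10:00:00Z">
  <saml:Issuer>http://adfs.example/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>dan@example</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://abc.training.example/servlet/samlsso</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Dan</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>dan@example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>
'@
$captured = [uri]::EscapeDataString([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml)))
ConvertFrom-SamlResponse $captured | Format-List
```

To use it on a real capture, pass the SAMLResponse form field value from the POST in place of $captured; the AssertionXml property is the sample assertion the partner asked for, and the Audience value must equal the relying party trust identifier for the partner to accept it.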