ADFS (not v2) and FederationMetadata.XML

  • Question

  • Guys,

    I installed an ADFS role on 2k8 (not R2) and then I configured a relying party, but when I try to add an STS ref from my Web App to this ADFS instance, I don't get FederationMetadata.XML. I could get this by installing Geneva server (v2) but not with the plain default ADFS role. Is there anything I could have forgotten to configure?

    And, about self-signed certificate usage: let's say my web app is using a self-signed certificate and my Geneva server and web app server computer are not in the same domain, will this certificate be rejected by the Geneva server? I am getting an "invalid certificate" kind of error in the stack trace from the Geneva server's error.aspx page.

    Also, is it absolutely necessary to have the certificate named the same as the web app? And is it absolutely required to have the web application running on the same URL that I configured in the relying party? If yes, how can I handle my ASP.NET dev server changes to the port?

    Please suggest.

    thanks,
    Ram
    Krishnaa
    Friday, December 4, 2009 9:20 AM

All replies

  • In my opinion only ADFS v2 generates a FederationMetadata.xml. Whenever I read something about the FederationMetadata.xml file, it is only in conjunction with ADFS v2.
    Friday, December 4, 2009 9:55 AM
  • Ohhh... I did not know that.

    So, how do I use the ADFS role to authenticate users from my web app? I mean, if there is nothing about adding an STS ref, then do I have to edit the whole config manually?

    How do the ADFS role and the Web App get to trust each other?
    Friday, December 4, 2009 9:59 AM
  • So how can I use the plain old ADFS role from my web App to play the IP role??? How can my app be connected to it?
    Wednesday, December 9, 2009 2:22 PM
  • The federation metadata conforms to the WS-Federation specification and was added to WIF/ADFSv2 to simplify exactly this problem. ADFSv1 does not support it, but the WS-Trust protocols involved haven't changed, just the tools for configuring them. It's typically just a matter of sharing certificates and audience URIs.

    I would suggest you set up a relationship between your WIF RP and ADFSv2, then examine the metadata provided by each. You can do a difference to examine the web.config changes FedUtil makes on the RP. On ADFSv1 you'll have to look at the data provided by the RP metadata and set the STS up manually to conform.
    Saturday, December 12, 2009 7:07 PM
    Moderator
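    Peter's advice amounts to reading the values out of the metadata that the ADFSv2/WIF side does publish (signing certificate, passive endpoint, audience URIs) and keying them into ADFSv1 by hand. As an added example that is not part of this thread and not Microsoft's tooling, the following Python parser pulls exactly those values from a WS-Federation FederationMetadata.xml. The two metadata documents it parses are constructed samples (the hostnames sts.example.test and app.example.test and the "certificate" body are made up; the base64 payload is just the bytes "abc" so that the SHA-1 thumbprint is predictable), and the `manual_settings` pairing it returns is this example's own summary, not a configuration format any product consumes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by WS-Federation / SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed STS metadata (what an ADFSv2 / Geneva server publishes). The
# X509Certificate body is the base64 of b"abc", not a real certificate.
SAMPLE_STS_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://sts.example.test/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://sts.example.test/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

# Constructed relying-party metadata (what a WIF-enabled ASP.NET app publishes).
SAMPLE_RP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://app.example.test/">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TargetScopes>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://app.example.test/</Address>
      </EndpointReference>
    </fed:TargetScopes>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://app.example.test/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""


def thumbprint(b64_cert):
    """SHA-1 over the DER bytes, upper-case hex: the form WIF's trustedIssuers uses."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha1(der).hexdigest().upper()


def parse_federation_metadata(xml_text):
    """Extract the values you would otherwise copy by hand from a metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML/WS-Federation EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "roles": [],
            "signing_thumbprints": [], "passive_endpoints": [], "audience_uris": []}
    for role in root.findall("md:RoleDescriptor", NS):
        # xsi:type tells an STS role (SecurityTokenServiceType) from an RP role (ApplicationServiceType).
        info["roles"].append(role.get("{%s}type" % NS["xsi"], "").split(":")[-1])
        for kd in role.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                info["signing_thumbprints"].append(thumbprint(cert.text))
        for addr in role.findall("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS):
            info["passive_endpoints"].append(addr.text.strip())
        for addr in role.findall("fed:TargetScopes/wsa:EndpointReference/wsa:Address", NS):
            info["audience_uris"].append(addr.text.strip())
    # Anything not on https is a sign the certificate/URL errors from the thread are coming.
    info["insecure_endpoints"] = [u for u in info["passive_endpoints"] + info["audience_uris"]
                                  if not u.lower().startswith("https://")]
    return info


def manual_settings(sts, rp):
    """Pair the two sides: what the RP's web.config needs from the STS, and vice versa."""
    return {
        "rp_web_config": {"issuer": sts["passive_endpoints"][0],
                          "realm": rp["audience_uris"][0],
                          "trusted_issuer_thumbprint": sts["signing_thumbprints"][0]},
        "sts_relying_party": {"audience_uris": rp["audience_uris"],
                              "return_url": rp["passive_endpoints"][0]},
    }


if __name__ == "__main__":
    sts = parse_federation_metadata(SAMPLE_STS_METADATA)
    rp = parse_federation_metadata(SAMPLE_RP_METADATA)
    print(manual_settings(sts, rp))
```

    Fetch real metadata only over TLS from the host you expect, and compare the thumbprint the parser prints with the one shown on the certificate in the STS's own console before trusting it; a wrong trusted-issuer thumbprint is the usual cause of "invalid certificate"-style failures like the one described above.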
  • Thanks Peter,

    So, in the old days, how could an ASP.NET programmer use the ADFS server? My question is, what was the standard way to make my ASP.NET app known to ADFS and vice versa? With ADFS 2 my STS wizard takes care of a lot of things; how was it with ADFS 1?
    Monday, December 14, 2009 6:45 AM