
FS-SSO-XXX-IG-201406--R001.92

Fairsail Implementer

Single Sign-On with Fairsail and Microsoft Active Directory Federation Services 2.0

Version 1.92

Single Sign-On with Fairsail and Microsoft Active Directory Federation Services 2.0 © Fairsail 2014 2

© Fairsail 2014. All rights reserved.

This document contains information proprietary to Fairsail and may not be reproduced, disclosed, or used in whole or in part without the written permission of Fairsail.

Software, including but not limited to the code, user interface, structure, sequence, and organization, and documentation are protected by national copyright laws and international treaty provisions. This document is subject to U.S. and other national export regulations.

Fairsail takes care to ensure that the information in this document is accurate, but Fairsail does not guarantee the accuracy of the information or that use of the information will ensure correct and faultless operation of the service to which it relates. Fairsail, its agents and employees, shall not be held liable to or through any user for any loss or damage whatsoever resulting from reliance on the information contained in this document.

Nothing in this document alters the legal obligations, responsibilities or relationship between you and Fairsail as set out in the contract existing between us.

This document may contain screenshots captured from a standard Fairsail system populated with fictional characters and using licensed personal images. Any resemblance to real people is coincidental and unintended.

All trademarks and service marks mentioned in this document belong to their corresponding owners.


Contents

Background

Prerequisites

Overview

Procedure

  Installation

  Configuration

    Fairsail Configuration

    AD FS 2.0 Configuration

SP-Initiated Login

Testing

Logging in to Fairsail Using Single Sign-On

  Setting Up Chrome for Single Sign-On

  Setting Up Firefox for Single Sign-On

  Setting Up Internet Explorer for Single Sign-On

References and more information

Troubleshooting

  Internet Information Services

  Active Directory Federation Services

  Service Provider Initiated Login

Appendix: Browser handling of SAML requests

  Step 1

  Step 2

  Step 3


Background

Authentication for multiple cloud based services is greatly simplified by using single sign-on (SSO) technologies. SSO enables users to log in at a single location and access a range of services without re-authenticating.

Since its release in 2005, the Security Assertion Markup Language (SAML) version 2.0 has established itself as the dominant standard for cross-domain web single sign-on in the enterprise space, with salesforce.com introducing support in the Winter '09 release (October 2008) and Microsoft in Active Directory Federation Services (AD FS) version 2.0 in May 2010.

You can now configure a seamless single sign-on from a Microsoft environment to Fairsail without a third-party federation product.


Prerequisites

You will need:

• Microsoft Windows Server 2008 R2 Enterprise or Datacenter edition, NOT Standard edition. If you are configuring this environment for an evaluation, you can download a 180 day trial version here: http://www.microsoft.com/en-us/download/details.aspx?id=11093.

• Microsoft Active Directory Federation Services (AD FS) 2.0. Windows Server 2008 R2 includes AD FS 1.0, which does not support SAML 2.0. If you have AD FS 1.0, download and install the AD FS 2.0 RTW (release to web) package (see References and more information). AD FS 2.0 is managed through a Microsoft Management Console (MMC) snap-in.

• Microsoft Update Rollup 3 for AD FS 2.0, available to download from Microsoft here:

http://support.microsoft.com/kb/2790338

Update Rollup 3 includes fixes for known issues and enables multiple SSO instances to use the same token signing certificate.

After installing the rollup make sure you download and execute the RelaxedRequestSigningCertsv2.sql script as documented in the Knowledge Base article.

• A Fairsail environment, commonly known as an org. For the purposes of evaluation you can sign up for a free Fairsail HCM or Fairsail Recruit trial here: http://support.fairsail.com/hcmtrial2.html

The procedures described in this guide are effective but take time to complete, test and validate. You must allow enough time before attempting to use Fairsail with single sign-on in a full production environment. We strongly recommend scheduling the project to complete the process as far as successful login at least four weeks before go-live. This allows enough time:

• To resolve support issues.

• For adequate testing.

• To synchronize data with Fairsail.


Overview

SAML 2.0 defines several roles for parties involved in single sign-on:

The user authenticates (logs in) to the identity provider (IdP); in our case, this is AD FS 2.0. The user can then access a resource at one or more service providers (SP, also known in AD FS as relying parties) without needing to log in at each service provider.

The process for an IdP-initiated login into Fairsail is simplified as:

1. The user authenticates to the AD FS server using Integrated Windows Authentication (Kerberos tokens over HTTP) and requests login to Fairsail.

2. AD FS returns a SAML assertion to the user's browser.

3. The browser automatically submits the assertion to Fairsail, which logs the user in.

For SP-initiated login, see SP-Initiated Login.


Procedure

A troubleshooting icon marks points in the procedure where additional information is available in the Troubleshooting section. Each icon is hyperlinked; use it to jump to the relevant entry (IIS001, ADFS001 and so on) in Troubleshooting.


Installation

1. Install Windows Server 2008 R2 Enterprise or Datacenter edition, NOT Standard edition.

If you are re-installing Windows Server 2008 R2, make sure that the environment is clean. Traces of previous AD FS installations, such as an existing adfs directory or configuration database, will stop successful re-installation (see ADFS002 in Troubleshooting).

If you are running an Active Directory forest with domain controllers running on earlier functional levels, to ensure compatibility leave the Windows Server 2008-based domain controller at its default level. The 2008 domain controller then runs at the lowest functional level that is possible in your environment. After the domain functional level is raised, domain controllers running earlier operating systems cannot operate in the domain.

2. Create a friendly DNS name for AD FS and point it to your adfs server. In this article, we'll use adfs.fairsaildev.com.

Typically, this is a CNAME for your AD FS server. Be aware that with a CNAME the browser may request a Kerberos ticket for the server's canonical host name rather than for the alias, so you may need to register an SPN for the alias by hand (see ADFS001 in Troubleshooting). If you want to use a different name, attach another IP address to the server and create a DNS A record to map the hostname to this IP address to avoid server authentication errors.

3. Download and install the AD FS 2.0 server role. This automatically installs other pre-requisite Windows components including IIS.

4. In the IIS manager create an SSL certificate for your friendly DNS name. Use an RSA key length of 2048 bits. Do not create the certificate as self-signed: request it from a Certificate Authority your client machines trust, so that browsers can validate the AD FS server without security exceptions.

5. On the client machine, install:

o The SSL certificate

o The Certificate Authority’s root certificate

6. Run through the AD FS Server configuration wizard:

a. Create a new Federation Service

b. Select Stand-alone Federation Server

c. Select the certificate that you created for your friendly DNS name

7. Add the friendly DNS name for the AD FS server to the client machine as a local intranet website through Control Panel > Internet Options > Security. Use the form https://adfs.fairsaildev.com.


Configuration To build a federation between two parties you must establish a trust relationship by exchanging metadata. Manually enter the metadata for the AD FS 2.0 instance into the Fairsail configuration. Fairsail metadata is downloaded as an XML file which AD FS 2.0 can consume.

Fairsail Configuration

You must configure:

• My Domain (see Configure My Domain).

• SAML 2.0 setup (see Configure SAML 2.0).

You can also configure your login page to select an authentication service as an identity provider (see Configure Login Page).

Configure My Domain

The Fairsail My Domain (https://login.salesforce.com/help/doc/en/domain_name_overview.htm) feature enables you to select a custom domain name for your application. A My Domain URL looks like https://customer.my.salesforce.com/ for a production org, or https://customer-developer-edition.my.salesforce.com/ for a Developer Edition. You cannot configure My Domain for a Fairsail trial org; to test, you must use a live production org or a Force.com development org.

A benefit of configuring My Domain is that it enables support for SP-initiated single sign-on, improving the user experience, and allowing users to access 'deep links' into their environment via SSO.

Configure My Domain in Setup > Company Profile > My Domain. You will need to complete the process of configuring, testing and deploying My Domain (https://login.salesforce.com/help/doc/en/domain_name_setup.htm) for SP-initiated SSO to work correctly.


Configure SAML 2.0

1. In the AD FS 2.0 MMC snap-in, select the certificates node and double click the token-signing certificate to view it:

2. Click the Details tab

3. Click Copy to File

4. Save the certificate in DER format.

5. On the AD FS server find and record your Federation Metadata URL:

a. Open the AD FS MMC

b. Select Service > Endpoints > Metadata > Type:Federation Metadata:

6. Open the Federation Metadata file: In a browser address bar enter <Server URL><Federation Metadata URL>


7. In the Federation Metadata file find the EntityDescriptor element and record the value of its entityID attribute. For AD FS 2.0 this is normally of the form http://<federation service name>/adfs/services/trust; the http scheme is part of the identifier and is not a URL that is connected to.

8. In Fairsail, go to Setup > Administration Setup > Security Controls > Single Sign-On Settings

9. Click Edit

Fairsail displays the Single Sign-On Settings page.

10. Check SAML Enabled:

11. Click Save.

Fairsail displays the Single Sign-On Settings page with the SAML Single Sign-On Settings related list.

12. Click New:


Fairsail displays the SAML Single Sign-On Setting Edit page:

13. Complete the fields as follows:

Name A name for this service. For example Fairsail SSO

API Name Automatically created by Fairsail based on Name.

SAML Version 2.0. Not editable.

User Provisioning Enabled Not checked.

Issuer Enter the attribute labeled entityID displayed in your Federation Metadata. Issuer is case sensitive.

Entity ID The base URL of your Fairsail org: the first part of the URL up to and including the domain suffix (for example …cloudforce.com). After configuring My Domain, log in to Fairsail and capture the Entity ID from the browser address bar. Confusingly, this is not the attribute labeled entityID displayed in your Federation Metadata; that value belongs in the Issuer field.


Identity Provider Certificate

Browse and select the token-signing certificate you exported earlier

Signing Certificate Default Certificate.

Assertion Decryption Certificate

Assertion not encrypted.

SAML Identity Type Assertion contains the Federation ID from the User object.

SAML Identity Location Identity is in the NameIdentifier element of the Subject statement

Identity Provider Login URL

The URL of your AD FS SAML endpoint, to which Fairsail sends SAML requests for SP-initiated login. You can find the URL in the AD FS MMC at Endpoints > Token Issuance > Type:SAML 2.0/WS-Federation. In the example: https://adfs.fairsaildev.com/adfs/ls/ Note that the Identity Provider Login URL field is case sensitive.

Identity Provider Logout URL

Enter a URL to which the user will be sent after they log out. For example: http://intranet.mycompany.com/

Custom Error URL Leave blank.

14. Click Save to save the settings and download the metadata xml file.
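The values that steps 1 to 7 and 13 collect by hand (Issuer, Identity Provider Certificate and Identity Provider Login URL) are all present in the federation metadata, so a script can extract and sanity-check them. The following is an added example, not Fairsail or Microsoft code. It parses a constructed, trimmed sample of AD FS 2.0 metadata (the real document is published by AD FS 2.0 at https://<adfs host>/FederationMetadata/2007-06/FederationMetadata.xml and should be fetched over HTTPS from your own server), writes the token-signing certificate in the DER format the Fairsail form expects, and rejects metadata that describes an SP rather than an IdP, publishes no signing key, or advertises a non-HTTPS endpoint. The certificate bodies in the sample are placeholders, not real certificates, and the script does not verify the metadata document's own XML signature.

```python
"""Extract the Fairsail SAML settings (Issuer, token-signing certificate,
Identity Provider Login URL) from AD FS 2.0 federation metadata.

Added example, not Fairsail or Microsoft code. SAMPLE_METADATA is a
constructed, trimmed stand-in for FederationMetadata.xml; the X509Certificate
bodies are placeholders (valid base64, not real certificates).
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_constructed-0001" entityID="http://adfs.fairsaildev.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBAAECAwQF</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBBQYHCAkK</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.fairsaildev.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.fairsaildev.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.fairsaildev.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return issuer, DER signing certificate(s) and SSO endpoint, or raise."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not SAML 2.0 metadata (root element %s)" % root.tag)
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata describes an SP, not an IdP")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' may be used for signing as well as encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
                raise ValueError("X509Certificate content is not DER")
            certs.append(der)
    if not certs:
        raise ValueError("no token-signing certificate published")

    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    login_url = endpoints.get(HTTP_POST) or endpoints.get(HTTP_REDIRECT)
    if not login_url:
        raise ValueError("no SAML 2.0 SingleSignOnService endpoint")
    if urlsplit(login_url).scheme != "https":
        raise ValueError("SSO endpoint is not https: %s" % login_url)
    return {"issuer": issuer, "signing_certs_der": certs, "login_url": login_url}


def write_der(der_bytes, path):
    """Write one certificate as a .cer file in DER format (what the form wants)."""
    with open(path, "wb") as f:
        f.write(der_bytes)


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Issuer (case sensitive):        ", info["issuer"])
    print("Identity Provider Login URL:    ", info["login_url"])
    # More than one signing certificate appears while AD FS is rolling its
    # token-signing certificate over; the form takes the one marked Primary in the MMC.
    for i, der in enumerate(info["signing_certs_der"]):
        write_der(der, "adfs-token-signing-%d.cer" % i)
```

Copy the printed Issuer into the Issuer field exactly as printed, since the field is case sensitive, and compare the login URL with the Token Issuance endpoint shown in the MMC before pasting it into Identity Provider Login URL.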


Configure Login Page

When you have configured My Domain and SAML 2.0 you can configure your login page to select an authentication service as an identity provider.

1. Go to Setup > Domain Management > My Domain.

2. Under Login Page Branding, click Edit

Fairsail displays the Login Page Branding page. This page lists the authentication services available to you for selection:

3. Under Authentication Service select the name of the service you have just configured.

4. Make any other changes you want to the branding.

5. Click Save.


AD FS 2.0 Configuration

1. Open the AD FS 2.0 MMC snap in and Add a Trusted Relying Party:

a. Select Data Source: Import data about a relying party from a file. Browse to the XML you downloaded from Fairsail

b. Display Name: Give the trust a display name, for example Fairsail Test

c. Select Issuance Authorization Rules: Permit all users to access this relying party. This lets every authenticated AD user obtain a token for Fairsail; whether they can then log in depends on Fairsail matching the NameID to a user's Federation ID. For production, consider a rule that permits only the group of users who should have Fairsail access.

d. Click Next to accept the defaults

e. Open Edit Claim Rules Dialog: Checked

2. In the claim rules editor click the Issuance Transform Rules tab

3. Add a new rule:

Claim Rule Template Send LDAP Attributes as Claims.


Claim Rule Name Enter: Send UPN as NameID. For testing, use the User Principal Name (UPN) as the NameID. In production, use an attribute whose value is unlikely to change over time, such as the user's email address or employee ID; any change in the value breaks SSO for that user. The attribute must also be unique per user and never reassigned to another person, because Fairsail matches the NameID against the user's Federation ID and a recycled value would log the new holder in as the old user. If you change the rule here you must pass through the new value by specifying it in the AD FS MMC at: Trust Relationships > Claims Provider Trusts > Acceptance Transform Rules

LDAP Attribute User Principal Name

Outgoing Claim Type Name ID

4. Click Finish.


SP-Initiated Login

IdP-initiated login typically works by setting up a link on the company intranet that users click to get access to Fairsail. SP-initiated login happens when a user clicks a direct link to Fairsail.

If you configured a My Domain entity ID in the Force.com SAML settings, for example, https://testinfo-developer-edition.my.salesforce.com, users can go to URLs in that domain and be automatically redirected to AD FS for authentication.

For SP-initiated login to work, you must set the AD FS Secure hash algorithm for the Fairsail relying party trust to SHA-1, because Fairsail signs SAML requests with SHA-1 while AD FS defaults to SHA-256; a mismatch is logged by AD FS as event 378 (see SPIL001 in Troubleshooting). SHA-1 signatures are deprecated, so treat this as a constraint imposed by the service provider and confirm with Fairsail support that it still applies before lowering the setting:

• Go to AD FS trust properties for the Fairsail relying party under Advanced:


Testing

To test your configuration, set the Federation ID of a Fairsail user to the UPN of your own AD account and attempt to log in:

• For SP-initiated login, assuming you configured a My Domain entity ID (see Configure My Domain), you can go straight to it, for example https://testinfo-developer-edition.my.salesforce.com.

• For IdP-initiated login, you must use the AD FS login URL and specify the loginToRp parameter as the Fairsail SAML entity ID, for example: https://adfs.fairsaildev.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://saml.fairsail.com

In either case, the browser should follow a chain of redirects, ultimately logging you in to Fairsail.

• If you get a Fairsail login error use the SAML assertion validator tool on the Fairsail single sign-on configuration page. It displays the results of the last failed SAML login.

• If you get an error from AD FS, check the AD FS logs in Server Manager\Diagnostics\Applications and Services Logs\AD FS 2.0\Admin.

If you configured a My Domain entity ID, SP-initiated login will work for deep-links. Bookmark a link from deep inside Fairsail then log out. Reload your browser and select the bookmark. You should be seamlessly redirected to your IdP, authenticated, and then redirected back to the bookmarked link.


Logging in to Fairsail Using Single Sign-On

When Fairsail has been implemented using single sign-on technology, use the web address for your Fairsail site and your company provided single sign-on credentials to get access to the Fairsail system.

Add the Fairsail start page to your browser Favorites or Bookmarks to get there quickly and easily.

To avoid having to log in separately to Fairsail every time, you can set up your browser to take full advantage of single sign-on. Instructions differ depending on the browser you are using.


Setting Up Chrome for Single Sign-On

1. Open Google Chrome.

2. Click Customize… and select Settings from the drop down:

Chrome displays the Settings tab.

3. At the bottom of the window, click Show advanced settings… :

4. In the Network section, click Change proxy settings…

Chrome displays the Internet Properties dialog.


5. Click the Security tab and click Local intranet:

6. Click Sites:

Chrome displays the Local intranet dialog:


7. Click Advanced.

Chrome displays the Local intranet Advanced dialog.

8. Enter the server url in the Add… field using the form https://Win2k8Dev.FairsailDev.com and click Add:

Chrome adds the sites to the list of Websites in the dialog:

9. Click Close to close the Local intranet Advanced dialog.

10. Click OK to close the Local intranet dialog and return to the Internet Options dialog.

11. In the Internet Options dialog click Trusted sites and click Sites:

Chrome displays the Trusted sites dialog.


12. Enter https://testsso99-developer-edition.my.salesforce.com in the Add… field and click Add:

Chrome adds the site to the list of Websites in the dialog:

13. Click Close to close the Trusted sites dialog and return to the Internet Options dialog.


14. In the Internet Options dialog with Trusted sites still selected, click Custom level…:

Chrome displays the Security Settings – Trusted Sites Zone dialog.

15. Scroll through the list of Settings and click the radio button Automatic logon with current user name and password. This setting applies to every site in the Trusted sites zone and makes the browser send the user's Windows credentials to any of them without prompting, so add only the hosts named in these steps to that zone:

16. Click OK to close the Security Settings – Trusted Sites Zone dialog.

17. Click OK to close the Internet Options dialog.

You can now log in to SSO using the link: https://testsso99-developer-edition.my.salesforce.com


Setting Up Firefox for Single Sign-On

1. Open Firefox.

2. In the Address bar enter:

about:config

…and press Enter.

Firefox displays a warning message:

3. Click I’ll be careful, I promise!

Firefox displays the list of configuration preferences for your browser.

4. In the Search box enter:

network.negotiate

…to focus the list of preference names.

5. Double click on the preference name:

network.negotiate-auth.trusted-uris

Firefox opens an Enter string value dialog.

6. In the Enter string value dialog enter:

https://Win2k8Dev.FairsailDev.com

7. Click OK

Firefox adds the address as a value:


8. Close the about:config browser window.

You can now log in to SSO using the link: https://testsso99-developer-edition.my.salesforce.com

The first time you log in to SSO after setting up your browser, Firefox may display a certificate warning. This means Firefox does not trust the certificate chain presented by the AD FS server: Firefox keeps its own certificate store rather than using the Windows one, so the Certificate Authority's root certificate installed in Installation step 5 is not visible to it. The correct fix is to import that root certificate into Firefox. Storing an exception instead switches off certificate validation for that host, which is the very protection the SSO endpoint relies on; if you must do so to unblock testing:

1. Click I Understand the Risks.

2. Click Add Exception…

Firefox displays a confirmation dialog:

3. Check Permanently store this exception.

4. Click Confirm Security Exception.


Setting Up Internet Explorer for Single Sign-On

1. Open Internet Explorer.

2. Go to Tools and select Internet Options:

Internet Explorer displays the Internet Options dialog.

3. Click the Security tab and click Local intranet:


4. Click Sites:

Internet Explorer displays the Local intranet dialog:

5. Click Advanced.

Internet Explorer displays the Local intranet Advanced dialog.

6. Enter the server url in the Add… field using the form https://Win2k8Dev.FairsailDev.com and click Add:


Internet Explorer adds the sites to the list of Websites in the dialog:

7. Click Close to close the Local intranet Advanced dialog.

8. Click OK to close the Local intranet dialog and return to the Internet Options dialog.

9. In the Internet Options dialog click Trusted sites and click Sites:

Internet Explorer displays the Trusted sites dialog.

10. Enter https://testsso99-developer-edition.my.salesforce.com in the Add… field and click Add:

Internet Explorer adds the site to the list of Websites in the dialog:


11. Click Close to close the Trusted sites dialog and return to the Internet Options dialog.

12. In the Internet Options dialog with Trusted sites still selected, click Custom level…:

Internet Explorer displays the Security Settings – Trusted Sites Zone dialog.

13. Scroll through the list of Settings and click the radio button Automatic logon with current user name and password:

14. Click OK to close the Security Settings – Trusted Sites Zone dialog.

15. Click OK to close the Internet Options dialog.

You can now log in to SSO using the link: https://testsso99-developer-edition.my.salesforce.com


References and more information

This document draws on the following source material:

• The developerforce wiki article:

http://wiki.developerforce.com/page/single_sign-on_with_force.com_and_microsoft_active_directory_federation_services

• Rhys Goodwin’s Weblog:

http://blog.rhysgoodwin.com/cloud/salesforce-sso-with-adfs-2-0-everything-you-need-to-know/

For more information on:

• AD FS 2.0 diagnostics see the MSDN Claims-Based Identity Blog http://blogs.msdn.com/b/card/archive/2010/01/21/diagnostics-in-ad-fs-2-0.aspx

• AD FS 2.0 RTW (release to web) download:

http://www.microsoft.com/en-us/download/details.aspx?id=10909

• Kerberos SPNs see Active Directory and Kerberos SPNs Made Easy http://blog.rhysgoodwin.com/windows-admin/active-directory-and-kerberos-spns-made-easy/

• Microsoft Windows Server 2008 R2:

http://www.microsoft.com/en-gb/server-cloud/windows-server/2008-r2-overview.aspx


Troubleshooting

This section provides solutions for issues that you may experience during the setup process described in this guide.

This icon is used throughout this guide to indicate points where additional information is available in this section. Each icon is hyperlinked; use it to jump to the relevant point in this section.

Click this icon at the end of each section to return to the main guide.


Internet Information Services

IIS001 What happens

When trying to start a web site in the IIS MMC snap-in you get the error message:

The process cannot access the file because it is being used by another process

Why

• There may be a conflict with another process already listening on port 80 or port 443, the ports IIS uses by default for HTTP (port 80) and HTTPS (port 443).

• The ListenOnlyList registry subkey is not configured correctly on the computer running IIS.

What to do

This issue is covered in a Microsoft knowledge base article: http://support.microsoft.com/kb/890015

1. Use Netstat.exe (netstat -ano lists each listener together with the owning process ID) to see if another process is using port 80 or port 443.

2. If there is no port conflict, examine the ListenOnlyList registry subkey and make any changes required as described in the knowledge base article.


Active Directory Federation Services

ADFS001 What happens

When the installer tries to register a service principal name (SPN) you get an error message.

Why

Integrated Windows Authentication between the browser and the AD FS IIS instance is unable to work correctly with the automatically created SPN.

What to do

Manually create a Kerberos SPN for the DNS name. Use Command Prompt to enter:

setspn -a HOST/adfs.fairsaildev.com testzone\ADFSSVR01
setspn -a HOST/adfs testzone\ADFSSVR01

Before adding them, check that neither SPN is already registered to another account (setspn -Q HOST/adfs.fairsaildev.com); a duplicate SPN causes Kerberos authentication to fail.

ADFS002 What happens

During AD FS configuration you get this message:

Why

An adfs directory already exists, probably from a previous installation. The adfs directory hosts the AD FS configuration database, which must also be deleted.

What to do

Exit the AD FS configuration wizard and delete the adfs directory, then restart the Federation Server Configuration Wizard. The wizard detects the existing configuration database and offers you the option of deleting it:


Check Delete database and click Next to resume the Configuration Wizard.

ADFS003 What happens

The event log displays errors relating to Certificate Revocation List (CRL) checks failing when the AD FS server cannot connect to the internet.

Why

Revocation checking requires the AD FS server to reach the certificate issuer's CRL distribution points over the internet, and to download any intermediate certificates it needs to build the full chain for the signing certificate.

What to do

Turn off CRL checking for the Fairsail relying party trust by opening PowerShell as Administrator and running:

Add-PSSnapin Microsoft.Adfs.PowerShell
Set-ADFSRelyingPartyTrust -TargetName "YourRelyingPartyDisplayName" -SigningCertificateRevocationCheck None

With revocation checking off, AD FS continues to accept SAML requests signed with a certificate the service provider has since revoked. Prefer giving the server outbound access to the CRL distribution points; if you must disable the check, keep it scoped to this one trust (as above) and record the exception.


Service Provider Initiated Login

SPIL001 What happens

The AD FS event log displays the message:

Event ID: 378
SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1

Why

The secure hash algorithm is not set to SHA-1

What to do

Open the Properties dialog of the Fairsail relying party trust in the AD FS MMC (the trust is named SalesForce Sandbox in the example) and, on the Advanced tab, set the secure hash algorithm to SHA-1 (see SP-Initiated Login).


Appendix: Browser handling of SAML requests

SP-Initiated login has the most steps and demonstrates SAML and federation at its best. The HTTP protocol messages show you exactly what is happening at each step. You can use a tool such as ieHTTPheaders or Fiddler2 to capture these messages for yourself. Note that Fiddler2 works as a local proxy that terminates the TLS connection, which is exactly what Extended Protection for Authentication (channel binding) is designed to detect, so it interferes with Integrated Windows Authentication to IIS: you will need to turn off extended protection on the /adfs/ls/ virtual directory if you want to try this, otherwise your browser will not authenticate with AD FS and you will see event 4625 with error 0xc000035b in the Windows security log on the AD FS server. Turn extended protection back on when you have finished.

In the interests of clarity, some extraneous HTTP headers are omitted and long strings of base 64 encoded data and sensitive identifiers are replaced by ellipses.


Step 1

The user clicks a deep link to a Force.com page; in our example, it's https://customer-developer-edition.my.salesforce.com/home/home.jsp. The browser requests the page and Force.com renders a page containing JavaScript to redirect the browser to the Force.com SAML request generator.

The SAML request generator creates a SAML request for the IdP by sending an HTML form with hidden fields back to the browser.


It then uses JavaScript to automatically submit the form to the IdP SAML endpoint. Note the text in the <noscript> element instructing the user to click the 'Continue' button to proceed.

You can decode the SAMLRequest using a tool such as the SAML 2.0 Debugger: https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php
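The SAML 2.0 Debugger performs the decoding step; the following added example (not Fairsail, Salesforce or Microsoft code) does the same offline for both SAML bindings and then applies the signature-algorithm comparison behind AD FS event 378 (SPIL001 in Troubleshooting). The AuthnRequest is constructed, with placeholder ID, digest and signature values and the guide's example host names, so the code inspects which algorithm the request claims to be signed with but cannot verify the signature itself.

```python
"""Decode a SAMLRequest (HTTP-POST or HTTP-Redirect binding) and compare its
signature algorithm with the one the AD FS relying-party trust expects.

Added example, not Fairsail, Salesforce or Microsoft code. The AuthnRequest is
constructed; ID, DigestValue and SignatureValue are placeholders, so the
signature is not (and cannot be) verified here.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-req-0001" Version="2.0" IssueInstant="2014-06-02T09:15:00Z"
    Destination="https://adfs.fairsaildev.com/adfs/ls/"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://customer-developer-edition.my.salesforce.com/">
  <saml:Issuer>https://customer-developer-edition.my.salesforce.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed-req-0001">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""


def encode_post(xml_text):
    """HTTP-POST binding: the hidden SAMLRequest form field is plain base64 of the XML."""
    return base64.b64encode(xml_text.encode()).decode()


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64 (then URL-encoding)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()


def decode_saml_request(value, binding):
    """Reverse the binding's encoding and return the AuthnRequest XML text."""
    raw = base64.b64decode(value)
    if binding == "HTTP-Redirect":
        raw = zlib.decompress(raw, -15)
    elif binding != "HTTP-POST":
        raise ValueError("unknown binding %r" % binding)
    return raw.decode()


def inspect_authn_request(xml_text, sig_alg_param=None):
    """Pull out the fields worth checking in a captured request."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest: %s" % root.tag)
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "destination": root.get("Destination"),
        "issuer": (root.findtext("saml:Issuer", "", NS) or "").strip(),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        # POST binding: the algorithm is inside the XML. Redirect binding: the XML
        # carries no ds:Signature and the algorithm arrives in the separate SigAlg
        # query parameter, passed in here as sig_alg_param.
        "signature_algorithm": sig.get("Algorithm") if sig is not None else sig_alg_param,
    }


def check_signature_algorithm(info, expected):
    """The comparison AD FS logs as event 378 when it fails: the request's
    algorithm must equal the trust's 'Secure hash algorithm' setting."""
    found = info["signature_algorithm"]
    if found is None:
        return False, "SAML request is not signed"
    if found != expected:
        return False, "SAML request is signed with %s; expected %s" % (found, expected)
    return True, "signature algorithm matches"


if __name__ == "__main__":
    info = inspect_authn_request(decode_saml_request(encode_post(SAMPLE_AUTHN_REQUEST), "HTTP-POST"))
    print(info["issuer"], "->", info["destination"])
    print(check_signature_algorithm(info, RSA_SHA1)[1])
```

When you paste a captured SAMLRequest field into this, use the HTTP-POST path for the hidden form field shown in Step 1; a SAMLRequest taken from a query string is HTTP-Redirect and must be URL-decoded first.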


Step 2

The browser submits the HTML form containing the SAML request to the AD FS SAML endpoint:

Since we are using Integrated Windows Authentication, AD FS redirects the browser to the /auth/integrated/ directory:

Finally, the user is authenticated using Integrated Windows Authentication, comprising several HTTP request/response exchanges, and AD FS serves up a SAML response.


Again, the SAML message is returned to the browser in an HTML form which is then submitted to the Force.com SAML endpoint using JavaScript.


Decoding the SAML response (note the UPN in the NameID element):


Step 3

The browser submits the HTML form which contains the SAML response to the Force.com SAML endpoint, which verifies the SAML assertion, logs the user in and redirects the browser to the originally requested URL.
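What "verifies the SAML assertion" involves, and how the NameID from the Step 2 response ends up matched to a Fairsail user's Federation ID (see the Send UPN as NameID claim rule under AD FS 2.0 Configuration and the Testing section), as an added example that is not Fairsail or Salesforce code. The Response, timestamps and user table are constructed; the issuer, entity ID and host names reuse the guide's examples. XML signature verification against the token-signing certificate is omitted because it needs an XML-DSig library; without it, the checks below cannot on their own reject a forged Response. They are the kind of structural checks a SAML assertion validator reports on when a login fails: status, Issuer, Destination and Recipient, validity window, Audience and NameID.

```python
"""Service-provider-side acceptance checks on a SAML 2.0 Response, then the
exact-match lookup of NameID against Federation ID.

Added example, not Fairsail or Salesforce code. Signature verification is
deliberately omitted (needs an XML-DSig library). SAMPLE_RESPONSE and USERS
are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(minutes=3)  # tolerated IdP/SP clock difference (assumption)

# Values held on the Fairsail SAML settings page (see Configure SAML 2.0).
IDP_ISSUER = "http://adfs.fairsaildev.com/adfs/services/trust"
SP_ENTITY_ID = "https://customer-developer-edition.my.salesforce.com"
ACS_URL = "https://customer-developer-edition.my.salesforce.com/"
# Constructed user table: Federation ID -> Fairsail username.
USERS = {"jsmith@testzone.fairsaildev.com": "jsmith@customer.example"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-resp-0001" Version="2.0" IssueInstant="2014-06-02T09:15:02.317Z"
    Destination="https://customer-developer-edition.my.salesforce.com/">
  <saml:Issuer>http://adfs.fairsaildev.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-assert-0001" Version="2.0" IssueInstant="2014-06-02T09:15:02.317Z">
    <saml:Issuer>http://adfs.fairsaildev.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jsmith@testzone.fairsaildev.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2014-06-02T09:20:02Z"
            Recipient="https://customer-developer-edition.my.salesforce.com/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-06-02T09:15:02Z" NotOnOrAfter="2014-06-02T10:15:02Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://customer-developer-edition.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-06-02T09:15:01Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_utc(value):
    """SAML timestamps are UTC ISO 8601; AD FS adds fractional seconds."""
    if isinstance(value, datetime):
        return value
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, idp_issuer, sp_entity_id, acs_url, now):
    """Return {'errors': [...], 'name_id': ...}; an empty error list means accept."""
    now, errors = parse_utc(now), []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("Status is not Success")
    if root.get("Destination") not in (None, acs_url):
        errors.append("Response Destination %r is not this ACS" % root.get("Destination"))
    if (root.findtext("saml:Issuer", "", NS) or "").strip() != idp_issuer:
        errors.append("Response Issuer does not match configured Issuer (case sensitive)")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        errors.append("assertion is encrypted but no decryption certificate is configured")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguity rather than pick one
        errors.append("expected exactly one Assertion, found %d" % len(assertions))
        return {"errors": errors, "name_id": None}
    a = assertions[0]
    if (a.findtext("saml:Issuer", "", NS) or "").strip() != idp_issuer:
        errors.append("Assertion Issuer does not match configured Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Assertion has no Conditions")
    else:
        if cond.get("NotBefore") and parse_utc(cond.get("NotBefore")) > now + CLOCK_SKEW:
            errors.append("Conditions NotBefore is in the future")
        if cond.get("NotOnOrAfter") and parse_utc(cond.get("NotOnOrAfter")) + CLOCK_SKEW <= now:
            errors.append("Conditions NotOnOrAfter has passed (assertion expired)")
        audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            errors.append("Audience %r does not include this Entity ID" % audiences)
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        errors.append("SubjectConfirmation is not bearer")
    else:
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is not None:
            if scd.get("Recipient") not in (None, acs_url):
                errors.append("SubjectConfirmationData Recipient is not this ACS")
            if scd.get("NotOnOrAfter") and parse_utc(scd.get("NotOnOrAfter")) + CLOCK_SKEW <= now:
                errors.append("SubjectConfirmationData NotOnOrAfter has passed")
    name_id = a.findtext("saml:Subject/saml:NameID", None, NS)
    if not name_id:
        errors.append("no NameID in Subject: check the 'Send UPN as NameID' claim rule")
    return {"errors": errors, "name_id": name_id.strip() if name_id else None}


def lookup_user(name_id, users):
    """Exact, case-sensitive match of NameID against Federation ID; None if no user."""
    return users.get(name_id)
```

A failing check here corresponds to a failed login that the validator on the Fairsail single sign-on page will describe; a NameID that passes every check but matches no Federation ID is the usual cause of a login error after a correctly configured trust, and points back at the claim rule or the user's Federation ID value.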
