Announcement Announcement Module
No announcement yet.
SAML and ADFS? Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • SAML and ADFS?

    I'm currently involved in a project to implement Single Sign On with ADFS. We've run into some problems and unfortunately it seems like there's extremely little documentation on this particular topic.

    Our application uses spring-security and so we configured the saml extension, set up filters, built a keystore, etc. We have it at the stage where it successfully redirects the client to ADFS. Unfortunately, clientlogon.aspx returns an error saying that the action is none where it should be collectinitialcredentials or collectadditionalcredentials.

    Does anyone know of any solutions to this issue, example applications that integrate with ADFS using the saml extension or tutorials/other forms of documentation?


  • #2
    I am involved in a similar project. How did you get that far? The SAML extension links to a page with no content on the site...


    • #3
      Most of it was walking through the source of the spring saml library. There's no good documentation on how to set this up. In fact, we ended up giving up on saml and just implemented ntlm + ldap. I spent several 20+ hour days on this.

      I'm kind of disappointed that it's taken 2 months to get any sort of reply on this issue too, especially with the ubiquity of spring in the java world. I had assumed that this kind of deployment and integration with active directory domains was fairly common, but I was obviously wrong.


      • #4
        I've gotten quick feedback on other questions. I don't know if this is a harder question or what.

        I really would like to see a sample set of applications like sparklr/tonr but for SSO instead of just granting permissions. I would think/hope that ADFS would be an easy extension to such, since the provider should be transparent...

        Is anyone listening who can help me on this topic?


        • #5
          Apache CXF Fediz works with ADFS. Right now, I'm working in integrating Fediz (Container Level SSO based on WS-Federation&SAML) into Spring security. I got something working right now where Authentication is done by the container and the application is configured according to the preauth spring example. Later on, I'd like to add support for spring security itself.
          Which servlet container do you use?


          • #6

            The Spring Security SAML Extension manual now contains a chapter about ADFS integration with a step-by-step guide. You can find it bellow or in chapter 6.1 at

            It should enable you to get the integration running in a matter of minutes. Please let me know if you run into any troubles.

            • Install AD FS 2.0 (
            • Run AD FS 2.0 Federation Server Configuration Wizard in the AD FS 2.0 Management Console
            • Make sure that DNS name of your Windows Server is available at your SP and vice-versa
            • Install a Java container (e.g. Tomcat) for deployment of the SAML 2 Extension
            • Configure your container to use HTTPS, this is required by AD FS

            Initialize IDP metadata:
            • Download AD FS 2.0 metadata from https://server/FederationMetadata/20...onMetadata.xml
            • Store the downloaded content to saml2-sample/WEB-INF/src/main/resources/security/FederationMetadata.xml
            • Modify bean metadata in securityContext.xml and replace classpath:security/idp.xml with classpath:security/FederationMetadata.xml and add property metadataTrustCheck to false to skip signature validation:
              <bean class="">
                      <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                              <value type="">classpath:security/FederationMetadata.xml</value>
                          <property name="parserPool" ref="parserPool"/>
                      <bean class=""/>
                  <property name="metadataTrustCheck" value="false"/>

            Initialize SP metadata:
            • Deploy SAML 2 Extension war archive from saml2-sample/target/spring-security-saml2-sample.war
            • Open browser at e.g. https://serverort/spring-security-saml2-sample, make sure to use HTTPS protocol, system will automatically generate metadata document
            • Click Metadata information, select item with your server name in the Service providers list
            • Store content of the Metadata field to a document metadata.xml and upload it to the AD FS server
            • In AD FS 2.0 Management Console select "Add Relying Party Trust"
            • Select "Import data about the relying party from a file" and select file created earlier, select Next
            • System may complain that some content of metadata is not supported, you can safely ignore this warning
            • Continue with the wizard, on the "Ready to Add Trust" make sure that tab endpoints contains multiple endpoing values, if not verify that your metadata was generated with https protocol in their URLs
            • Leave "Open the Edit Claim Rules dialog" checkbox checked and finish the wizard
            • Select "Add Rule", choose "Send LDAP Attributes as Claims" and press Next
            • Add NameID as "Claim rule name", choose "Active Directory" as Attribute store, choose "SAM-Account-Name" as LDAP Attribute and "Name ID" as "Outgoing claim type", finish the wizard and confirm the claim rules window
            • Open the provider by double-clicking it, select tab Advanced and change "Secure hash algorithm" to SHA-1

            Test SSO

            Open SAML Extension at https://localhost:8443/spring-security-saml2-sample, select your AD FS server and press login. In case Artifact binding is used and SSL/TLS certificate of your AD FS is not already trusted you have to import it to your samlKeystore.jks by following instructions in the error report.

            Hope this helps,
            Vladimír Schäfer