Microsoft has announced improved interoperability with SAML 2.0 including support for federation metadata aggregates. https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/improved-interoperability-with-saml-2.0
In particular, the article mentions the InCommon federation. However, it doesn't work: ADFS won't consume the InCommon aggregate. I got the InCommon metadata aggregate endpoint URL from https://spaces.internet2.edu/display/InCFederation/Metadata+Aggregates. I tried using the production aggregate http://md.incommon.org/InCommon/InCommon-metadata.xml. It doesn't work in the GUI because it requires an HTTPS protocol prefix. It doesn't work in PowerShell either. Add-AdfsClaimsProviderTrustsGroup throws numerous errors about invalid enumerations.

For whatever reason InCommon doesn't serve the aggregate from an HTTPS URL. While one could debate whether that is a good practice or not, it is beside the point. The metadata aggregate is signed and is being successfully consumed by thousands of InCommon IdPs and SPs.

I know the work-around: just like prior versions of ADFS, one must extract the desired metadata manually and save it to a file.

I'm testing this on a fully patched Server 2016 machine. Either I'm doing something wrong or Microsoft didn't actually test the InCommon metadata aggregate.

Thanks,

Eric
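The manual work-around Eric describes, extracting one entity's metadata from the InCommon aggregate and saving it to a file that ADFS can import, as an added PowerShell example rather than anything from the post, from Microsoft, or from InCommon. Pulling a single EntityDescriptor out of the aggregate discards the aggregate's signature, so the script verifies that signature against a pinned, locally held copy of the InCommon signing certificate and checks the validUntil attribute before extracting anything. The signing-certificate path, the entityID, and the output folder are placeholders you must supply; the aggregate URL is the one from the post.

```powershell
# Added example, not from the original post. Fetches the InCommon aggregate,
# verifies its XML-DSig against a pinned signing certificate, then saves one
# EntityDescriptor as a stand-alone metadata file for Add-AdfsClaimsProviderTrust.
param(
    [string]$AggregateUrl    = 'http://md.incommon.org/InCommon/InCommon-metadata.xml', # from the post
    [string]$SigningCertPath = 'C:\incommon\incommon-signing-cert.pem',  # placeholder: obtained out of band
    [Parameter(Mandatory)][string]$EntityId,                             # placeholder: the IdP's entityID
    [string]$OutDir          = 'C:\incommon\metadata'                    # placeholder
)

Add-Type -AssemblyName System.Security

$mdNs = 'urn:oasis:names:tc:SAML:2.0:metadata'
$dsNs = 'http://www.w3.org/2000/09/xmldsig#'

# 1. Download. The endpoint is plain HTTP (as the post notes), so the XML
#    signature check below is the only integrity guarantee available.
$raw = (Invoke-WebRequest -Uri $AggregateUrl -UseBasicParsing).Content

# 2. Load with whitespace preserved; canonicalization during signature
#    validation depends on the document being byte-exact.
$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
$doc.LoadXml($raw)

$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('md', $mdNs)
$ns.AddNamespace('ds', $dsNs)

# 3. Reject a stale aggregate before trusting anything in it.
$validUntil = $doc.DocumentElement.GetAttribute('validUntil')
if ($validUntil) {
    $expiry = [System.Xml.XmlConvert]::ToDateTime($validUntil, [System.Xml.XmlDateTimeSerializationMode]::Utc)
    if ($expiry -lt [DateTime]::UtcNow) { throw "Aggregate expired at $validUntil; refusing to use it." }
}

# 4. Verify the enveloped signature on the root EntitiesDescriptor against the
#    pinned certificate, not against whatever KeyInfo the file itself carries.
$sigNode = $doc.SelectSingleNode('/md:EntitiesDescriptor/ds:Signature', $ns)
if (-not $sigNode) { throw 'Aggregate carries no root XML signature; refusing to use it.' }

$signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
$signedXml.LoadXml([System.Xml.XmlElement]$sigNode)

# Guard against signature wrapping: the signed reference must point at the root element.
$rootId = $doc.DocumentElement.GetAttribute('ID')
$refUri = $signedXml.SignedInfo.References[0].Uri
if (-not $rootId -or $refUri -ne "#$rootId") {
    throw "Signature reference '$refUri' does not cover the root element (ID '$rootId')."
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertPath)
if (-not $signedXml.CheckSignature($cert, $true)) {
    throw 'Aggregate signature did not verify against the pinned InCommon certificate.'
}

# 5. Extract the one EntityDescriptor ADFS should trust. XPath literal uses
#    single quotes, so an entityID containing one would need escaping.
$entity = $doc.SelectSingleNode("//md:EntityDescriptor[@entityID='$EntityId']", $ns)
if (-not $entity) { throw "entityID '$EntityId' not found in the verified aggregate." }

# 6. Write it out as a stand-alone document. Element and attribute namespaces
#    are re-declared automatically when the node is imported.
$out = New-Object System.Xml.XmlDocument
$out.PreserveWhitespace = $true
[void]$out.AppendChild($out.ImportNode($entity, $true))

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$safeName = $EntityId -replace '[^A-Za-z0-9.-]', '_'
$path = Join-Path $OutDir "$safeName.xml"
$out.Save($path)
Write-Output "Verified and saved metadata for $EntityId to $path"
```

The saved file is then imported the same way as on earlier ADFS versions, for example `Add-AdfsClaimsProviderTrust -Name 'Example IdP' -MetadataFile $path`. Because the per-entity file is unsigned, the trust in it rests entirely on the signature check performed at extraction time, which is why the script pins the signing certificate rather than trusting the KeyInfo embedded in the download.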


Forum info: http://www.activedir.org