Managing Connectis Identity Broker metadata in ADFS

This document describes how to manage the Connectis Identity Broker metadata in ADFS. The examples used in this document are from AD FS Management version 10.0.0.0. This document assumes the ADFS server is already set up and operational.

Connect ADFS as service provider

Use a metadata url (preferred)

  1. Request the URL of the ADFS-compatible metadata of the Connectis Identity Broker from technicalsupport@connectis.nl. You can verify that the metadata on this URL is ADFS-compatible by checking that the Signature element contains an X509Certificate element. If this element is not present, please contact our technical support.

  2. Open ADFS management

  3. Click on “Claims Provider Trusts”

  4. Click on “Add Claims Provider Trusts”

  5. Start the wizard

  6. Select the first option: “Import data about the claims provider published online or on a local network”

  7. Supply the metadata URL of the Connectis Identity Broker.

  8. Give a meaningful display name.

  9. Finish the wizard.

For more information: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-claims-provider-trust

Use a metadata file

  1. Alternatively, request a copy of the ADFS-compatible metadata file of the Connectis Identity Broker from technicalsupport@connectis.nl. You can verify that the metadata file is ADFS-compatible by checking that the Signature element contains an X509Certificate element. If this element is not present, please contact our technical support.

  2. Open ADFS management

  3. Click on “Claims Provider Trusts”

  4. Click on “Add Claims Provider Trusts”

  5. Start the wizard

  6. Select the first option: “Import data about the claims provider from a file”

  7. Select the downloaded Connectis Identity Broker metadata

  8. Give a meaningful display name.

  9. Finish the wizard.

Add new signing certificate

Trust is created via metadata URL

ADFS periodically checks the configured metadata URL for changes and loads the new metadata. It is also possible to trigger this manually:

  1. Go to created trust

  2. Right-click on the trust

  3. Select “Update from Federation Metadata”

  4. The new metadata is loaded.

Trust is created from file

It is possible to add a new signing certificate manually:

  1. Save the new certificate as a pem file. Copy the public part of the new signing certificate from the Connectis Identity Broker metadata page (the X509Certificate element inside the IDPSSODescriptor) and, in a new file, place it between:

-----BEGIN CERTIFICATE-----
<insert public part here>
-----END CERTIFICATE-----

Save the file with the extension *.pem.

  2. Go to the created trust

  3. Right-click on the trust

  4. Select “Properties”

  5. Go to the Certificates tab

  6. Click “Add”

  7. Change the file type filter on the right to “All Files”, so that pem files are visible.

  8. Select the pem file and click Open.

  9. Click “Apply”; the new certificate is added.
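The two checks this document relies on, as an added Python example that is not part of this document or of the Connectis Identity Broker: whether a metadata document is ADFS-compatible (its Signature element carries an X509Certificate) and wrapping the IDPSSODescriptor signing certificate into a correctly formed pem file for step 1. The sample metadata, the entityID and the output file name are constructed placeholders, and the base64 bodies only decode to a DER header, not to real certificates.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata (hypothetical, not real Connectis data); certificate bodies are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://broker.example/idp">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBAgA=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBAgA=
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBBAA=
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def is_adfs_compatible(metadata_xml):
    """The document's check: the metadata Signature must carry its signing certificate inline."""
    sig = ET.fromstring(metadata_xml).find("ds:Signature", NS)
    return sig is not None and sig.find(".//ds:X509Certificate", NS) is not None

def signing_certificates(metadata_xml):
    """Base64 bodies of the IDPSSODescriptor signing certificates, whitespace stripped."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return certs

def to_pem(b64_body):
    """Wrap a base64 body in 64-column lines with the five-dash BEGIN/END markers PEM readers expect."""
    der = base64.b64decode(b64_body, validate=True)
    if not der or der[0] != 0x30:  # a DER certificate always starts with a SEQUENCE tag
        raise ValueError("not a DER certificate")
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for n, body in enumerate(signing_certificates(SAMPLE_METADATA)):
        with open(f"connectis-signing-{n}.pem", "w") as f:  # file name is an assumption
            f.write(to_pem(body))
```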