Microsoft ADFS (Active Directory Federation Services) is an Identity Provider and Service Provider that supports several protocols, including <abbr title="Security Assertion Markup Language">SAML</abbr> 2.0.
</p>
<div class="noteimportant">This documentation does not explain how to set up ADFS; it only gives the tricks needed to make it work with <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
</div>
<h2 class="sectionedit3" id="adfs_as_identity_provider">ADFS as Identity Provider</h2>
<div class="level2">
<p>
When ADFS is declared as an Identity Provider in LemonLDAP::NG, you need to take care of the following items:
</p>
<ul>
<li class="level1"><div class="li"> HTTPS is mandatory on the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal</div>
</li>
<li class="level1"><div class="li"> Put an X.509 certificate, not a raw public key, in the <abbr title="LemonLDAP::NG">LL::NG</abbr> <abbr title="Security Assertion Markup Language">SAML</abbr> metadata: ADFS expects a certificate in the metadata's KeyDescriptor</div>
</li>
<li class="level1"><div class="li"> Enable the <code>Use specific query_string method</code> option in the <abbr title="Security Assertion Markup Language">SAML</abbr> service configuration</div>
</li>
<li class="level1"><div class="li"> Set the signature algorithm to SHA1 instead of SHA256 on the ADFS side only if your Lasso version is older than 2.5.0 (SHA1 is a weak algorithm; switch back to SHA256 as soon as Lasso is upgraded)</div>
</li>
<li class="level1"><div class="li"> Force the <abbr title="Security Assertion Markup Language">SAML</abbr> response to be sent with the HTTP-POST binding, not HTTP-Artifact (signature verification fails with Artifact)</div>
</li>
<li class="level1"><div class="li"> Enable <code>Allow proxy authentication</code> in the IDP options on the <abbr title="LemonLDAP::NG">LL::NG</abbr> side</div>
</li>
</ul>
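<p>
Three of the items above (HTTPS endpoints, a certificate rather than a raw key, HTTP-POST as the response binding) are visible in the SP metadata that <abbr title="LemonLDAP::NG">LL::NG</abbr> publishes, so they can be checked before the metadata is imported into ADFS. The script below is an added example, not code from the LL::NG project or the ADFS documentation: it parses SP metadata with the standard library and reports each violation. The two metadata documents it ships with are constructed for the demonstration (the hostname <code>auth.example.com</code> and the certificate bytes are made up); pass the path of your real metadata file as the first argument to check it instead.
</p>

```python
"""Preflight checks on LL::NG SP metadata before it is handed to ADFS.

Added example, not LL::NG project code. The two metadata documents below are
constructed inline for the demonstration (hostname and certificate bytes are
made up); run with a file path to check real metadata instead.
"""
import base64
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_sp_metadata(xml_text):
    """Return the list of problems found; an empty list means the metadata passes."""
    problems = []
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element: this is not SP metadata"]

    # 1. HTTPS is mandatory on the portal: every endpoint ADFS will talk to must be https.
    endpoints = sp.findall("md:AssertionConsumerService", NS) + sp.findall("md:SingleLogoutService", NS)
    for ep in endpoints:
        loc = ep.get("Location", "")
        if not loc.startswith("https://"):
            problems.append(f"endpoint {loc!r} is not https")

    # 2. The signing key must be published as an X.509 certificate, not a raw RSAKeyValue.
    #    A KeyDescriptor without a "use" attribute is valid for signing, so it counts too.
    signing = [kd for kd in sp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"]
    if not signing:
        problems.append("no signing KeyDescriptor")
    for kd in signing:
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            if kd.find("ds:KeyInfo/ds:KeyValue", NS) is not None:
                problems.append("signing key is a raw KeyValue; ADFS needs an X509Certificate")
            else:
                problems.append("signing KeyDescriptor carries no X509Certificate")
            continue
        try:
            der = base64.b64decode("".join(cert.text.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("X509Certificate is not valid base64")
            continue
        if der[:1] != b"\x30":  # a DER certificate always starts with a SEQUENCE tag
            problems.append("X509Certificate does not decode to a DER SEQUENCE")

    # 3. The response must come back over HTTP-POST: the default ACS must not be Artifact.
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    default = [a for a in acs if a.get("isDefault", "false").lower() == "true"]
    if not default and acs:  # no explicit default: the lowest index wins
        default = [min(acs, key=lambda a: int(a.get("index", "0")))]
    for a in default:
        if a.get("Binding") != HTTP_POST:
            problems.append(f"default ACS binding is {a.get('Binding')}, expected HTTP-POST")
    return problems


# Constructed stand-in for a DER certificate: a SEQUENCE header followed by padding bytes.
CONSTRUCTED_CERT = base64.b64encode(b"\x30\x82\x00\x14" + b"\x00" * 20).decode()

# Constructed metadata that satisfies all three checks (Artifact is listed but POST is default).
GOOD_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://auth.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CONSTRUCTED_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://auth.example.com/saml/acs/artifact" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.example.com/saml/acs/post" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed metadata that violates all three: plain http, raw key, Artifact as default ACS.
BAD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://auth.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus>
      <ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://auth.example.com/saml/acs/artifact" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def main(argv):
    """Check the file named on the command line, or the constructed samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            docs = {argv[1]: fh.read()}
    else:
        docs = {"constructed-good": GOOD_METADATA, "constructed-bad": BAD_METADATA}
    failed = 0
    for name, text in docs.items():
        found = check_sp_metadata(text)
        failed += bool(found)
        print(name + ":", "OK" if not found else "\n  - " + "\n  - ".join(found))
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<p>
The check only covers what the metadata itself can show; the query_string method, the signature algorithm on the ADFS side and the proxy-authentication option live in configuration that the metadata does not carry, so those still have to be verified in the Manager and on the ADFS server.
</p>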
</div>
</div>