Add Assertion Consumer Service endpoint to AD FS

  1. In order to retrieve the metadata for the SAML Session Provider, the AD FS server must trust the SSL certificate used by the SAML Router. The root certificate used to sign this SSL certificate must be present in the Trusted Root Certificates store on the AD FS server.

    If an external CA has been used to sign the grid SSL certificate, it may already be present in the Trusted Root Certificates store. See Configuring host SSL certificate.

  2. Find the federation metadata URL for the SAML Session Provider:
    1. From the Grid Management Pages, open the management pages of the SAMLSessionProvider application.
    2. Click Metadata.
    3. Copy the federation metadata URL displayed on the page for use in step 7.
  3. Log on to the AD FS server, and start the AD FS Management console.
  4. Expand "Trust Relationships" in the left side menu and select "Relying Party Trusts."
  5. Select the application that corresponds to your SAML Session Provider installation, on the format urn:<SAML router FQDN>_<SAML router https port>.
  6. Right-click and select Properties.
  7. On the Monitoring tab, enter the federation metadata URL for your SAML Session Provider (see step 2c for the value).
  8. Click Test URL to make sure that the address is reachable and trusted by AD FS. If you get an error message, see the Microsoft Windows Server documentation on troubleshooting trust management problems with AD FS.
  9. When you get a message saying that the URL was validated successfully, click OK and then OK again.
  10. Select again the application that corresponds to your SAML Session Provider installation.
  11. Right-click and select "Update from Federation Metadata."
  12. On the Endpoints tab, verify the SAML Assertion Consumer Endpoints, and then select Update.