I have a related party application that can accept SAML 1.0 and 2.0 over WS-Federation. I configured my claims and trust relationship manually and everything works as expected.

I inspected the token being passed and realized it is a SAML 1.1 token (the saml:Assertion element has MajorVersion and MinorVersion set to 1).

I re-ran the "Add Relying Party Trust Wizard" and made sure that I selected "AD FS Profile" under "Choose Profile", as it specifically mentions the SAML 2.0 protocol (which, as I understand, is not the same thing as a SAML 2.0 token being passed within the WS-Federation protocol, but seemed hopeful). I also combed through all the remaining settings and I cannot see a setting to select the token type.

How do you choose between SAML 1.0 and SAML 2.0 tokens when you configure a Trust Relationship in ADFS?

I am actually not 100% sure which version of ADFS I am using, but "ADFS Management" shows version 6.2.0.0

Sebastian K

1 Answer

"MMC; Help; About AD FS Management" shows the version indeed. It shows the OS version. And starting with S2012, ADFS is linked one-to-one with the OS version. You are probably on S2012 because 6.2 is S2012.

ADFS never wanted to send SAML2 Tokens to its WS-* Relying parties. ADFS always did stick to the SAML1 Tokens. SAML2 protocol mandates SAML2 Tokens. WS-* does not mandate them, and for backward compatibility and for other interop agreements they left it at SAML1 tokens?

Any specific reason why you would want a SAML2 Token? A regular WIF app will not notice the difference.

paullem
  • Thanks a lot - I did not know that. I am indeed on Windows Server 2012. The reason I wanted to use SAML 2.0 tokens was for testing - I ran into issues before where Cloud Minder was sending elements in a SAML 2.0 token in a different order than WIF (which is used by the related party app) was expecting. – Sebastian K Apr 06 '15 at 13:16
  • If you want to test then you could use Thinktecture.IdentityServer. It can send SAML2 Tokens. – paullem Apr 07 '15 at 13:19
  • Thanks, I was playing with ThinkTecture before too - it is great, however it has no UI to configure custom claims, I may try to see if there is a way to configure those somehow. – Sebastian K Apr 07 '15 at 13:57
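
An added example, not part of the question, answer or comments above: a Python check that reports which SAML assertion version a WS-Federation token response carries, the same inspection the question describes, extended to also read the issuer (an attribute in SAML 1.x, a child element in SAML 2.0). The `describe_assertions` helper, the sample responses and the `example.test` host names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # shared by SAML 1.0 and 1.1
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: WS-Trust response wrapping a SAML 1.1 assertion.
WSFED_SAML11 = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="1" AssertionID="_constructed-1"
        Issuer="http://sts.example.test/adfs/services/trust"
        IssueInstant="2015-04-06T13:00:00Z"/>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

# Constructed sample: the same wrapper carrying a SAML 2.0 assertion.
WSFED_SAML20 = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Version="2.0" ID="_constructed-2" IssueInstant="2015-04-06T13:00:00Z">
      <saml2:Issuer>https://idp.example.test</saml2:Issuer>
    </saml2:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def describe_assertions(xml_text):
    """Return [(version, issuer)] for each unencrypted SAML assertion found."""
    # A token response has no reason to carry a DTD; refuse it before parsing.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("unexpected DTD in token response")
    found = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag == f"{{{SAML1_NS}}}Assertion":
            version = f"{el.get('MajorVersion', '?')}.{el.get('MinorVersion', '?')}"
            found.append((version, el.get("Issuer")))
        elif el.tag == f"{{{SAML2_NS}}}Assertion":
            # SAML 2.0 moved the issuer from an attribute to a child element.
            found.append((el.get("Version", "?"), el.findtext(f"{{{SAML2_NS}}}Issuer")))
    return found


if __name__ == "__main__":
    for name, sample in (("SAML 1.1", WSFED_SAML11), ("SAML 2.0", WSFED_SAML20)):
        print(name, describe_assertions(sample))
```

This only identifies the token format; it does not validate the signature, and an encrypted assertion yields an empty list.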