...
- Use pysFEMMA to refresh and verify metadata (since AD FS 2.0 will not consume SAML metadata whose root element is an `<md:EntitiesDescriptor>` element)
- Ensure that all SP partners support and use SAML V2.0 (since AD FS 2.0 does not support SAML V1.1)
- Ensure that all SP partners follow InCommon recommendations regarding certificates in metadata. Specifically:
  - certificates should be self-signed (since AD FS 2.0 will actually try to check any CRLs or OCSP endpoints contained in the certificate)
  - certificates should not be expired (since AD FS 2.0 will not consume an `<md:EntityDescriptor>` element that contains an expired certificate)
  - certificates should not be shared (since some versions of AD FS 2.0 will not consume two `<md:EntityDescriptor>` elements that contain the same certificate)
  - redundant certificates should be avoided (since AD FS 2.0 will not consume an `<md:EntityDescriptor>` element containing more than one encryption key)
- Ensure that no SP partners include a `<samlp:Scoping>` element in the AuthnRequest (since AD FS 2.0 will reject such a request)
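The metadata-side conditions in the list above can be checked mechanically before a file is handed to AD FS 2.0. The following is an added example, not pysFEMMA's code and not anything from InCommon or Microsoft: it walks a metadata file with the standard library only, flags a root `<md:EntitiesDescriptor>`, an SP that does not declare the SAML 2.0 protocol, an expired certificate, a certificate shared between two entity descriptors, and more than one encryption key in one descriptor. The sample metadata and the certificate-shaped DER blobs inside it are constructed here purely as input (they are unsigned and would not validate as real certificates); the entity IDs are placeholders. The self-signed/CRL point and the `<samlp:Scoping>` rule are not covered, since the first needs extension parsing and the second concerns the AuthnRequest rather than metadata.

```python
"""Static checks on SAML metadata for the AD FS 2.0 constraints listed above (added example)."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"


# --- minimal DER walk: just enough to pull notAfter out of an X.509 certificate ---
def _tlv(buf, pos):
    """Read one tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out


def cert_not_after(der):
    """Return the notAfter time of a DER certificate as an aware UTC datetime."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                # explicit [0] version is optional
        fields = fields[1:]
    # serialNumber, signature, issuer, validity -> validity is index 3
    tag, raw = _children(fields[3][1])[1]   # second Time in Validity = notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def check_metadata(xml_text, now):
    """Return (entityID, finding) pairs for conditions AD FS 2.0 will not accept."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['md']}}}EntitiesDescriptor":
        findings.append((None, "root-is-EntitiesDescriptor"))
        entities = root.findall(".//md:EntityDescriptor", NS)
    else:
        entities = [root]
    seen = {}   # normalized certificate text -> first entityID that carried it
    for ent in entities:
        eid = ent.get("entityID")
        for sp in ent.findall("md:SPSSODescriptor", NS):
            if SAML2 not in sp.get("protocolSupportEnumeration", "").split():
                findings.append((eid, "no-saml2-protocol"))
            enc_keys = 0
            for kd in sp.findall("md:KeyDescriptor", NS):
                if kd.get("use") in (None, "encryption"):   # no 'use' means signing AND encryption
                    enc_keys += 1
                for c in kd.findall(".//ds:X509Certificate", NS):
                    b64 = "".join(c.text.split())
                    if cert_not_after(base64.b64decode(b64)) < now:
                        findings.append((eid, "expired-certificate"))
                    owner = seen.setdefault(b64, eid)
                    if owner != eid:
                        findings.append((eid, "certificate-shared-with:" + owner))
            if enc_keys > 1:
                findings.append((eid, "multiple-encryption-keys"))
    return findings


# --- constructed sample input (certificate-shaped DER, unsigned; not a real certificate) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_cert(not_before, not_after):
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + _der(0x30, b"")
           + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
           + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00"))


def sample_metadata():
    """Constructed two-SP aggregate (placeholder entity IDs) that trips every check above."""
    good = base64.b64encode(constructed_cert("200101000000Z", "300101000000Z")).decode()
    expired = base64.b64encode(constructed_cert("150101000000Z", "200101000000Z")).decode()

    def key(use, b64):
        attr = f' use="{use}"' if use else ""
        return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
                f"{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

    return f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{SAML2}">{key(None, good)}</md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      {key("encryption", good)}{key("encryption", expired)}
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def run_sample():
    """Evaluate the constructed aggregate at a fixed date so results are reproducible."""
    return check_metadata(sample_metadata(), dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc))


if __name__ == "__main__":
    for entity, finding in run_sample():
        print(entity or "<root>", finding)
```

The check treats a `<md:KeyDescriptor>` with no `use` attribute as an encryption key, because the SAML metadata specification defines the absence of `use` as meaning the key serves both signing and encryption; that is the case most often behind "more than one encryption key" complaints. Against a real aggregate, run it over the file after pysFEMMA has refreshed it and resolve every finding before importing the per-entity files into AD FS.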
...