Configure AD FS for signed SAML requests

Complete this procedure to configure AD FS for signed SAML requests.

How to

  1. Return to the relying party trust that you created for ETP. For example, IDP-RPT.
  2. In the AD FS Management console, edit the properties of the relying party trust.
  3. On the Signature tab, click Add.
  4. Add the cert.cer file (the certificate that ETP uses to sign its SAML requests).
  5. Click OK.
  6. ETP signs its SAML requests with certificates issued by an internal certificate authority (CA), and AD FS cannot validate the revocation status of those certificates, so the signed requests would be rejected. To prevent this, disable revocation checking for the ETP relying party trust on the AD FS server. Follow these steps:
    1. Open a PowerShell window.
    2. Type the following:
      Get-AdfsRelyingPartyTrust -Identifier https://<idp-fqdn>/saml/sp/response | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
      This stops AD FS from performing revocation checking on the signing and encryption certificates of the ETP relying party trust. Other relying party trusts are not affected.
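The following script is an added example, not part of the original procedure or the ETP product: it wraps the command above so that the revocation exemption is applied only after confirming that the certificate on the trust is the cert.cer file from step 4, and it reads the setting back afterwards. The identifier and the certificate path are placeholders for your environment.

```powershell
# Added example (not from the original page). Placeholders: <idp-fqdn> and $CertPath.
$Identifier = 'https://<idp-fqdn>/saml/sp/response'   # placeholder: ETP SP identifier used in the page
$CertPath   = 'C:\temp\cert.cer'                      # assumption: where cert.cer was saved in step 4

# Load cert.cer so its thumbprint can be compared with what is on the trust.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
if ($expected.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "cert.cer expires on $($expected.NotAfter); plan a certificate rotation."
}

$rpt = Get-AdfsRelyingPartyTrust -Identifier $Identifier
if (-not $rpt) { throw "No relying party trust found for identifier $Identifier" }

# Only exempt the trust from revocation checking if it carries the certificate we added
# deliberately; a trust with a different or missing signing certificate is left untouched.
$onTrust = $rpt.RequestSigningCertificate | Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
if (-not $onTrust) {
    throw "cert.cer ($($expected.Thumbprint)) is not a request-signing certificate on '$($rpt.Name)'"
}

Write-Host "Before: signing=$($rpt.SigningCertificateRevocationCheck) encryption=$($rpt.EncryptionCertificateRevocationCheck)"

# Same change as the page's one-liner, scoped to this single trust via the pipeline.
$rpt | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None

# Read the configuration back from AD FS instead of assuming the call took effect.
$after = Get-AdfsRelyingPartyTrust -Identifier $Identifier
Write-Host "After:  signing=$($after.SigningCertificateRevocationCheck) encryption=$($after.EncryptionCertificateRevocationCheck)"
if ($after.SigningCertificateRevocationCheck -ne 'None' -or $after.EncryptionCertificateRevocationCheck -ne 'None') {
    throw 'Revocation check setting was not applied to the ETP relying party trust'
}
```

Run the script in an elevated PowerShell session on the AD FS server where the ADFS module is available.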