Enable signed SAML requests between ETP and AD FS
To enable communication with signed SAML requests, configure both ETP and AD FS. This is an optional configuration.
- Configure ETP for signed SAML requests
- Configure AD FS for signed SAML requests
Configure ETP for signed SAML requests
Complete this procedure to configure ETP for signed SAML requests.
- Return to your AD FS IdP in ETP.
- Under Authentication Configuration settings, select Sign SAML Request.
- Copy the certificate text to a new file called cert.pem and convert it to a DER-encoded certificate called cert.cer. Depending on your machine, run one of these commands:
  - For a Windows machine, open a command window and enter: CertUtil -decode cert.pem cert.cer
  - For a Linux machine, open a terminal and enter: openssl x509 -outform der -in cert.pem -out cert.cer
- Click Save.
Configure AD FS for signed SAML requests
Complete this procedure to configure AD FS for signed SAML requests.
- Return to the relying party trust. For example, IDP-RPT.
- In the AD FS management console, edit the properties of the relying party trust.
- On the Signature tab, click Add.
- Add the cert.cer file.
- Click OK.
If ETP uses internal certificate authority (CA) certificates to sign SAML requests and AD FS does not trust them, disable revocation checking of the SAML response for ETP in the AD FS server. Follow these steps:
- Open a PowerShell window.
- Enter:
Get-AdfsRelyingPartyTrust -Identifier https://<idp-fqdn>/saml/sp/response | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
This disables revocation checking in AD FS for SAML responses from ETP.
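The following script is an added example, not part of the ETP or AD FS documentation, that carries the AD FS side of this procedure through in one PowerShell session: it converts cert.pem to DER the same way CertUtil -decode does, verifies that the result loads as an X.509 certificate before anything is uploaded, attaches it to the relying party trust as a request signing certificate (the equivalent of Signature tab > Add), and then applies the revocation-check change while recording the settings before and after. It assumes cert.pem is in the current directory, that the relying party identifier is the placeholder URL used in the procedure, and that it runs in an elevated PowerShell window on the AD FS server where the ADFS module is available.

```powershell
# Added example (not the product's own code): PEM -> DER conversion with a
# validity check, request signing certificate assignment, and revocation-check
# change for a single relying party trust.
# Assumptions: .\cert.pem exists; $Identifier below is a placeholder; elevated
# PowerShell on the AD FS server.

$PemPath    = '.\cert.pem'
$DerPath    = '.\cert.cer'
$Identifier = 'https://<idp-fqdn>/saml/sp/response'   # placeholder from the procedure

# 1. PEM -> DER. The PEM body is the base64 of the DER bytes between the
#    -----BEGIN/END----- lines; dropping the armour and decoding is exactly
#    what CertUtil -decode and openssl x509 -outform der produce here.
$body = ((Get-Content $PemPath) -notmatch '^-----') -join ''
[byte[]]$der = [Convert]::FromBase64String($body)
[IO.File]::WriteAllBytes($DerPath, $der)

# 2. Sanity check before uploading: a DER certificate starts with an ASN.1
#    SEQUENCE tag (0x30), and X509Certificate2 rejects anything malformed.
if ($der[0] -ne 0x30) {
    throw ("{0} is not DER-encoded (first byte 0x{1:X2})" -f $DerPath, $der[0])
}
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $DerPath
"Request signing certificate: {0} (thumbprint {1}, expires {2})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# 3. Attach it to the relying party trust (Signature tab > Add in the console).
$rpt = Get-AdfsRelyingPartyTrust -Identifier $Identifier
if (-not $rpt) { throw "No relying party trust with identifier $Identifier" }
Set-AdfsRelyingPartyTrust -TargetIdentifier $Identifier -RequestSigningCertificate $cert

# 4. Only if the certificate chains to an internal CA that AD FS does not trust:
#    disable revocation checking for this trust, recording the previous values.
"Before: signing={0} encryption={1}" -f $rpt.SigningCertificateRevocationCheck, $rpt.EncryptionCertificateRevocationCheck
Set-AdfsRelyingPartyTrust -TargetIdentifier $Identifier `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None

# 5. Read the trust back and confirm what AD FS will now enforce.
$rpt = Get-AdfsRelyingPartyTrust -Identifier $Identifier
"After:  signing={0} encryption={1}" -f $rpt.SigningCertificateRevocationCheck, $rpt.EncryptionCertificateRevocationCheck
$rpt.RequestSigningCertificate | Select-Object Subject, Thumbprint, NotAfter
```

Step 4 is scoped to the one trust by -TargetIdentifier, so other relying parties keep their revocation settings. With the check set to None, AD FS will keep accepting requests signed with the ETP certificate even if the internal CA later revokes it, which is why the script prints the thumbprint and expiry: those are the values to track for rotation once the check is off.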