Enable signed SAML requests between ETP and AD FS

Signed SAML requests are optional. When you enable them, ETP signs every SAML authentication request it sends to AD FS, and AD FS verifies the signature against the certificate you upload before it issues a response, so a request that did not originate from ETP is rejected. Both sides must be configured:
  1. Configure ETP for signed SAML requests
  2. Configure AD FS for signed SAML requests

Configure ETP for signed SAML requests

Complete this procedure to configure ETP for signed SAML requests.

How to

  1. Return to your AD FS IdP in ETP.
  2. Under Authentication Configuration settings, select Sign SAML Request. ETP displays the certificate it will use to sign requests.
  3. Copy the certificate text (including the BEGIN CERTIFICATE and END CERTIFICATE lines) into a new file called cert.pem, then convert it to a DER-encoded certificate called cert.cer, which is the format the AD FS Signature tab imports. Use the command for your OS:
    1. On a Windows machine, open a command window and enter: certutil -decode cert.pem cert.cer
    2. On a Linux machine, open a terminal and enter: openssl x509 -inform pem -in cert.pem -outform der -out cert.cer
  4. Click Save.

Next steps

  1. Deploy the IdP configuration:
    • If you are trying the new Enterprise Center interface, in the identity provider configuration, you can click the icon next to the Ready for Deployment status. A deployment icon also appears next to a failed deployment status in case you need to deploy the identity provider again. This action starts the deployment process.
    • Deploy identity provider configuration changes in the list of Pending Changes. For more information, see Deploy configuration changes.
  2. Configure AD FS for signed SAML requests

Configure AD FS for signed SAML requests

Complete this procedure to configure AD FS for signed SAML requests.

How to

  1. Return to the relying party trust. For example, IDP-RPT.
  2. In AD FS Management, open the properties of the relying party trust.
  3. On the Signature tab, click Add.
  4. Select the cert.cer file you created when configuring ETP.
  5. Click OK.
  6. ETP signs SAML requests with a certificate issued by its internal certificate authority (CA). AD FS cannot retrieve a CRL or OCSP response for that CA, so with the default revocation check it treats the signing certificate as unverifiable and rejects every signed request. Disable revocation checking for this relying party trust only:
    1. On the AD FS server, open a PowerShell window.
    2. Type the following:
      Get-AdfsRelyingPartyTrust -Identifier https://<idp-fqdn>/saml/sp/response | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
      This stops AD FS from performing CRL and OCSP checks on the certificates ETP uses to sign (and, if configured, encrypt) SAML requests for this trust; other relying party trusts keep their own setting. Because revocation is no longer consulted, a compromised or retired ETP signing certificate must be removed from the Signature tab to stop AD FS accepting requests signed with it.
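The following script is an added example and is not part of the ETP or AD FS documentation. It performs the certificate conversion from the ETP procedure above and the AD FS procedure in this section as one scripted, checkable sequence: PEM to DER conversion with a round-trip and expiry check, attaching the certificate as a request-signing certificate on the relying party trust (the equivalent of Signature tab > Add), relaxing revocation checking for that trust only, and reading the trust back to confirm what AD FS will enforce. The file paths, the <idp-fqdn> placeholder in the relying party identifier, and running in an elevated session on the primary AD FS server are assumptions.

```powershell
#Requires -Modules ADFS
# Added example, not from the ETP or AD FS documentation. Assumed values:
# the PEM text copied from the ETP IdP page was saved to C:\etp\cert.pem, the
# relying party identifier is https://<idp-fqdn>/saml/sp/response (replace
# <idp-fqdn> with your ETP IdP hostname), and this runs in an elevated
# PowerShell session on the primary AD FS server.
param(
    [string]$PemPath      = 'C:\etp\cert.pem',
    [string]$DerPath      = 'C:\etp\cert.cer',
    [string]$RpIdentifier = 'https://<idp-fqdn>/saml/sp/response'
)
$ErrorActionPreference = 'Stop'
$X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]

# Step 1: PEM -> DER, the same result as "certutil -decode" or
# "openssl x509 -outform der". X509Certificate2 parses a Base64 PEM file
# directly, and Export(Cert) emits the raw DER bytes.
$pem      = $X509::new($PemPath)
$derBytes = $pem.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($DerPath, $derBytes)

# Round-trip check before touching AD FS: the DER file must load as the same
# certificate and must still be within its validity period, otherwise AD FS
# will reject every signed request regardless of the revocation setting.
$der = $X509::new($DerPath)
if ($der.Thumbprint -ne $pem.Thumbprint) { throw "DER output does not match $PemPath" }
if ($der.NotAfter -lt (Get-Date))       { throw "ETP signing certificate expired on $($der.NotAfter)" }
Write-Host "Subject:    $($der.Subject)"
Write-Host "Issuer:     $($der.Issuer)"      # expect the ETP internal CA here
Write-Host "Thumbprint: $($der.Thumbprint)"
Write-Host "Expires:    $($der.NotAfter)"

# Step 2: attach the certificate as a request-signing certificate on the
# relying party trust. Any previously uploaded copy with the same thumbprint
# is replaced; other request-signing certificates on the trust are kept.
$rpt = Get-AdfsRelyingPartyTrust -Identifier $RpIdentifier
if (-not $rpt) { throw "No relying party trust has the identifier $RpIdentifier" }
$keep = @($rpt.RequestSigningCertificate | Where-Object { $_.Thumbprint -ne $der.Thumbprint })
Set-AdfsRelyingPartyTrust -TargetIdentifier $RpIdentifier -RequestSigningCertificate ($keep + $der)

# Step 3: skip CRL/OCSP lookups for this trust only. The certificate chains to
# an ETP-internal CA that AD FS cannot query, so every Check* value would fail.
Set-AdfsRelyingPartyTrust -TargetIdentifier $RpIdentifier `
    -SigningCertificateRevocationCheck    None `
    -EncryptionCertificateRevocationCheck None

# Step 4: read the trust back and confirm what AD FS will actually enforce.
Get-AdfsRelyingPartyTrust -Identifier $RpIdentifier |
    Select-Object Name, Identifier, SignedSamlRequestsRequired,
                  SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck,
                  @{ n = 'RequestSigningThumbprints'; e = { $_.RequestSigningCertificate.Thumbprint -join ', ' } }
```

The final Select-Object is the check worth keeping around: RequestSigningThumbprints should list the thumbprint printed in step 1, and both revocation properties should read None for this trust and nothing else. SignedSamlRequestsRequired is shown because, once signed requests are flowing, setting it to $true on the same trust (Set-AdfsRelyingPartyTrust -SignedSamlRequestsRequired $true) makes AD FS reject unsigned requests instead of merely tolerating signed ones; that step goes beyond what this page configures and should be tested before enabling it.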