ADFS - FREE TOOL - Claims X-ray - Active Directory Federation Service - Relying Party | 2023

  • Published 30 Jan 2025

Comments • 68

  • @bondq83 4 years ago +1

    most valuable Microsoft contents on TH-cam

  • @amc6226 5 months ago

    Just want to say thank you for your awesome work on this subject. Thank you

    • @ConceptsWork 5 months ago

      My pleasure!

  • @AzureADTalk 5 years ago +4

    One of the best explanations about ADFS; I learnt a lot of things after watching this.

  • @binumhaneef 5 years ago +2

    Your effort is highly appreciated because you're explaining each and everything in detail to an extent. Good job!

  • @rajtheo 4 years ago +1

    These are the best of ADFS videos. Thanks.

  • @anandpattar5346 1 year ago

    Great concepts and best ADFS learning path in the complete playlist.

  • @krampuswinter5917 3 years ago +1

    Best Series on ADFS ever! Thank you my brother! Amazing content, keep it up.

  • @mail2rvm 4 years ago +1

    Excellent Video! All your videos made my ADFS learning faster, I can say you have a thorough knowledge of core concepts that makes your explanation complete and easy to understand. Thank You!

  • @Ambedkarites_Indian 1 year ago +1

    Thank you very much, Sir. ❤❤
    I always try to share and recommend this channel to others.
    You are providing very useful information.

    • @ConceptsWork 1 year ago

      Thanks for your kind and generous acknowledgements, much appreciated.
      By the way, your DP is a resemblance of hard work.
      Happy learning.

  • @rajiv7 2 years ago +1

    Just Superb!!!

  • @v9abhis 2 years ago

    Very well explained in simple words. Just one request: please have a detailed session on configuring a relying party trust manually, as sometimes the application vendor does not provide metadata.

  • @DailyLearnings1 4 years ago +1

    Thank you so much for the video. Your efforts and explanation are highly appreciated. Simply awesome 👍 Desperately waiting for the SAML video of ADFS.

  • @marvinmitchell7420 1 year ago

    Great video and lesson. It helps me a lot.

  • @acardak 4 years ago +1

    Thank you very much, very detailed explanation, made so many things clear for me :)

  • @jitenderkapil6650 3 years ago

    Do we require port 443 open on my public IP and need a public wildcard certificate?

  • @SanjeevKumar-bn2gu 3 years ago +1

    Awesome video, thanks

  • @kundankumar-xf1wg 2 years ago

    After adding the relying party trust of Claims X-Ray, I am still not able to log in; I got an error in Event Viewer: "Requested authentication method is not supported on the STS..."
    Windows Server 2012 R2

  • @atifmbaig 4 years ago

    Is there any way to find a 3rd-party relying party trust application's claims using the X-Ray tool? I need to know what claims are coming from the 3rd-party application.

  • @zhaojerome2834 5 years ago +1

    I have a question. When you use Claims X-Ray to point to your ADFS service name, it means your ADFS name is resolvable on the public internet. So this tool cannot be used in the internal network? How do you make the name resolvable in public? I don't see you deploy the WAP server so far. Could you explain a little more about that? Thank you so much.

    • @ConceptsWork 5 years ago +1

      Hello Zhao,
      Please send us an email at learnconceptswork@gmail.com, and we will share the entire blueprint of our lab.
      Regards,
      ConceptsWork

  • @amc6226 5 months ago

    The new claim, Department, will not show on the Token Claims page if it's not populated in the User Profile.

  • @AjaySharma-bd5cl 2 years ago

    Excellent video series! I'm trying to set up ADFS to achieve RDP login via email address (non-Microsoft email), but could not find any specific steps to follow. Please help.

  • @swarupkn1599 4 years ago

    Excellent video!!!! Can you please share videos related to PKI as well....

  • @nithyanadhamsingaravadivel8547 2 years ago

    Hi Sir, can we configure this tool with ADFS to test single sign-on as well? If yes, may I know how to do it?

    • @ConceptsWork 2 years ago

      Can you share some more details? Please list down the exact use case.

    • @nithyanadhamsingaravadivel8547 2 years ago

      @@ConceptsWork The reason why I wanted to check single sign-on behaviour using the Claims X-Ray tool is given below.
      We have a third-party application integrated with ADFS, and single sign-on is not working for that application. The application team is claiming there are issues with the ADFS server. If I could prove that SSO is working with the Claims X-Ray tool added in ADFS, then I can isolate the reported SSO issue for that third-party application as not being because of the ADFS server but because of the third-party application settings.

    • @ConceptsWork 2 years ago

      What you need to do is add all the URLs required for the application to work, as well as your ADFS URL, in the Trusted Sites zone, then make sure automatic sign-in is enabled in the IE settings; if you are using Edge this should work out of the box.
      At times it can also be a possibility that the application is requesting a forced login.
      For example, those applications which use SAML can ingest one parameter in the SAML request, like password.
      Check this for reference - docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.samlauthenticationstatement.authenticationmethod?view=netframework-4.8#remarks

    • @nithyanadhamsingaravadivel8547 2 years ago

      @@ConceptsWork Many thanks for your suggestions, I will definitely take a look at it.
      There are a few other questions I would like to clarify with you.
      If we want to have SSO in any application using ADFS for authentication, does that application only need to use Windows Integrated Authentication when sending the authentication request to the ADFS server? If yes, can that application use Windows Integrated Authentication with either the WS-Fed or SAML protocol to send the authentication request?

  • @kashifflavio1 5 years ago +1

    Great explanations and well taught. I have a question.
    When we use the ADFS X-Ray tool and select SAML as "Token request", it doesn't give any error on the page even if there is no relying party trust, and we are able to sign in to the page.

    • @ConceptsWork 5 years ago

      Hello Kashif, please verify again whether there is a relying party trust added or not.
      This cannot be possible, because the identifier of the relying party is matched for every authentication request.
      Also, reach us at learnconceptswork@gmail.com

    • @kashifflavio1 5 years ago

      @@ConceptsWork I have verified there is no relying party trust. Actually, when I select WS-FED it gives the error on the first page like you show in your video. But if I select SAML it doesn't give an error on the first page after redirection. It shows an option to enter credentials, and we do see a sign-in page the same as idpinitiatedsignonpage.aspx.

  • @stefanb.7781 5 years ago +1

    Thanks for the great videos, and two questions, because something is not fully clear to me:
    1. Where is it specified exactly which attributes are forwarded as claims initially by this default "Issue all claims" rule? There are 17 attributes (claims) returned by the ADFS - where is it defined that exactly these attributes, and some other ones, are provided?
    2. After creating this "Department" claim definition, shouldn't the "department" attribute be returned by default by this "Issue all claims" rule? Why did you have to create a dedicated issuance rule for that?
    Thanks again!

    • @ConceptsWork 5 years ago +1

      There are multiple rules that are created by default for the claims provider trust. To check all the mappings, please refer to the claim rules created on the claims provider trust. I will be covering this claim processing in a separate video which will be posted very soon.
      Thanks!

    • @stefanb.7781 5 years ago

      Thanks a lot, I really appreciate your fantastic job.

  • @abhishekupadhyay8429 5 years ago +1

    I have a question, sir: is that new claim 'department' being added in the federation metadata which is added to the application, or in the application metadata?

    • @ConceptsWork 5 years ago

      The new claim ("Department") is added in the federation metadata of the ADFS server.
      The purpose of adding the department attribute is to make sure ADFS can issue a claim named "department".
      Steps to reproduce the use case:
      Step 1) Take a dump of the federation metadata of the ADFS server without adding any custom claim description.
      Step 2) Add a custom claim description in ADFS.
      Step 3) Again take the federation metadata dump of ADFS.
      Now match the two federation metadata files and you will find the difference in the second one.
      For the application, this will be a claim that will be included in the token which will be sent by ADFS.
      Watch the same video from 16:57, where I have compared both the tokens.
      Thanks..!!

    • @abhishekupadhyay8429 5 years ago

      @@ConceptsWork Thanks for your reply. The only confusion I have is: does the application request that additional claim through its metadata, or is there any other process?

    • @ConceptsWork 5 years ago

      "Sending a custom claim" is a process that has to be done on ADFS, not on the application.
      ADFS issues claims as per the claim rules configured per relying party trust.
      When the application requests a token, it doesn't specify a list of claims in the authentication request.
      It all depends upon the claim rules that are configured for the specific relying party trust.

    • @abhishekupadhyay8429 5 years ago +1

      @@ConceptsWork Thanks, now it's clear.

  • @raviricky20 4 years ago

    Hi, I have some confusion: when you need to have a federation, you need to share the metadata of the ADFS with the app and the app's metadata with ADFS for the RPT (you used the script to do that); how did the website come to know the XML file for the ADFS for its metadata, which wasn't shared?
    Am I missing something?

    • @ConceptsWork 4 years ago +1

      This is a tool designed by Microsoft; the script that I ran was to create a relying party trust.
      Since this is the troubleshooting tool, it has the intelligence built in to add "adfs/ls/" in the request which is sent to your ADFS server.

  • @adityamajeti8377 4 years ago

    Excellent video series, all your videos made my ADFS understanding so easy. Can you please clear my doubt: I created a Department claim in the claim descriptions and added it to ClaimsXray as a new rule. But after a successful login, I'm unable to see that claim in the claims section. I didn't get what went wrong. Can you please suggest what may be missed? Thank you

  • @chrisgaming5306 5 years ago +1

    Really really good stuff!

  • @liloneoro 5 years ago +2

    really good video!

    • @ConceptsWork 5 years ago

      Thanks for your kind words.

  • @bask789 5 years ago +1

    Nice job, keep it up. I have a question to ask: I am getting the error "404 - File or directory not found" when choosing "SAML-P (SAML 2.0)" under Token request, but it gets through with "WS-FED (SAML 1.1)". This is on W2008R2; do you know what is missing in my ADFS 2.0 environment which is causing this issue? I appreciate all the great work demonstrated here.

    • @ConceptsWork 5 years ago

      If possible, please share some screenshots at learnconceptswork@gmail.com

  • @sandeshkadam2512 4 years ago

    Hello
    Great video, very good information.
    I do have one question.
    You have shown us how to add a Claim Description (Department) if it is not there, so that you can map it with an LDAP attribute in a claim rule if the application vendor insists on this claim.
    In my environment, I have added a claim rule (Send LDAP Attributes as Claims) and mapped sAMAccountName with uid,
    and then checked whether I was getting this claim using Claims X-Ray, and I am able to see the uid claim with the sAMAccountName value.
    But I don't understand how it takes uid as a claim, as uid is not defined in the claim descriptions. Can you please help me to understand how it took uid as a claim (as uid is not listed in the claim descriptions on my ADFS server)?

    • @ConceptsWork 4 years ago

      This is not expected behavior. I hope the rule below is the one that was created on ADFS when you defined the mapping without a claim description:
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
      => issue(store = "Active Directory", types = ("uid"), query = ";sAMAccountName;{0}", param = c.Value);
      And as per the behavior, you must get an error like -
      -----------------------------
      The Federation Service encountered an error while processing the WS-Trust request.
      Request type: schemas.microsoft.com/idfx/requesttype/issue
      Additional Data
      Exception details:
      System.ArgumentException: ID4216: The ClaimType 'uid' must be of format 'namespace'/'name'.
      Parameter name: claimType
      at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
      at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
      at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
      ----------------------------------
      This requires a lot more details to be checked, e.g. which version of ADFS you are using; also, please reach us at learnconceptswork@gmail.com
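
As an added example that is not code from the video or from any comment above: the metadata-diff procedure ConceptsWork describes in the @abhishekupadhyay8429 thread (dump the federation metadata before and after adding a claim description, then compare) and the "namespace/name" claim type check behind error ID4216 in this thread, in Python. The two federation metadata documents, the entityID adfs.example.test and the claim rule string are constructed samples; the format check is an approximation of the ADFS validator written for this example, not its actual code.

```python
"""Two checks on ADFS claim types (added example, not from the video or the
comments): diff ClaimTypesOffered between two federation metadata dumps, and
test claim type URIs for the 'namespace/name' shape that error ID4216
enforces. The metadata documents and the claim rule below are CONSTRUCTED
samples, not real dumps."""
import re
import xml.etree.ElementTree as ET

# WS-Federation authorization namespace used for auth:ClaimType elements
AUTH_NS = "http://docs.oasis-open.org/wsfed/authorization/200706"


def offered_claim_types(metadata_xml: str) -> dict:
    """Map every advertised claim type URI to its DisplayName.

    Walks the whole tree rather than a fixed path, because real metadata
    nests ClaimTypesOffered under one or more RoleDescriptor elements."""
    root = ET.fromstring(metadata_xml)
    offered = {}
    for claim in root.iter(f"{{{AUTH_NS}}}ClaimType"):
        name_el = claim.find(f"{{{AUTH_NS}}}DisplayName")
        offered[claim.get("Uri")] = name_el.text if name_el is not None else ""
    return offered


def diff_claim_types(before_xml: str, after_xml: str) -> dict:
    """Steps 1-3 of the procedure in the thread: compare two dumps and
    report which claim type URIs appeared or disappeared."""
    before = set(offered_claim_types(before_xml))
    after = set(offered_claim_types(after_xml))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def is_valid_claim_type(uri: str) -> bool:
    """Approximation (assumed here) of the ID4216 rule: the claim type must
    look like 'namespace/name', so a bare word such as 'uid' is rejected."""
    if not uri or "/" not in uri:
        return False
    namespace, _, name = uri.rpartition("/")
    return bool(namespace.strip()) and bool(name.strip())


def invalid_types_in_rule(rule: str) -> list:
    """Pull the types = ("...") list out of a claim rule language statement
    and return the claim types that would fail the format check."""
    match = re.search(r'types\s*=\s*\(([^)]*)\)', rule)
    if not match:
        return []
    types = re.findall(r'"([^"]*)"', match.group(1))
    return [t for t in types if not is_valid_claim_type(t)]


def _metadata(claim_types) -> str:
    """Build a minimal, CONSTRUCTED federation metadata document."""
    items = "".join(
        f'<auth:ClaimType Uri="{uri}" Optional="true">'
        f"<auth:DisplayName>{name}</auth:DisplayName></auth:ClaimType>"
        for uri, name in claim_types
    )
    return (
        '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
        'entityID="http://adfs.example.test/adfs/services/trust">'
        '<RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" '
        f'xmlns:auth="{AUTH_NS}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xsi:type="fed:SecurityTokenServiceType">'
        f"<fed:ClaimTypesOffered>{items}</fed:ClaimTypesOffered>"
        "</RoleDescriptor></EntityDescriptor>"
    )


DEFAULT_CLAIMS = [
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "E-Mail Address"),
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "UPN"),
]
# Constructed dumps: before and after adding the custom "Department" claim description
BEFORE_XML = _metadata(DEFAULT_CLAIMS)
AFTER_XML = _metadata(
    DEFAULT_CLAIMS + [("http://schemas.microsoft.com/claims/department", "Department")]
)

# Constructed version of the rule quoted in the thread (URI scheme restored)
SAMPLE_RULE = (
    'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", '
    'Issuer == "AD AUTHORITY"]\n'
    '=> issue(store = "Active Directory", types = ("uid"), '
    'query = ";sAMAccountName;{0}", param = c.Value);'
)

if __name__ == "__main__":
    print("metadata diff:", diff_claim_types(BEFORE_XML, AFTER_XML))
    print("claim types rejected by format check:", invalid_types_in_rule(SAMPLE_RULE))
```

Against a real farm, BEFORE_XML and AFTER_XML would be the body of https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml saved before and after the claim description is added; the diff then shows the new Uri appearing under ClaimTypesOffered, and the format check explains why a rule issuing a bare type such as "uid" fails with ID4216 rather than producing a claim.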

  • @roidelalune01 4 years ago +1

    Hi sir, I really appreciate your video series, they are very helpful. I have a question: when you query the ADFS server from the X-Ray app, is your ADFS registered in DNS? Just to make sure.

    • @ConceptsWork 4 years ago +2

      Hello Hicham, in my lab I have two NIC cards, one for the Internet and the other for the internal network.
      My ADFS is not available publicly, but below are the details of how it works:
      1) The user navigates to Claims X-Ray, the public tool, through the external NIC.
      2) Claims X-Ray redirects the user agent to the ADFS page, and the client is able to reach it because I have added a hosts file entry on the client machine.
      3) To reach ADFS, the internal one is used.

    • @roidelalune01 4 years ago

      @@ConceptsWork Ok! Many, many thanks! Please, keep going...!

  • @buddyguy6816 4 years ago

    Thank you for the great series again! I have 2 questions:
    1. Why did we type "schemas.microsoft.com/claims/department" while we were adding the new claim description? What are the other options?
    2. How did the adfshelp site get our token-signing certificate? We didn't export/import anything. Did it get it from the metadata? If so, is this metadata exchange automatic for all Service Providers?

  • @mohamedhussien9070 3 years ago +1

    great

  • @SandeepPal-sv4uc 3 years ago

    Could you please provide me the IP settings of all the servers?