Deployment Task

Locating ADFS Metadata

When configuring SAML authentication for Aqua using ADFS as your identity provider, collect the IdP Issuer name, the SP-Initiated SSO URL, and the public certificate.  ADFS conveniently publishes this information all in one place, allowing you to provide this information to your Aqua tenant with ease.  


Deployment Steps

ADFS Metadata Location

The metadata can be located by pointing your browser to a specific URL.  This URL will take the form of the following, substituting the fully qualified name of your ADFS host:


https://<ADFS_hostname>/federationmetadata/2007-06/federationmetadata.xml


After pointing your browser to this resource, the XML file should automatically download.  This is your Identity Provider metadata.


Locating the Issuer, SSO URL, and Certificate

Open the downloaded XML file in an editor for reading.  Locate the individual components.

Tip:  It may be easier to run the XML contents through an XML formatter for easier readability.


Issuer

The IdP Issuer is located on the first line of the metadata, labeled as "entityId".


SSO URL

The IdP SSO URL typically takes the form of the following. However, you should always go with what you find in the metadata, because the host may consider its fully qualified name to be different.

https://<ADFS_hostname>/adfs/ls


It will be located within the IDPSSODescriptor clause, within the SingleSignOnService  clause:


Certificate

The public certificate can be found near the end of the document, in a section called IDPSSODescriptor.  Nested within this clause is the KeyDescriptor for use="signing" .

Copy the certificate data between the XML tags and enter it into the certificate field on Aqua's SAML Integration page.