Just remember, you used up all your red pixels on my last article. So David has nothing to fear.
Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Michael Smith <mich...@smithcons.com>
Reply-To: NT Issues <ntsysadmin@lyris.sunbelt-software.com>
Date: Tue, 17 Jan 2012 20:55:24 +0000
To: NT Issues <ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: ADFS + SAML 2.0 w/ Concur = success!

Hehehehehe. I didn't tell him about that part. He has sent the raw document to me. I haven't had time to review it yet.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 17, 2012 3:46 PM
To: NT System Admin Issues
Subject: RE: ADFS + SAML 2.0 w/ Concur = success!

How's your first blog post coming? A lot of my articles cover 5 to 30 minute processes and it can take a couple of weeks to several months to go thru the entire writing process [1].

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

1. i.e. cleaning up all of MBS' red ink from shredding my articles to pieces

From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, January 17, 2012 1:16 AM
To: NT System Admin Issues
Subject: RE: ADFS + SAML 2.0 w/ Concur = success!

2 hours of screenshots and obfuscation and I am only just now 90% done, I'll finish mañana. Takes less time to do it (the 2nd time) than document it! When I got it working Friday I then thought about why it took me a damn week to get it. Documenting it I see the multiple places that easily tripped me up so looking back now I can see how it took 40-ish hours to get it right.

Dave

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, January 16, 2012 4:35 PM
To: NT System Admin Issues
Subject: RE: ADFS + SAML 2.0 w/ Concur = success!

I want to know this myself. :)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Monday, January 16, 2012 4:15 PM
To: NT System Admin Issues
Subject: Re: ADFS + SAML 2.0 w/ Concur = success!

He's been made an offer that he can't [see: shouldn't] refuse!

--
Espi

On Mon, Jan 16, 2012 at 1:08 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

Now there's an offer you don't see every day.

On Mon, Jan 16, 2012 at 12:47, Michael B. Smith <mich...@smithcons.com> wrote:
> Happy to feature you as a guest author.
>
> Sent from my HTC Tilt™ 2, a Windows® phone from AT&T
>
> -----Original Message-----
> From: David Lum <david....@nwea.org>
> Sent: Monday, January 16, 2012 2:38 PM
> To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
> Subject: RE: ADFS + SAML 2.0 w/ Concur = success!
>
> If I had a blog, I would. My internal document is far more detailed :-)
>
> Dave
>
> -----Original Message-----
> From: Webster [mailto:webs...@carlwebster.com]
> Sent: Monday, January 16, 2012 11:10 AM
> To: NT System Admin Issues
> Subject: RE: ADFS + SAML 2.0 w/ Concur = success!
>
> Now write that up with screen shots and you have a blog article that can be useful to many others.
>
> Carl Webster
> Consultant and Citrix Technology Professional
> http://www.CarlWebster.com
>
>> -----Original Message-----
>> From: David Lum [mailto:david....@nwea.org]
>> Sent: Monday, January 16, 2012 11:56 AM
>> To: NT System Admin Issues
>> Subject: ADFS + SAML 2.0 w/ Concur = success!
>>
>> As you guys know, after much gnashing on this list I was finally able to get SAML working with ADFS. What took too-many hours of banging on it can now be done soup-to-nuts (including building a server OS from scratch - just to make sure I have the steps right) in two hours.
>>
>> There were a couple of tripping points if you are new to this kind of thing:
>>
>> 1. Download ADFS 2.0, the ADFS role in 2008 R2 looks different and is likely 1.1 and not 2.0 (Google-Fu gives me conflicting info)
>>
>> 2. During configuration, ADFS 2.0 by default assigns self-signed "token-signing" and "token-decrypting" certificates, so even if you assign an appropriate 3rd party certificate for Service Communications in ADFS, the other two certificates need to be manually reconfigured. This requires you to turn off "automatic certificate rollover" by using a PowerShell script (the PS commands are provided in the error message, you'd think they could offer a little add-in "would you like this change to be made?" you just click OK to). Once you run this script you can then add the certificates, and then you need to assign them as "primary". [1][2]
>>
>> 3. In ADFS there is also a step where you assign the Federation Service Name, and in our case I used a wildcard cert but the service name needs to be an explicit host. Whatever name is assigned here (say SingleSignOn.nwea.org) an appropriate DNS entry (in my case a CName) needs to be assigned so the DNS resolves appropriately.
>>
>> 4. In this particular case, I had to make sure I did NOT assign an encryption certificate for the relying party
>>
>> 5. The secure hash algorithm needs to match the vendor (SHA-1 or SHA-256).
>>
>> Other than that, it is almost straightforward, LOL. I built a 2nd machine this morning from scratch - including OS install - to operating SSO server in about 2 hours (had to confirm/refine my "build from scratch" documentation).
>>
>> David Lum
>> Systems Engineer // NWEA™
>> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>>
>> [1] There may be a way to do this during setup in ADFS, but I didn't see it as I was stepping through.
>> [2] It was this step that gave us "invalid certificate was sent to relying party" errors.
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe ntsysadmin
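Items 2 through 5 of David Lum's original post (turn off automatic certificate rollover, add the third-party token-signing and token-decrypting certificates and make them primary, make sure the Federation Service Name resolves, leave the relying party without an encryption certificate, and match the vendor's hash) are all things the ADFS 2.0 PowerShell snap-in can do and verify. The script below is an added example written for this thread, not code from the list or from David's document. The thumbprints, host name and relying party display name are placeholders you would replace; that passing `$null` to `-EncryptionCertificate` is how you clear the certificate is an assumption, so the script only warns about it.

```powershell
# Added example (not from the thread): ADFS 2.0 post-setup fixes and checks
# for tripping points 2 through 5 in David Lum's list. Run in an elevated
# PowerShell on the ADFS 2.0 server. Every value in the block below is a
# placeholder or an assumption, not something taken from the thread.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# --- Assumed values: replace with your own ---
$ThumbprintSigning  = '<THUMBPRINT-OF-3RD-PARTY-TOKEN-SIGNING-CERT>'    # placeholder
$ThumbprintDecrypt  = '<THUMBPRINT-OF-3RD-PARTY-TOKEN-DECRYPTING-CERT>' # placeholder
$FederationHostName = 'singlesignon.example.com'  # explicit host, not the wildcard (item 3)
$RelyingPartyName   = 'Concur'                     # display name of the relying party trust
$VendorHash         = 'SHA-1'                      # or 'SHA-256': whatever the vendor uses (item 5)

# Item 2: ADFS 2.0 will not accept manually chosen token certificates while
# automatic certificate rollover is on, so switch it off first.
Set-ADFSProperties -AutoCertificateRollover $false

# Add the third-party certificates (they must already be in LocalMachine\My,
# with the ADFS service account granted read access to the private key) and
# make each one primary. Footnote [2] of the post: leaving the self-signed
# ones primary is what produces "invalid certificate was sent to relying party".
foreach ($pair in @(@{ Type = 'Token-Signing';    Thumb = $ThumbprintSigning },
                    @{ Type = 'Token-Decrypting'; Thumb = $ThumbprintDecrypt })) {
    $existing = Get-ADFSCertificate -CertificateType $pair.Type |
                Where-Object { $_.Thumbprint -eq $pair.Thumb }
    if (-not $existing) {
        Add-ADFSCertificate -CertificateType $pair.Type -Thumbprint $pair.Thumb
    }
    Set-ADFSCertificate -CertificateType $pair.Type -Thumbprint $pair.Thumb -IsPrimary
}

# Verify: report which certificate is now primary for each type and who issued it.
# A self-signed issuer here means the change did not take.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $primary = Get-ADFSCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
    "$type primary: $($primary.Thumbprint) (issuer: $($primary.Certificate.Issuer))"
}

# Item 3: the Federation Service Name must resolve in DNS (CNAME or A record).
# [System.Net.Dns] is used because Resolve-DnsName is not available on 2008 R2.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($FederationHostName)
    "$FederationHostName resolves to $($addrs -join ', ')"
} catch {
    Write-Warning "$FederationHostName does not resolve; add the DNS record before testing SSO"
}

# Items 4 and 5: the relying party must carry no encryption certificate and
# must sign with the hash algorithm the vendor expects.
$rp = Get-ADFSRelyingPartyTrust -Name $RelyingPartyName
if ($rp -eq $null) {
    Write-Warning "No relying party trust named '$RelyingPartyName' was found"
} else {
    if ($rp.EncryptionCertificate) {
        # Remove it in the ADFS console (Relying Party Trust > Properties > Encryption).
        Write-Warning "$RelyingPartyName has an encryption certificate set; remove it (item 4)"
    }
    $wantAlg = if ($VendorHash -eq 'SHA-256') { 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' }
               else                            { 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' }
    if ($rp.SignatureAlgorithm -ne $wantAlg) {
        Set-ADFSRelyingPartyTrust -TargetName $RelyingPartyName -SignatureAlgorithm $wantAlg
        "$RelyingPartyName signature algorithm set to $wantAlg"
    }
}
```

The order matters: `Set-ADFSProperties -AutoCertificateRollover $false` has to run before `Add-ADFSCertificate`, which is the step the error message in item 2 points you at. After the script, re-export the federation metadata (or re-send the public half of the new token-signing certificate) to the vendor, since the relying party will otherwise still trust the old self-signed signer.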