Microsoft does not recommend deploying new instances of AD FS. Instead they encourage you to consider Entra ID. Information on using Entra ID with SAFIRE.
Note: While it is possible to use ADFS with SAFIRE, it has known interoperatability problems with the sort of multi-party federation used in the R&E world. SAFIRE’s architecture shields you from some of these effects, but you do sacrifice some flexibility and control.
In order to configure Active Directory Federation Services (ADFS) as an identity provider for SAFIRE, you need to do four things:
…
On the evening of Tuesday 11 January, we will deploy a number of changes to the SAFIRE Federation hub to allow for the bi-directional signalling of REFEDS MFA. No downtime is expected, and we do not anticipate any impact on any service- or identity-provider that does not currently support such signalling.
…
This page is intended to give you some ideas about how to generate eduPersonAffiliation and eduPersonScopedAffiliationi attribute that are useful to SAFIRE by reusing existing information you may already have in your internal directory services.
What’s shown below are SimpleSAMLphp config snippets, but the ideas translate to pretty much all identity provider software. If you’re not using SimpleSAMLphp, hopefully the comments help you understand what is going on. All the authproc filters shown here are documented in SimpleSAMLphp’s docs.
…
As a result of the baseline changes that occured in march 2021, it is no longer possible to directly integrate Google Workspace (G Suite) with SAFIRE without making schema changes. In particular, you would need to add support for the displayName and eduPersonScopedAffiliation attributes. As no current providers use Google Workspace, his document has not been updated to incorporate information on how to do that, nor has it been tested. It remains theoretically possible to integrate Google Workspace.
…
When asking for support, you may be asked to share a SAML trace to assist the support team in understanding your problem. This document gives step-by-step instructions on how to create one.
…
The Shibboleth Service Provider has good documentation, and so this is not a complete/worked example of how to configure it. Instead, this provides the SAFIRE-specific snippets you may need when working through that documentation.
Installing Shibboleth Service Provider Note that some package repositories ship out-of-date and vulnerable versions of the Shibboleth SP. However, the Swiss federation operator (SWITCHaai) maintains up-to-date packages for Debian and Ubuntu.
…
This page is intended to give you some ideas about how to generate an eduPersonPrincipal attribute that is useful to SAFIRE by reusing existing unique user identifiers from your internal directory services.
What’s shown below are SimpleSAMLphp config snippets, but the ideas translate to pretty much all identity provider software. If you’re not using SimpleSAMLphp, hopefully the comments help you understand what is going on. All the authproc filters shown here are documented in SimpleSAMLphp’s docs.
…
This document intends to be a quick primer on SAML for those who want to get on with the rest of their todo list.
SAML seems big and scary, because it has a lot of decisions and moving parts. But the reality is that many of these decisions have already been made for you, and you don’t need to know about the moving parts to make it work for you. Thus this primer attempts to distill out the most important bits in a way that’s easy to skim.
…