ADFS 3.0 relying party trust for cloud partner named SumTotal RRS feed

  • Question

  • Hello MS team,

    I have a customer who runs a ADFS 3.0 organization with multiple internal ADFS 3.0 servers in the internal network, DB is hosted in a SQL DB clusters, and multiple WAP servers across 2 sites.

    The company also created a relying party trust to allow SSO with a third party cloud partner named ServiceNow. By that time, the token signing certificate from my customer was exported and then sent to ServiceNow, when they proceeded to import the cert.

    Same customer needs to create a second relying party trust with another cloud partner named SumTotal. SumTotal sent their metadata file and one cert, and when we tried to create a new RP using their metadata file, we were unable to complete the setup and got an error. After further troubleshooting, we decided to manually create the RP with the help of their staff, however we cannot open their site. The metadata files have already been exchanged and SSO has been configured on both ends. However, while accessing the Stage site, the attached error page is displayed on ADFS page[page is being redirected to other SSO application[ServiceNow] with other RP

    Here are my questions:

    Since my client is the identity provider, do they have to share their token signing certificate and metadata file with the service provider in order to allow SSO and successfully access their application? if so, please elaborate

    Is the service provider [SumTotal] required to provide their metadata file and token signing? if so, should I import their certificate onto computer personals store in the WAP and internal ADFS servers?

    What are general steps that should be performed on both sites [Identity provider, and service provider] to allow SSO for a cloud application using ADFS 3.0?


    Tuesday, March 1, 2016 2:01 AM

All replies

  • You need to send them your Token-Signing certificate (the public key). It is actually embedded into your FederationMetadata.xml file. So just give them the address of your metadata file or download the XML file and send them to them. The URL is: https://<FQDN of your ADFS farm>/FederationMetadata/2007-06/FederationMetadata.xml

    Now you also need the equivalent of that file from them. If they do not have that file, they will have to give you all the information to create the trust manually on your side (URI, endpoints, certificate for encryption - if they use encryption, certificate for signing - if they use this feature as well).

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, March 2, 2016 3:43 PM