This section outlines the steps necessary to enable ADFS as IDP.
Avi Load Balancer as SP and ADFS as IdP
The sequence of events from the user access request is illustrated here:
Prerequisites
Set up the ADFS server and the service account for it.
Ensure the SSL certificate has been installed and that the server is accessible over HTTPS, with an FQDN name the same as the CN in the certificate.
Test your ADFS server by following this URI format, https://<adfs_fqdn>/adfs/fs/federationserverservice.asmx It will render the output as shown in the image below.
Configuring ADFS As IdP
Open the ADFS management console.
Under Trust Relationships, right click Relying party trusts and select Add Relying Party Trust.
The Add Relying Party Trust Wizard opens.
Add Relying Party Trust
Click Start in the Welcome screen.
Select the Enter data about the relying party manually option in the Select Data Source screen and click Next.
On the next screen, provide Display Name and click Next.
Select the AD FS profile option in the Choose Profile screen and click Next.
Click Next on Configure Certificate screen.
On the Configure URL screen, select Enable support for the SAML 2.0 WebSSO protocol and enter the SP URL as shown below. This must match the SSO URL on SP.
Enter the Relying party trust identifier in the Configure Identifiers screen. It must be same as the entity ID on your SP.
Choose the first option as shown below and click Next.
Select the Permit all users to access this relying party option in the Choose Issuance Authorization Rules screen and click Next.
Click Next on Ready to Add Trust screen.
Click Close.
The Edit Claim Rules wizard appears.
Edit Claim Rules
In the Edit Claim Rules Wizard, click Add Rule.
Make a selection from the Claim rule template drop-down menu in the Select Rule Template screen and click Next.
On the Configure Rule screen, add the name, choose the Attribute store and add the mapping of required attributes as shown in the screenshot below.
Click OK. Click Apply and click OK again.
Properties
Right click the App name and select Properties from the drop-down menu.
Select the Endpoints tab and add the SSO URL as shown in the screenshot below. This must match the SSO URL on SP.
Check the Identifier to make sure it is correct and match the Entity ID. Now your IDP is ready.
Metadata can be downloaded from this link:https://<adfs_fqdn>/FederationMetadata/2007-06/FederationMetadata.xml.
Once configuration is complete on ADFS, configure an Avi Load Balancer virtual service to act as service provider by following the instructions given in the SAML Configuration on Avi Load Balancer in this guide.