AD FS in Windows Server 2016 contains additional SAML protocol support, including support for importing trusts based on metadata that contains multiple entities. This enables you to configure AD FS to participate in confederations such as InCommon Federation and other implementations conforming to the eGov 2.0 standard.
The new capability is based on groups of relying party or claims provider trusts. Each group is an EntitiesDescriptor (<md:EntitiesDescriptor>) element as specified in the eGov 2.0 profile, containing one or more EntityDescriptor elements. The trusts in a group share common authorization rules; all other properties can be modified as on individual trust objects.
Once the trust groups are imported into AD FS, AD FS automatically updates the trusts as a group based on the metadata document.
Enabling these scenarios is as simple as using the new PowerShell cmdlets that add and remove AdfsClaimsProviderTrustsGroup and AdfsRelyingPartyTrustsGroup objects: Add-AdfsClaimsProviderTrustsGroup, Remove-AdfsClaimsProviderTrustsGroup, Add-AdfsRelyingPartyTrustsGroup and Remove-AdfsRelyingPartyTrustsGroup. The metadata can be supplied either as a URL or as a local file, as shown in the examples below.
Add-AdfsClaimsProviderTrustsGroup -MetadataUrl "https://www.contosoconsortium.com/metadata/metadata.xml"
Add-AdfsClaimsProviderTrustsGroup -MetadataFile "C:\metadata.xml"
Additionally, AD FS 2016 supports the SAML Scoping element as described in the SAML Core specification, section 3.4.1.2. This element allows a relying party to specify one or more identity providers for an authentication request.
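Because a single group document can create many trusts at once, it is worth inventorying what an EntitiesDescriptor contains before handing it to Add-AdfsClaimsProviderTrustsGroup or Add-AdfsRelyingPartyTrustsGroup. The following Python script is an added example, not Microsoft's code: it parses a constructed sample federation document, lists each EntityDescriptor with its role (IdP or SP), whether it publishes a signing certificate, and whether its own validUntil has passed, and reports whether the document carries an XML Signature element (presence only; it does not verify the signature). The entity IDs and federation name are made up.

```python
"""Inventory the members of a SAML 2.0 EntitiesDescriptor (trust group) document."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: one federation document with an IdP and an SP; the SP's
# own validUntil is already in the past, and the document itself is unsigned.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:consortium"
  validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-placeholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth" validUntil="2020-01-01T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def inventory(xml_text, now=None):
    """Return the group name, whether a ds:Signature is present, and one record
    per EntityDescriptor (entityID, roles, signing cert present, expired)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntitiesDescriptor":
        raise ValueError("expected an EntitiesDescriptor (trust group) document")
    entities = []
    for ent in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        roles = []
        if ent.find("md:IDPSSODescriptor", NS) is not None:
            roles.append("IdP")
        if ent.find("md:SPSSODescriptor", NS) is not None:
            roles.append("SP")
        cert = ent.find(".//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        valid_until = ent.get("validUntil")
        expired = bool(valid_until) and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now
        entities.append({"entityID": ent.get("entityID"), "roles": roles,
                         "has_signing_cert": cert is not None, "expired": expired})
    return {"name": root.get("Name"), "signed": root.find("ds:Signature", NS) is not None,
            "entities": entities}


if __name__ == "__main__":
    for record in inventory(SAMPLE_METADATA)["entities"]:
        print(record)
```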
The eGov 2.0 profile can be found here.
The SAML Core specification can be found here.