Commit 576070b5 authored by Mario Hernandez

Update Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating_SimpleSAMLphp_with_ADFS_2012R2.md

parent 6064124b
......@@ -55,3 +55,102 @@ Note: Did you notice the pattern? We copied the data from the saml20-idp-remote
9. Paste the converted metadata at the bottom of the file then save it.
![Image4](/Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating SimpleSAMLphp with ADFS 2012R2 - lewisroberts.com_html_9bca4f9ad3bcc559.png)
Create a service provider configuration in SimpleSAMLphp
-----------------------------------------------------------
1. Navigate to your SimpleSAMLphp installation folder on the IIS server and open the config folder.
![Image4](/Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating SimpleSAMLphp with ADFS 2012R2 - lewisroberts.com_html_bc29ae2157b093ad.png)
2. Open authsources.php in your favourite text editor.
![Image4](/Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating SimpleSAMLphp with ADFS 2012R2 - lewisroberts.com_html_1f3abe463a5168e3.png)
3. I’m not going to repeat much of what I wrote in the post preceding this one where I added a Service Provider for Azure AD. Here, we will create a service provider configuration that uses our ADFS server. There are some differences in the configuration between Azure AD and ADFS 2012R2. The name of your SP is your choice, mine is called transishun-sp.
```php
// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs. If you make any configuration changes, you will need
// to update the RPT at the IdP.
'transishun-sp' => array(
'saml:SP',
// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
'entityID' => null,
// The entity ID of the IdP this should SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
'idp' => 'http://fs.transishun.co.uk/adfs/services/trust',
// The URL to the discovery service.
// Can be NULL/unset, in which case a builtin discovery service will be used.
'discoURL' => null,
// ADFS 2012R2 requires signing of the logout - the others are optional (may be overhead you don't want.)
'sign.logout' => TRUE,
'redirect.sign' => TRUE,
'assertion.encryption' => TRUE,
// We now need a certificate and key. The following command (executed on Linux usually)
// creates a self-signed cert and key, using SHA256, valid for 2 years.
// openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout my.key -out my.pem
'privatekey' => 'my.key',
'certificate' => 'my.pem',
// Enforce the use of SHA-256 by default.
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
),
```
4. Here is how the code looks inside my authsources.php file.
![Image4](/Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating SimpleSAMLphp with ADFS 2012R2 - lewisroberts.com_html_2c0e0def3940b89f.png)
5. You will notice that the SP code defines that we must sign.logout, redirect.sign and assertion.encryption. All of these declarations mean we need a certificate and key to sign and encrypt these communications. We’ll create the certificate and key in the next section.
6. The final declaration enforces the use of SHA-256 which is best practice.
Creating a certificate and key file for signing and encryption
------------------------------------------------------------------
I mentioned in the requirements that you would need a Linux machine. Again, if you need one, just spin one up on Azure, I did.
![Image4](/Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating SimpleSAMLphp with ADFS 2012R2 - lewisroberts.com_html_25cc946b8ec1e5da.png)
1. Log on to your Linux machine. Use Putty to log on via SSH.
![Image4](/Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating SimpleSAMLphp with ADFS 2012R2 - lewisroberts.com_html_80081f6d78a1c40a.png)
2. Create a directory called cert and change in to it.
![Image4](/Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating SimpleSAMLphp with ADFS 2012R2 - lewisroberts.com_html_305e52eeeabe70fe.png)
3. If you recall from the SP definition code at the end of previous section, I provided an example command for generating a two year certificate and key:
```sh
openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout my.key -out my.pem
```
I extrapolated this from the documentation on the SimpleSAMLphp website in section 1.1. If you’re using this in a production environment, generate a key and cert that will last. The SimpleSAMLphp documentation suggests 10 years.
4. Run the command to create the key and certificate. You will be asked a number of questions, answer these however you like, this cert and key is only used for signing and encrypting on the SP. My run through is shown below.
![Image4](/Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating SimpleSAMLphp with ADFS 2012R2 - lewisroberts.com_html_440e7d63336464d6.png)
5. Now you need to download the my.key and my.pem files. There’s a number of ways but since they’re just text, I usually just cat them to screen and copy/paste from the Putty console in to a file on my local machine.
![Image4](/Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating SimpleSAMLphp with ADFS 2012R2 - lewisroberts.com_html_d2955f66a71f804e.png)
6. NB: Don’t get too excited, this is an example key, I don’t use this one myself.
Navigate to the SimpleSAMLphp installation folder and create a folder called cert.
![Image4](/Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating SimpleSAMLphp with ADFS 2012R2 - lewisroberts.com_html_a1865969e0eeb8c4.png)
7. Copy the my.key and my.pem files in to the cert folder. These are the two files that we declared when we created the Service Provider configuration in authsources.php. The cert folder is the default location for certs and keys in SimpleSAMLphp as mentioned in the documentation.
![Image4](/Integrating_SimpleSAMLphp_with_ADFS_2012R2/Integrating SimpleSAMLphp with ADFS 2012R2 - lewisroberts.com_html_23488ae1952b763f.png)
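Review bot: The comment above the `idp` key in the `transishun-sp` block reads "The entity ID of the IdP this should SP should contact"; drop the duplicated "should" so it reads "the IdP this SP should contact". Two further points in the same hunk: the first comment says configuration changes require updating "the RPT at the IdP" without expanding the abbreviation, so spell out "Relying Party Trust (RPT)" on first use for readers coming from the SimpleSAMLphp side; and step 5 of the certificate section tells readers to `cat` my.key to the screen and copy it out of the Putty console. Since my.key is the private key the SP uses for `sign.logout`, `redirect.sign` and `assertion.encryption`, that step should also say to restrict permissions on the copied file once it is in the cert folder and, more explicitly than the "Don't get too excited" aside in step 6, that the key shown in the screenshot must not be reused. Finally, the inline comment says the `openssl` command produces a cert "valid for 2 years" while the prose after it recommends a longer lifetime for production; consider stating the recommended value in the comment too so the two do not disagree.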