Use of Microsoft AD FS in the UK federation

The UK federation has, to the best of our knowledge, no Microsoft AD FS (Active Directory Federation Services) IdPs running in full production - although there appear to be some in other federations which operate in a different manner.

The UK federation is unable to provide deployment or configuration support to anyone who attempts to use Microsoft AD FS as a SAML IdP, so only those who understand the issues detailed below, and how to work around them, should ever attempt to use it as such. However, if you are willing to deploy and maintain the AD FS software, we are able to register SAML metadata for the IdP and we can provide interoperability support.

Here's a list of the issues that we've so far uncovered in Microsoft AD FS v4 (Windows Server 2016):

1) Updating of UK federation metadata is done using a third-party PowerShell script; we cannot vouch for the reliability or security of this. (Note: information on a complex workaround using Metadata Query (MDQ) can be found here.)

2) It doesn't check the signature that we put on the metadata, so there is a risk that the metadata can be intercepted and altered in transit (a man-in-the-middle attack).

3) It requires that the metadata comes from a location that is HTTPS-protected, and we do not distribute metadata that way in the UK federation (our trust model relies on the metadata being digitally signed rather than on transport security).

4) It doesn't support more than one certificate per entity, so any time a Service Provider (SP) does certificate rollover, access to that SP will break for the period of the rollover. It is very unlikely you will get any advance warning of the breakage either, as certificate rollover is usually a transparent process that happens in the background.

5) It doesn't support the same certificate on multiple entities, which some entities in the UK federation have (if, for example, they have closely connected development, staging and production servers, or if they're managed by a third party with a common system/configuration). You will not be able to interoperate with these entities.

6) It doesn't support some of the newer features within federation metadata such as entity attributes, which can streamline attribute release policies.

7) It adds the entities into the main 'AD FS snap-in/management panel', which means it will be possible for deployers to hand-edit the metadata after consuming an aggregate.
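As an added example (not the UK federation's own tooling, and nothing from the AD FS product), the Python script below runs the checks a deployer would want before pointing AD FS at an aggregate: whether the aggregate carries the signature that AD FS will not verify (issue 2), which entities are mid-rollover with more than one distinct certificate (issue 4), and which certificate is shared by several entities (issue 5). It works on a constructed three-entity aggregate with placeholder certificate values rather than real metadata.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample aggregate (not real UK federation metadata): sp-a is mid-rollover with two
# certificates; sp-b and sp-c share one certificate, with differing whitespace in the PEM body.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="constructed-example">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://sp-a.example.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-OLD</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-NEW</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        CERT-SHARED
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-c.example.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-SHARED</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def analyse_aggregate(xml_text):
    root = ET.fromstring(xml_text)
    certs_by_entity, entities_by_cert = {}, defaultdict(set)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entity_id = ed.get("entityID")
        # Normalise whitespace so the same certificate compares equal wherever it appears.
        certs = {"".join((c.text or "").split())
                 for c in ed.iter("{%s}X509Certificate" % NS["ds"])}
        certs_by_entity[entity_id] = certs
        for cert in certs:
            entities_by_cert[cert].add(entity_id)
    return {
        # Presence of the aggregate-level signature only (AD FS ignores it); verifying it needs an XML-DSig library.
        "signed": root.find("ds:Signature", NS) is not None,
        # Issue 4: entities mid-rollover (more than one distinct certificate) that AD FS cannot represent.
        "multi_cert_entities": sorted(e for e, cs in certs_by_entity.items() if len(cs) > 1),
        # Issue 5: one certificate carried by several entities, which AD FS rejects.
        "shared_certs": {c: sorted(es) for c, es in entities_by_cert.items() if len(es) > 1},
    }
```

Run it against a downloaded aggregate instead of SAMPLE_AGGREGATE to list, ahead of time, the SPs that an AD FS IdP will stop interoperating with.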

InCommon have also investigated Microsoft AD FS and found similar issues.

Earlier versions of Microsoft AD FS are presumably even less capable and more problematic.