How to create federation metadata XML for “Relying Party Trust” and “Claims Provider Trusts” for ADFS 2.0

Backend · unresolved · 4 · 734
故里飘歌 2021-01-30 23:12

One of our web apps would like to connect with an ADFS 2.0 server to get a credential token and check the user roles based on that. The ADFS server admin asked us to

4 answers
  •  别跟我提以往
    2021-01-30 23:22

    I had to do this recently, having never used .Net or ADFS before, and having only the server (STS) metadata URL that I was trying to integrate with. I had a basic Windows 10 PC and was trying to set up a Node.js webapp as an RP. This is what I did:

    1. On the Win 10 PC, went to Control Panel -> Programs and Features -> Turn Windows features on or off -> Enable Windows Identity Foundation 3.5

    2. Installed Windows Identity Foundation SDK 4.0 (as referred to by the original author).

    3. Created a basic Web.config file which contained:

    4. In the SDK installation directory, I found FedUtil.exe and FedUtilSampleUserInput.xml. The sample file explained all the parameters that FedUtil.exe was going to ask for, which was very helpful.

    5. Launched FedUtil.exe as Administrator (right-click in File Explorer), providing the Web.config file I just created, the webapp URL, the server (STS) metadata URL as the "existing STS", and selecting to create a new default certificate.

    6. Lo and behold, a FederationMetadata.xml file was generated and my Web.config file was updated automatically.

    7. I then un-commented some of the claim types in the updated Web.config file and re-ran FedUtil.exe, which then updated my FederationMetadata.xml with the additional claim types that I needed from the STS (e.g., email, given name, surname).

    8. Provided the FederationMetadata.xml to the STS admin, which worked!

    The only downside is that this all required a Windows machine ... I'm not sure what I would have done on Mac or Linux!
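What FedUtil.exe hands the STS admin in step 8 is a WS-Federation relying-party metadata document: an EntityDescriptor whose RoleDescriptor is typed fed:ApplicationServiceType and carries the encryption certificate, the ClaimTypesRequested list from step 7 and the PassiveRequestorEndpoint the token is posted back to. The script below is an added example, not code from the original post or from the WIF SDK: it builds a document of that shape and then reads it back the way the ADFS side would, flagging the things worth checking before sending it off (an http endpoint, a missing encryption certificate, an empty claim list). APP_URL, CLAIMS and DEMO_CERT_B64 are constructed placeholders; the inspect and check functions go slightly beyond the post in that they work on any metadata of this shape, including one generated by FedUtil.

```python
"""Build and sanity-check a WS-Federation relying-party FederationMetadata.xml
of the shape FedUtil.exe generates for an ADFS 2.0 "Relying Party Trust".

Added example, not code from the original post. APP_URL, CLAIMS and
DEMO_CERT_B64 are constructed placeholders, not real values.
"""
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_FED = "http://docs.oasis-open.org/wsfed/federation/200706"
NS_AUTH = "http://docs.oasis-open.org/wsfed/authorization/200706"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
NS_WSA = "http://www.w3.org/2005/08/addressing"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Make the serializer emit the conventional prefixes instead of ns0, ns1, ...
for _prefix, _uri in (("", NS_MD), ("fed", NS_FED), ("auth", NS_AUTH),
                      ("ds", NS_DS), ("wsa", NS_WSA), ("xsi", NS_XSI)):
    ET.register_namespace(_prefix, _uri)

# Claims the RP asks the STS for: (claim URI, display name, optional?).
# "role" is the claim the original question wants to authorise on.
CLAIMS = [
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "Name", False),
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "E-Mail Address", True),
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "Given Name", True),
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Surname", True),
    ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Role", False),
]

APP_URL = "https://app.example.com/"   # constructed placeholder for the webapp URL
DEMO_CERT_B64 = "MIIC" + "A" * 60      # constructed placeholder, not a real certificate


def build_rp_metadata(app_url, cert_b64, claims):
    """Return FederationMetadata.xml text for a passive WS-Federation RP.

    Only the public certificate goes in (ADFS uses it to encrypt tokens for
    the RP); the private key never leaves the web server.
    """
    root = ET.Element(f"{{{NS_MD}}}EntityDescriptor",
                      {"ID": "_" + uuid.uuid4().hex, "entityID": app_url})
    role = ET.SubElement(root, f"{{{NS_MD}}}RoleDescriptor", {
        f"{{{NS_XSI}}}type": "fed:ApplicationServiceType",
        "protocolSupportEnumeration": NS_FED,
    })
    key = ET.SubElement(role, f"{{{NS_MD}}}KeyDescriptor", {"use": "encryption"})
    x509 = ET.SubElement(ET.SubElement(key, f"{{{NS_DS}}}KeyInfo"), f"{{{NS_DS}}}X509Data")
    ET.SubElement(x509, f"{{{NS_DS}}}X509Certificate").text = cert_b64
    requested = ET.SubElement(role, f"{{{NS_FED}}}ClaimTypesRequested")
    for uri, display, optional in claims:
        ct = ET.SubElement(requested, f"{{{NS_AUTH}}}ClaimType",
                           {"Uri": uri, "Optional": "true" if optional else "false"})
        ET.SubElement(ct, f"{{{NS_AUTH}}}DisplayName").text = display
    # TargetScopes = realm the token is issued for; PassiveRequestorEndpoint =
    # URL the browser POSTs the signed token to (wreply).
    for tag in ("TargetScopes", "PassiveRequestorEndpoint"):
        epr = ET.SubElement(ET.SubElement(role, f"{{{NS_FED}}}{tag}"),
                            f"{{{NS_WSA}}}EndpointReference")
        ET.SubElement(epr, f"{{{NS_WSA}}}Address").text = app_url
    return ET.tostring(root, encoding="unicode")


def inspect_rp_metadata(xml_text):
    """Parse RP metadata and pull out what the STS admin will act on."""
    root = ET.fromstring(xml_text)
    role = root.find(f"{{{NS_MD}}}RoleDescriptor")
    ep = role.find(f"{{{NS_FED}}}PassiveRequestorEndpoint/"
                   f"{{{NS_WSA}}}EndpointReference/{{{NS_WSA}}}Address")
    cert = role.find(f"{{{NS_MD}}}KeyDescriptor[@use='encryption']/{{{NS_DS}}}KeyInfo/"
                     f"{{{NS_DS}}}X509Data/{{{NS_DS}}}X509Certificate")
    claims = role.iterfind(f"{{{NS_FED}}}ClaimTypesRequested/{{{NS_AUTH}}}ClaimType")
    return {
        "entity_id": root.get("entityID"),
        "passive_endpoint": ep.text if ep is not None else None,
        "has_encryption_cert": cert is not None and bool(cert.text),
        "claims": [c.get("Uri") for c in claims],
    }


def check_rp_metadata(xml_text):
    """Return a list of findings; an empty list means the metadata looks sane."""
    info = inspect_rp_metadata(xml_text)
    findings = []
    ep = info["passive_endpoint"]
    if not ep:
        findings.append("no PassiveRequestorEndpoint: ADFS has nowhere to POST the token")
    else:
        if urlsplit(ep).scheme != "https":
            findings.append(f"passive endpoint {ep} is not https: the browser would POST the token in clear")
        if urlsplit(ep).netloc != urlsplit(info["entity_id"] or "").netloc:
            findings.append("entityID host differs from passive endpoint host: confirm this is deliberate")
    if not info["has_encryption_cert"]:
        findings.append("no encryption KeyDescriptor: ADFS will issue the token unencrypted")
    if not info["claims"]:
        findings.append("no ClaimTypesRequested: the admin has to guess which claims to issue")
    return findings


if __name__ == "__main__":
    text = build_rp_metadata(APP_URL, DEMO_CERT_B64, CLAIMS)
    with open("FederationMetadata.xml", "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n' + text)
    print(inspect_rp_metadata(text))
    print(check_rp_metadata(text) or "no findings")
```

Run it and hand the resulting FederationMetadata.xml to the STS admin exactly as FedUtil's output was handed over in step 8; run check_rp_metadata on a FedUtil-generated file too, since an http application URL typed into FedUtil ends up as the PassiveRequestorEndpoint unchanged.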
