Certificate Settings
- Last Updated: June 19, 2025
- LoadMaster
- LoadMaster LTSF
All communications between the service provider and the IdP (AD FS in this case) must be secure. The certificate infrastructure must be in place on AD FS. Progress Kemp assumes that this is already in place in production environments. If you are setting up AD FS for the first time, ensure the correct certificate infrastructure is in place.
In the Certificates folder, there are certificates for service communication, token decrypting and token signing. The token signing certificate is the important one here. Tokens in AD FS generally map to assertions in the context of SAML. The token signing certificate is used to sign any response data from AD FS. The LoadMaster requires this certificate to verify the signature on the service provider side (that is, on the LoadMaster side).
Export the token signing certificate from AD FS by following the steps below:
- Go to Services > Certificates in AD FS.
- Select the Token-signing certificate.
- Click View Certificate.
- Click Copy to File.
- Follow the steps in the certificate export wizard.
- Provide a filename for the certificate.
You must convert the certificate to .pem format before importing it into the LoadMaster. There are many certificate converters available online. Alternatively, you can use an openssl command to perform the conversion.
Import the .pem certificate into the LoadMaster by following the steps below in the LoadMaster Web User Interface (WUI):
- In the main menu, go to Certificates & Security > Intermediate Certs.
- Click Choose File.
- Browse to and select the certificate file.
- Enter a Certificate Name and click Add Certificate.
This token signing certificate is now available to select in the IdP Certificate drop-down list in the SAML SSO domain in the LoadMaster.
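The openssl conversion mentioned above, as an added example (not taken from the Progress Kemp documentation): it accepts either single-certificate encoding the export wizard offers (DER binary or Base-64), writes a PEM file, and prints the SHA-1 thumbprint so the converted file can be compared with the Thumbprint value shown under View Certificate in AD FS. The function names and file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: convert an exported AD FS token-signing certificate to PEM
# and print its thumbprint. File and function names are illustrative.

# to_pem <exported.cer> <output.pem>
# Detects whether the export is Base-64 (already PEM) or DER binary.
to_pem() {
    src=$1
    dst=$2
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$src"; then
        # Base-64 encoded X.509: parse and re-emit so a malformed file fails here.
        openssl x509 -in "$src" -inform PEM -out "$dst" -outform PEM
    else
        # DER encoded binary X.509.
        openssl x509 -in "$src" -inform DER -out "$dst" -outform PEM
    fi
}

# thumbprint <file> [PEM|DER]
# SHA-1 fingerprint as lowercase hex without colons, for comparison with
# the Thumbprint field of the certificate in AD FS.
thumbprint() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha1 |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Stand-alone use: sh convert.sh token-signing.cer token-signing.pem
if [ "$#" -eq 2 ]; then
    to_pem "$1" "$2" && thumbprint "$2"
fi
```

If the thumbprint of the .pem file differs from the one AD FS displays, the wrong certificate was exported or the file was altered during conversion, and it should not be imported.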