This guide contains a list of solutions to problems we have encountered in practice when integrating this module. This is not an exhaustive list, but it may provide assistance in case of some common issues.
Note: For LDAP troubleshooting, please see the LDAP documentation.
- "Invalid issuer" error in SilverStripe
- Updating ADFS from 1.0 to 2.0
- ADFS 3.0 and Chrome authentication
- Intranet level security settings
In your SAML configuration file for SilverStripe, the entityId must exactly match the correct ADFS URL, including the protocol (https:// versus http://); SilverStripe rejects a SAML response whose issuer differs from this value in any way, which is what produces the "Invalid issuer" error. The correct URL can be read from ADFS under "Federation Service Properties".
To be able to use the SAML Single Sign On functionality you need ADFS 2.0 or greater. In some cases ADFS 1.0 is installed, but you can upgrade for free with an update from Microsoft.
Microsoft provides installation information for Active Directory Federation Services (ADFS) 2.0.
ADFS 3.0, such as the version shipped with Windows Server 2012, requires some extra configuration before Chrome can authenticate with Windows authentication.
Run these commands on the ADFS server using PowerShell:

```powershell
Set-ADFSProperties -ExtendedProtectionTokenCheck None
Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")
```
You will then need to restart the Active Directory service in Windows.
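The same change applied idempotently, as an added example that is not part of the module's documentation: it records the current values, only disables the extended protection check when it is not already off, appends "Mozilla/5.0" to the existing user-agent list instead of overwriting it, and restarts the AD FS Windows service (adfssrv). It assumes an elevated PowerShell session on the ADFS server with the ADFS module available.

```powershell
# Added example (not from the SilverStripe module docs). Assumes an elevated
# PowerShell session on the ADFS server with the ADFS cmdlets loaded
# (Import-Module ADFS on hosts that do not autoload it).
$chromeAgent = 'Mozilla/5.0'

$before = Get-AdfsProperties

# ExtendedProtectionTokenCheck controls Extended Protection for
# Authentication (channel binding). Chrome does not send channel binding
# tokens, so ADFS rejects its Windows authentication attempts unless the
# check is None. The setting is server-wide, so it relaxes the check for
# every client; record the previous value before changing it.
Write-Host "ExtendedProtectionTokenCheck was: $($before.ExtendedProtectionTokenCheck)"
if ($before.ExtendedProtectionTokenCheck -ne 'None') {
    Set-AdfsProperties -ExtendedProtectionTokenCheck None
}

# ADFS compares WIASupportedUserAgents against the browser's User-Agent
# header. "Mozilla/5.0" appears in the User-Agent of practically every
# modern browser, so this enables Windows authentication for all of them,
# not only Chrome. Append rather than replace so entries added by other
# administrators survive.
$agents = @($before.WIASupportedUserAgents)
Write-Host "WIASupportedUserAgents were: $($agents -join ', ')"
if ($agents -notcontains $chromeAgent) {
    Set-AdfsProperties -WIASupportedUserAgents ($agents + $chromeAgent)
}

# The new properties take effect once the AD FS service restarts.
Restart-Service adfssrv

# Show the resulting configuration so the change can be verified.
Get-AdfsProperties |
    Select-Object ExtendedProtectionTokenCheck, WIASupportedUserAgents |
    Format-List
```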
Internet Explorer on your Windows machine must have the ADFS URL (e.g. https://adfs.mydomain.com) assigned to the "intranet" security zone. Otherwise the browser will not attempt Windows authentication with the ADFS server, because the default "internet" security settings do not send Windows credentials.
More detailed information on this subject is available.