A "The Federation Service encountered an error while processing the SAML authentication request." Error Occurs After Upgrading From Directory Server 10.2 to 10.3 And Active Directory Federation Services Is Turned On.

March 13, 2018 | KB: 1013931
Directory Server 10.3

Summary

When signing in with Active Directory Federation Services (AD FS) in Directory Server 10.3, you may receive the following error message:

    The Federation Service encountered an error while processing the SAML authentication request.

    The relying party trust with identifier 'https://sampleFQDN/lfds' could not be located.

Cause

The introduction of support for SAML 2.0 identity providers in Directory Server 10.3 required changes to the initial Active Directory Federation Services support introduced in Directory Server 10.2. Organizations that had previously configured AD FS successfully with Directory Server 10.2 must make the following configuration changes after upgrading to Directory Server 10.3.

Resolution

  1. In the AD FS Management Console, update the relying party trust identifier to include /lfds:

    https://machine.domain.com/lfds

  2. Configure these additional claim type mappings (LDAP attribute on the left, outgoing claim type on the right):

     LDAP Attribute        Outgoing Claim Type
     SAM-Account-Name      Name ID
     objectSid             http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid

  3. The AD FS token signing certificate must pass chain trust validation on the machine hosting the Directory Server STS. For example, if the certificate is self-signed, you must add it to the Trusted Root Certification Authorities store on the STS machine.
  4. The Directory Server administration site includes a new STS Sites page on the Settings tab. Add the SAML endpoint for AD FS (e.g., https://YourSTSmachine.com/LFDSSTS/SAML2/SSO). Note that this value is case-sensitive.
  5. If you have multiple licensing sites attached to your Directory Server instance, you must specify a default licensing site for AD FS. Manually edit the LFDS.exe.config file in the Directory Server installation folder to add a default licensing site. In the <appSettings> block, insert the following line:

    <add key="DefaultRealm" value="SampleLicensingSiteName" />

    After saving your change, restart the Directory Server service.
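The following PowerShell script is an added example and not part of this KB article or of Laserfiche's own tooling. It automates steps 1, 2, 3 and 5 above with the AD FS and PKI modules that ship with Windows Server: the first two functions run on the AD FS server (update the identifier, append the Name ID / sid claim rule, export the token-signing certificate), the last two run on the Directory Server machine (trust and chain-check the certificate, set DefaultRealm and restart the service). Step 4 (the STS Sites page) is done in the administration site and is only noted in a comment. The install path, service display name, rule name, claim-rule text and all parameter values are assumptions for illustration; verify the path and service name with Get-Service before running.

```powershell
# Added example, not Laserfiche's code. Assumptions are marked ASSUMPTION.
#Requires -RunAsAdministrator

# ---------- Run on the AD FS server: steps 1 and 2 ----------
function Update-LfdsRelyingPartyTrust {
    param(
        [Parameter(Mandatory)] [string] $RpName,   # display name of the existing trust
        [Parameter(Mandatory)] [string] $LfdsHost  # e.g. machine.domain.com
    )
    Import-Module ADFS
    $rp = Get-AdfsRelyingPartyTrust -Name $RpName
    if (-not $rp) { throw "Relying party trust '$RpName' not found" }

    # Step 1: the 10.3 identifier must end in /lfds
    $newId = "https://$LfdsHost/lfds"

    # Step 2: Name ID from sAMAccountName, sid claim from objectSid.
    # ASSUMPTION: rule name; the rule is appended so existing rules are kept.
    $ruleName = "LFDS 10.3 Name ID and SID"
    $newRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "$ruleName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid"), query = ";sAMAccountName,objectSid;{0}", param = c.Value);
"@
    $rules = $rp.IssuanceTransformRules
    if ($rules -notmatch [regex]::Escape($ruleName)) { $rules = "$rules`r`n$newRule" }

    Set-AdfsRelyingPartyTrust -TargetName $RpName -Identifier $newId -IssuanceTransformRules $rules
    Get-AdfsRelyingPartyTrust -Name $RpName | Select-Object Name, Identifier
}

# ---------- Run on the AD FS server: export half of step 3 ----------
function Export-AdfsTokenSigningCertificate {
    param([Parameter(Mandatory)] [string] $OutFile)
    Import-Module ADFS
    $signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    Export-Certificate -Cert $signing.Certificate -FilePath $OutFile -Type CERT | Out-Null
    $signing.Certificate | Select-Object Subject, Issuer, Thumbprint, NotAfter
}

# ---------- Run on the Directory Server (STS) machine: step 3 ----------
function Install-AdfsSigningCertTrust {
    param([Parameter(Mandatory)] [string] $CerFile)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    # A self-signed certificate (subject == issuer) can only be trusted by placing it
    # in LocalMachine\Root. A CA-issued one needs its CA chain trusted instead; never
    # put a CA-issued leaf certificate in the Root store.
    if ($cert.Subject -eq $cert.Issuer) {
        Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # AD FS self-signed certs carry no CRL endpoint
    if (-not $chain.Build($cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain trust validation failed for $($cert.Thumbprint): $why"
    }
    "Token-signing certificate $($cert.Thumbprint) chains to a trusted root on this machine"
}

# Step 4 is manual: Settings > STS Sites in the Directory Server administration site,
# adding the AD FS SAML endpoint exactly as cased, e.g. https://YourSTSmachine.com/LFDSSTS/SAML2/SSO

# ---------- Run on the Directory Server machine: step 5 ----------
function Set-LfdsDefaultRealm {
    param(
        [Parameter(Mandatory)] [string] $Realm,    # the default licensing site name
        # ASSUMPTION: default install path and service display name; confirm with Get-Service.
        [string] $ConfigPath = 'C:\Program Files\Laserfiche\Directory Server\LFDS.exe.config',
        [string] $ServiceDisplayName = 'Laserfiche Directory Server'
    )
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
    $xml = [xml](Get-Content -LiteralPath $ConfigPath -Raw)
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        $appSettings = $xml.DocumentElement.AppendChild($xml.CreateElement('appSettings'))
    }
    # Update the existing DefaultRealm entry rather than adding a duplicate key
    $add = $appSettings.SelectSingleNode("add[@key='DefaultRealm']")
    if (-not $add) {
        $add = $appSettings.AppendChild($xml.CreateElement('add'))
        $add.SetAttribute('key', 'DefaultRealm')
    }
    $add.SetAttribute('value', $Realm)
    $xml.Save($ConfigPath)
    Restart-Service -DisplayName $ServiceDisplayName
}

# Usage (ASSUMPTION: names and hosts are placeholders):
# Update-LfdsRelyingPartyTrust -RpName 'Laserfiche Directory Server' -LfdsHost 'machine.domain.com'
# Export-AdfsTokenSigningCertificate -OutFile C:\temp\adfs-signing.cer
# Install-AdfsSigningCertTrust -CerFile C:\temp\adfs-signing.cer
# Set-LfdsDefaultRealm -Realm 'SampleLicensingSiteName'
```

Two details worth checking after running it: Get-AdfsRelyingPartyTrust should now list the /lfds identifier, and Install-AdfsSigningCertTrust should succeed on the Directory Server machine rather than the AD FS server, since the chain check only proves anything on the machine that will validate the token.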