Certificate bundle

When you request a certificate from a CA, the CA will typically send a bundle of intermediate certificates. Frequently, this bundle also includes the root certificate. Web server certificate bundles do not need to include the root certificate, so it should be removed from the bundle.

To make editing easier, you can list the certificates in the bundle with a one-line command that works on both Windows and Linux:

openssl crl2pkcs7 -nocrl -certfile cert-bundle.cer | openssl pkcs7 -print_certs -text -noout
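The same check and the root removal, as an added example that is not part of the original page: it splits a PEM bundle, drops every certificate whose subject equals its issuer (the self-signed root), and keeps the intermediates. It assumes the openssl CLI is on PATH; the root and intermediate it generates are constructed test data, not a real CA's bundle.

```shell
#!/bin/sh
# Added example (not from the original page): strip self-signed (root)
# certificates from a PEM bundle, keeping only the intermediates.
# Assumes the openssl CLI is on PATH; file names below are constructed.
set -e

# Remove every certificate whose subject equals its issuer (a root).
# $1 = input bundle, $2 = output bundle (intermediates only).
strip_self_signed() {
  work=$(mktemp -d)
  # Split the bundle into one file per certificate block.
  awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++}
                    n>0{print > (d "/cert_" n ".pem")}' "$1"
  : > "$2"
  for c in "$work"/cert_*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" != "$iss" ]; then
      cat "$c" >> "$2"
    fi
  done
  rm -rf "$work"
}

# Count certificate blocks in a PEM file.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Build a constructed test bundle: a self-signed root plus an
# intermediate signed by that root (throwaway keys, 1-day validity).
make_test_bundle() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/root.key" -out "$dir/root.pem" -subj "/CN=Example Root" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Example Intermediate" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -out "$dir/int.pem" 2>/dev/null
  cat "$dir/int.pem" "$dir/root.pem" > "$dir/bundle.pem"
  echo "$dir/bundle.pem"
}
```

Run `strip_self_signed cert-bundle.pem intermediates.pem` against a CA-supplied bundle converted to PEM; the output is what the web server should be configured with.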

ADFS

Diagnostic Claims

When analysing federation trust issues, it is sometimes useful to pass all claims from the Identity Provider through to the Service Provider. In general, passing every claim through unchanged is unsafe, because the Service Provider may act on claims it would not normally receive.

One option is to flag the original claims in a way that means they are not accepted by the Service Provider. In ADFS this can be done with the following claim rule:

@RuleName = "Diagnostics"
c:[]
=> issue(Type = "XX-" + c.Type + "-XX", Value = c.Value);

This rule wraps the original claim type between “XX-” and “-XX”, so the Service Provider receives every claim for inspection under a type it does not act on, rather than the original type.

Federation Metadata

Federation metadata URL:

https://server/federationmetadata/2007-06/federationmetadata.xml

Home Realm Discovery

Prevent caching of the user's home realm selection (the HRD cookie):

Set-AdfsWebConfig -HRDCookieEnabled:$false

Claim rule language

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-the-claim-rule-language

https://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx