When integrating a service provider with AD FS 2.0 for SAML-based single sign-on, the Assertion Consumer Service (ACS) URL is a critical endpoint. This is where the Identity Provider (IdP) sends the SAML assertions after successful authentication.
The standard ACS URL for AD FS 2.0 follows this pattern:
https://[your-adfs-server]/adfs/ls/
For example, if your AD FS server is at abc.com, the ACS URL would be:
https://abc.com/adfs/ls/
You can confirm this endpoint by checking your AD FS metadata document at:
https://[your-adfs-server]/FederationMetadata/2007-06/FederationMetadata.xml
Search for the AssertionConsumerService element in the XML document.
Avoid these frequent errors:
- Using the wrong path (like /_trust/ which was used in older versions)
- Forgetting to include the trailing slash
- Not using HTTPS (required for security)
Here's how you might configure this in a SAML service provider implementation using C#:
// SP-side settings, declared first so the IdP entry below can reference them
// (the original referenced options.SPOptions inside its own initializer, which does not compile).
var spOptions = new SPOptions
{
    EntityId = new EntityId("urn:your:service:provider"),
    ReturnUrl = new Uri("https://your-app.com/saml-acs")
};

var options = new Saml2AuthenticationOptions("ADFS")
{
    SPOptions = spOptions,
    IdentityProviders = new IdentityProviderCollection
    {
        new IdentityProvider(new EntityId("urn:federation:your-adfs"), spOptions)
        {
            // AD FS 2.0 federation metadata; endpoints and signing certificate are read from here
            MetadataLocation = "https://abc.com/FederationMetadata/2007-06/FederationMetadata.xml",
            // Accepts IdP-initiated responses with no preceding AuthnRequest, so there is no
            // InResponseTo to bind them; signature, audience and recipient checks still apply
            AllowUnsolicitedAuthnResponse = true
        }
    }
};
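Added example, not code from the answer above: a Python script that parses a constructed FederationMetadata.xml fragment in the shape AD FS 2.0 publishes (the host sts.contoso.com and the entity ID are assumptions) and lists the endpoints by role. In SAML 2.0 metadata the SingleSignOnService elements sit under IDPSSODescriptor and are where an SP sends its AuthnRequest, while AssertionConsumerService sits under SPSSODescriptor and is where assertions are delivered; AD FS publishes both descriptors because it can act as either party, and both point at /adfs/ls/. The second function applies the HTTPS and trailing-slash checks from the list of frequent errors.

```python
"""Added example (not from the original answer): list the SAML 2.0 endpoints
in AD FS federation metadata by role, then apply the HTTPS / trailing-slash
checks from the answer's list of frequent errors."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample in the shape AD FS 2.0 publishes at
# /FederationMetadata/2007-06/FederationMetadata.xml. The host sts.contoso.com
# is an assumption; a real document also carries WS-Federation RoleDescriptors,
# signing certificates and a Signature, which this example ignores.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sts.contoso.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sts.contoso.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sts.contoso.com/adfs/ls/"/>
  </IDPSSODescriptor>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sts.contoso.com/adfs/ls/" index="0" isDefault="true"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sts.contoso.com/adfs/ls/" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def federation_endpoints(metadata_xml: str) -> dict:
    """Return the entity ID plus the endpoints under each SAML role.

    idp_sso: SingleSignOnService under IDPSSODescriptor, i.e. where an SP
             sends its AuthnRequest when AD FS is the identity provider.
    sp_acs:  AssertionConsumerService under SPSSODescriptor, i.e. where AD FS
             itself receives assertions when it is the service provider for a
             claims provider trust.
    """
    root = ET.fromstring(metadata_xml)
    result = {"entity_id": root.get("entityID"), "idp_sso": [], "sp_acs": []}
    for sso in root.iterfind(f"{{{MD}}}IDPSSODescriptor/{{{MD}}}SingleSignOnService"):
        # Keep only the short binding name, e.g. HTTP-POST
        result["idp_sso"].append(
            (sso.get("Binding").rsplit(":", 1)[-1], sso.get("Location")))
    for acs in root.iterfind(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService"):
        result["sp_acs"].append({
            "binding": acs.get("Binding").rsplit(":", 1)[-1],
            "location": acs.get("Location"),
            "index": int(acs.get("index")),
            "default": acs.get("isDefault", "false").lower() == "true",
        })
    return result


def adfs_endpoint_issues(url: str) -> list:
    """Flag an AD FS endpoint URL that is not HTTPS or lacks the trailing slash
    that the /adfs/ls/ endpoint is published with."""
    parts = urlsplit(url)
    issues = []
    if parts.scheme != "https":
        issues.append("not https")
    if not parts.path.endswith("/"):
        issues.append("no trailing slash")
    return issues


if __name__ == "__main__":
    endpoints = federation_endpoints(SAMPLE_METADATA)
    print("entityID:", endpoints["entity_id"])
    for binding, location in endpoints["idp_sso"]:
        print(f"IdP SingleSignOnService [{binding}] {location}",
              adfs_endpoint_issues(location))
    for acs in endpoints["sp_acs"]:
        print(f"SP AssertionConsumerService [{acs['binding']}] index={acs['index']} "
              f"default={acs['default']} {acs['location']}")
```

Point the parser at the real document fetched from your own AD FS host to see which /adfs/ls/ entries are IdP-side and which are SP-side; the same URL appears under both roles, which is why the two are easy to confuse.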
When configuring a Service Provider (SP) for SSO authentication with AD FS 2.0, one of the most critical elements is the Assertion Consumer Service (ACS) URL. This endpoint is where the Identity Provider (IdP) will send the SAML assertions after successful authentication.
The default SAML 2.0 assertion consumer endpoint in AD FS 2.0 follows this pattern:
https://[your-adfs-server-fqdn]/adfs/ls/
For example:
https://sts.contoso.com/adfs/ls/
You can confirm your AD FS 2.0 endpoints through these methods:
- Check the AD FS 2.0 management console under "Service → Endpoints"
- Access the federation metadata XML document at:
https://[your-adfs-server-fqdn]/FederationMetadata/2007-06/FederationMetadata.xml
When setting up relying party trust in AD FS 2.0, you'll typically need to specify these values:
Identifier: urn:your:service:provider
Reply URL (ACS): https://your-sp.com/saml/acs
- Ensure the ACS URL matches exactly what's configured in AD FS
- Verify SSL certificates are properly installed and trusted
- Check AD FS event logs for authentication errors
Here's how you might configure a simple SAML SP in C#:
// SP-side settings, declared first so the IdP entry below can reference them
// (the original referenced samlOptions.SPOptions inside its own initializer, which does not compile).
var spOptions = new SPOptions
{
    EntityId = new EntityId("urn:your:service:provider"),
    ReturnUrl = new Uri("https://your-sp.com/saml/acs")
};

var samlOptions = new Saml2AuthenticationOptions("ADFS")
{
    SPOptions = spOptions,
    IdentityProviders = new IdentityProviderCollection
    {
        // AD FS 2.0 identifies itself with the /adfs/services/trust entity ID
        new IdentityProvider(new EntityId("http://sts.contoso.com/adfs/services/trust"), spOptions)
        {
            // Endpoints and signing certificate are loaded from the federation metadata
            MetadataLocation = "https://sts.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
        }
    }
};
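Added example, not part of the answer above and not the SAML library's own code: the SP-side check behind "Ensure the ACS URL matches exactly". It runs over a constructed AD FS-style Response (IDs, timestamps and the alice@contoso.com subject are made up) and compares Destination, Recipient, Issuer, Audience and InResponseTo against the SP configuration, where acs_url is the Reply URL registered on the relying party trust. The comparison is a plain string match on purpose: AD FS sends whatever Reply URL the trust holds, so "/acs" against "/acs/" or http against https must be treated as a mismatch. Signature and validity-window checks are deliberately left to the SAML library; this example covers addressing only.

```python
"""Added example: SP-side check that a SAML Response is addressed to this SP.

Operates on a constructed AD FS-style Response (not captured traffic) and
checks only addressing. Signature, NotBefore/NotOnOrAfter and replay checks
are the SAML library's job and are not done here."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the shape AD FS 2.0 POSTs to the relying party's Reply URL.
# Hosts, entity IDs, IDs and timestamps are assumptions; no Signature is included.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://your-sp.com/saml/acs">
  <saml:Issuer>http://sts.contoso.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://sts.contoso.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@contoso.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://your-sp.com/saml/acs"
            NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>urn:your:service:provider</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def addressing_errors(response_xml: str, acs_url: str, sp_entity_id: str,
                      idp_entity_id: str, expected_in_response_to=None) -> list:
    """Return a list of addressing problems; an empty list means the response is
    aimed at this SP (acs_url / sp_entity_id) and claims to come from idp_entity_id."""
    root = ET.fromstring(response_xml)
    errors = []

    # Exact string comparison on purpose: AD FS sends whatever Reply URL the
    # relying party trust holds, so "/acs" vs "/acs/" or http vs https must fail.
    dest = root.get("Destination")
    if dest != acs_url:
        errors.append(f"Destination {dest!r} does not match ACS {acs_url!r}")

    # Bearer confirmation must name this ACS as Recipient as well.
    for scd in root.iter(f"{{{NS['saml']}}}SubjectConfirmationData"):
        if scd.get("Recipient") != acs_url:
            errors.append(f"Recipient {scd.get('Recipient')!r} does not match ACS {acs_url!r}")

    # Every Issuer (response and assertion) must be the trusted IdP.
    for iss in root.iter(f"{{{NS['saml']}}}Issuer"):
        if (iss.text or "").strip() != idp_entity_id:
            errors.append(f"unexpected Issuer {iss.text!r}")

    # AudienceRestriction must include our own entity ID (the AD FS Identifier).
    audiences = [(a.text or "").strip() for a in root.iter(f"{{{NS['saml']}}}Audience")]
    if sp_entity_id not in audiences:
        errors.append(f"Audience {audiences!r} does not include {sp_entity_id!r}")

    # InResponseTo must match an AuthnRequest we actually sent. With no expected
    # value (IdP-initiated, unsolicited sign-on) the attribute must be absent.
    in_resp = root.get("InResponseTo")
    if in_resp != expected_in_response_to:
        errors.append(f"InResponseTo {in_resp!r} does not match {expected_in_response_to!r}")

    return errors


if __name__ == "__main__":
    idp = "http://sts.contoso.com/adfs/services/trust"
    sp = "urn:your:service:provider"
    print("exact ACS:", addressing_errors(SAMPLE_RESPONSE, "https://your-sp.com/saml/acs", sp, idp))
    print("trailing slash:", addressing_errors(SAMPLE_RESPONSE, "https://your-sp.com/saml/acs/", sp, idp))
```

Run the two calls in the main block to see that a single trailing slash on the configured ACS produces both a Destination and a Recipient mismatch; that is the same failure AD FS logs when the Reply URL on the trust and the SP's real endpoint drift apart.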