Yesterday Microsoft released Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0.
The update includes hotfixes and updates that fix seven (7) product issues and add four (4) new capabilities to the product. Summarised, the changes are:
- Issue 1 (kb2254265): The “500” error code is returned when you send an HTTP SOAP request to the “/adfs/services/trust/mex” endpoint on a computer that is running Windows Server 2008 R2 or Windows Server 2008
- Issue 2 (kb2272757): An identity-provider-initiated sign-on process is slow in Windows Server 2008 R2 and in Windows Server 2008
- Issue 3: The “400” error code is returned when an authentication request is sent to an AD FS 2.0 federation server proxy through the Windows Integrated Authentication endpoint (Nego 2)
- Issue 4: Performance decreases on an AD FS 2.0 federation server when the user being authenticated has a large number of group memberships.
- Issue 5: Joining an AD FS 2.0 federation server to an existing SQL-based federation server farm fails when the AD FS 2.0 administrator who attempts the join operation does not have administrator rights to the SQL Server database.
- Issue 6: The AD FS 2.0 Federation Service cannot create or verify SAML tokens when the private keys of the AD FS 2.0 token-signing certificate and/or token-decryption certificate are stored by using a third-party cryptographic service provider (CSP), for example a hardware security module (HSM).
- New capability 1: Multiple Issuer Support
- New capability 2: Client Access Policy Support
- New capability 3: Congestion Control Algorithm
- New capability 4: Additional AD FS 2.0 performance counters
Those of you working on Office 365 projects might find this new capability of particular interest:
Multiple Issuer Support. Previously, Microsoft Office 365 customers who required single sign-on (SSO) by using AD FS 2.0 and used multiple top-level domains for their users’ user principal name (UPN) suffixes within the organization (for example, @contoso.us or @contoso.de) had to deploy a separate instance of the AD FS 2.0 Federation Service for each suffix. After you install this Update Rollup on all the AD FS 2.0 federation servers in the farm and follow the instructions for using this feature with Office 365, new claim rules are set up to dynamically generate token issuer IDs based on the UPN suffixes of the Office 365 users. As a result, you no longer have to set up multiple instances of the AD FS 2.0 federation server to support SSO for multiple top-level domains in Office 365.
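As an added illustration (not code from the update or from this post), the following shows the kind of issuance transform rule the feature relies on: it derives the token issuer ID from the user's UPN suffix, so one farm can answer for several federated domains and Office 365 can match each token to the right domain. The relying party display name and the issuer ID URL format are assumptions for this example; in a real deployment the Office 365 instructions the post links to set the rules for you.

```powershell
# Added example: append an issuance transform rule that builds the token
# issuer ID from the UPN suffix, so one AD FS 2.0 farm serves several
# top-level domains. Run on an AD FS 2.0 federation server after Update Rollup 1.
# The relying party name and the issuer ID URL format are assumptions here;
# the official Office 365 setup instructions configure the real rules.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "Microsoft Office 365 Identity Platform"   # assumed display name

# Keep the rules already on the trust and append the issuer ID rule,
# rather than overwriting the existing rule set.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
$existing = $rp.IssuanceTransformRules

# Single-quoted here-string: ${domain} is claim-rule syntax, not a
# PowerShell variable, so it must not be expanded.
$issuerIdRule = @'
@RuleName = "Issuer ID from UPN suffix"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/01/identity/claims/issuerid",
          Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($existing + "`r`n" + $issuerIdRule)

# Verify: the trust should now carry the issuerid rule alongside the old ones.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Because the issuer ID is computed per user, each UPN suffix in the farm must also be registered as a federated domain in Office 365, or tokens for that suffix will be rejected.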
For more information about the instructions, visit the following Microsoft website: General information about how to set up a trust by adding or converting a domain for SSO