Over the past week or so I’ve been working to federate EWU with InCommon®. Most schools use Shibboleth®, but we already have Active Directory Federation Services (ADFS) in use here, so I’ve taken on the challenge of using ADFS instead.
InCommon has a test service provider that I should be able to sign into if everything is configured properly. However, when I connect I get a response that the “X509SerialNumber must have TextContent.” After digging through the SAML responses to several other service providers, I found that many of the self-signed certs used by some of the SPs have a serial number of zero (0). When ADFS signs/encrypts the SAML response, it does not return the serialNumber of the cert used, but instead returns an empty serialNumber XML element (<serialNumber />). Shibboleth does not like that at all.
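To spot this before the SP rejects the login, it helps to scan a captured response for any X509IssuerSerial whose serial element has no text. The following is an added example and not code from the post or from ADFS/Shibboleth; the sample response is constructed, with one filled-in serial under the signing KeyInfo and an empty one under the encryption KeyInfo, and the issuer names are made up.

```python
# Added example (not from the original post): find ds:X509SerialNumber
# elements with no text content in a SAML response, which is exactly what the
# Shibboleth SP complains about ("X509SerialNumber must have TextContent").
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def empty_serial_numbers(saml_xml: str) -> list:
    """Return the X509IssuerName of every ds:X509IssuerSerial whose
    ds:X509SerialNumber is missing or has only whitespace as content.
    A serial of "0" counts as text content and is not reported."""
    root = ET.fromstring(saml_xml)
    offenders = []
    for issuer_serial in root.iter(f"{{{DS_NS}}}X509IssuerSerial"):
        name = issuer_serial.find(f"{{{DS_NS}}}X509IssuerName")
        serial = issuer_serial.find(f"{{{DS_NS}}}X509SerialNumber")
        serial_text = (serial.text or "").strip() if serial is not None else ""
        if not serial_text:
            offenders.append((name.text or "").strip() if name is not None else "")
    return offenders


# Constructed sample: signing cert has a real serial, the SP's encryption cert
# is reported as an empty element, as described above for a zero serial.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=adfs.example.edu</ds:X509IssuerName>
      <ds:X509SerialNumber>1234567890</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509IssuerSerial>
          <ds:X509IssuerName>CN=sp.example.org</ds:X509IssuerName>
          <ds:X509SerialNumber />
        </ds:X509IssuerSerial>
      </ds:X509Data></ds:KeyInfo>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    for issuer in empty_serial_numbers(SAMPLE_RESPONSE):
        print(f"empty X509SerialNumber for issuer: {issuer}")
```

Run it against a response captured with a browser SAML tracer to see which cert ADFS emitted the empty element for.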
Now it is time to dig through the XML signing/encryption specs to determine who is right and who is wrong, and then go through the process of notifying the losing “vendor”. My gut says that I’ll probably be standing up a Shibboleth server by the time everything is said and done.