Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0 released

by Henrik Walther [Published on 15 Feb. 2013 / Last Updated on 15 Feb. 2013]

For all you folks who have configured identity federation in your Exchange hybrid environments, I thought you would want to know that AD FS 2.0 Update Rollup 3 has been released.

List of issues that have been fixed in this update:

* Issue 1 AD FS 2.0 does not issue an ActAs token for a relying party who is using a Security Assertion Markup Language (SAML) 2.0 bootstrap token.

* Issue 2 When AD FS 2.0 is acting as a federation provider and receives an invalid SAML 2.0 signed request (for example, the signature is not valid or the requestor is unknown), AD FS 2.0 rejects the request only after it forwards the request to the downstream identity provider and receives a valid SAML response. The expected behavior is that AD FS 2.0 validates SAML requests and rejects any requests that have invalid signatures.

* Issue 3 AD FS 2.0 update rollup 2 introduced strict Uniform Resource Identifier (URI) checking. When AD FS 2.0 acts as a federation provider and trusts an identity provider whose identifier is not a URI, the response that is returned from the identity provider is rejected by AD FS 2.0. The validation fails because AD FS 2.0 tries to validate the value of the identity provider’s identifier. This behavior breaks previously functioning AD FS 2.0 deployments in which identity providers use non-URI identifiers. AD FS 2.0 update rollup 3 removes this URI checking.

* Issue 4 AD FS 2.0 does not allow multiple relying party trusts to use the same signing certificate for SAML requests.

* Issue 5 Performance of AD FS 2.0 needs improvement when an HSM is used for storing the private key of the token signing/encryption certificate.

* Issue 6 AD FS 2.0 update rollup 1 introduces the Congestion Avoidance Algorithm. If you accidentally disable the Congestion Avoidance Algorithm by changing the configuration, a handle leak occurs on an AD FS 2.0 federation server proxy every time that the federation server proxy processes a request. AD FS 2.0 update rollup 3 removes the setting that enables you to disable the Congestion Avoidance Algorithm by changing the configuration. You can fine-tune the Congestion Avoidance Algorithm by adjusting the latencyThresholdInMsec and minCongestionWindowSize settings.

You can download it here: http://support.microsoft.com/kb/2790338
