# WS-Fed Example

## Steps

### Attribute definition

First of all, you must create two new attributes:

- User principal name
- AD SID

[![image-1695799061910.png](https://bookstack.soffid.com/uploads/images/gallery/2023-09/scaled-1680-/image-1695799061910.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-09/image-1695799061910.png)

Bear in mind that those attributes have to be retrieved from the appropriate system:

[![image-1695803778715.png](https://bookstack.soffid.com/uploads/images/gallery/2023-09/scaled-1680-/image-1695803778715.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-09/image-1695803778715.png)

And those attributes have to be defined in the object metadata:

[![image-1695804665489.png](https://bookstack.soffid.com/uploads/images/gallery/2023-09/scaled-1680-/image-1695804665489.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-09/image-1695804665489.png)

### Attribute sharing policies

Define the proper attribute sharing policy:

[![image-1695801239762.png](https://bookstack.soffid.com/uploads/images/gallery/2023-09/scaled-1680-/image-1695801239762.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-09/image-1695801239762.png)

### Service Provider

[![image-1695801347498.png](https://bookstack.soffid.com/uploads/images/gallery/2023-09/scaled-1680-/image-1695801347498.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-09/image-1695801347498.png)

### Configure Exchange

Finally, you must configure Exchange.

1.- Upload the SAML certificate to the certificate repository

2.- Search for the thumbprint of the certificate:

```
# List the certificates in the store, sorted by subject, to locate the thumbprint of the uploaded SAML certificate
Set-Location Cert:\LocalMachine\Root; Get-ChildItem | Sort-Object Subject
```

[![image-1695814095103.png](https://bookstack.soffid.com/uploads/images/gallery/2023-09/scaled-1680-/image-1695814095103.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-09/image-1695814095103.png)

3.- From the Exchange Management Shell, run:

```
Set-OrganizationConfig -AdfsIssuer https://gbr.idp.demo.soffid.net/profile/wsfed `
   -AdfsAudienceUris "https://gbr.owa.demo.soffid.net/owa/","https://gbr.owa.demo.soffid.net/ecp/"  `
   -AdfsSignCertificateThumbprint "XXXXXXXXXXXXXXXX"
```

```
Set-OWAVirtualDirectory -Identity "OWA (Default Web Site)" -AdfsAuthentication $true   `
  -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false `
  -WindowsAuthentication $false
```

```
Set-ECPVirtualDirectory -Identity "ECP (Default Web Site)" -AdfsAuthentication $true   `
  -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false `
  -WindowsAuthentication $false
```

```
net stop was /y
```

```
net start w3svc
```
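After the three steps above, it is worth confirming that the organization configuration, the certificate store and the OWA/ECP virtual directories agree with each other. The following PowerShell script is an added verification example, not part of the Soffid page or the Exchange product documentation; it is meant to run from the Exchange Management Shell. The subject filter `idp.demo.soffid.net` is an assumed placeholder and must be replaced with the subject of the certificate actually uploaded in step 1.

```powershell
# Added verification script (not from the Soffid page). Run from the Exchange Management Shell.
# Assumption: the IdP signing certificate subject contains the string below; adjust it to
# whatever Get-ChildItem Cert:\LocalMachine\Root shows for the certificate uploaded in step 1.
$SubjectFilter = "idp.demo.soffid.net"   # placeholder, not a value from the page

# 1. Locate the signing certificate in the same store the procedure uses and read its thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$SubjectFilter*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectFilter' found in Cert:\LocalMachine\Root" }
Write-Host "Signing certificate: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate expires within 30 days; WS-Fed responses will be rejected after $($cert.NotAfter)"
}

# 2. Confirm the organization-level WS-Fed settings refer to that certificate and to both audiences.
$org = Get-OrganizationConfig
$problems = @()
if ($org.AdfsSignCertificateThumbprint -ne $cert.Thumbprint) {
    $problems += "AdfsSignCertificateThumbprint is '$($org.AdfsSignCertificateThumbprint)', expected '$($cert.Thumbprint)'"
}
if ([string]::IsNullOrEmpty($org.AdfsIssuer)) { $problems += "AdfsIssuer is not set" }
foreach ($path in "/owa/", "/ecp/") {
    $match = $org.AdfsAudienceUris | Where-Object { $_.ToString().EndsWith($path) }
    if (-not $match) { $problems += "No AdfsAudienceUris entry ending in $path" }
}

# 3. Confirm OWA and ECP accept ADFS (WS-Fed) authentication only, as set in step 3.
foreach ($vdir in @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)) {
    if (-not $vdir.AdfsAuthentication) { $problems += "$($vdir.Identity): AdfsAuthentication is disabled" }
    foreach ($legacy in "BasicAuthentication", "DigestAuthentication", "FormsAuthentication", "WindowsAuthentication") {
        if ($vdir.$legacy) { $problems += "$($vdir.Identity): $legacy is still enabled" }
    }
}

# Report: any mismatch means sign-in will fail or a weaker method is still reachable.
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "WS-Fed configuration is consistent."
```

The script exits non-zero on any mismatch, so it can be re-run after the `net stop was /y` / `net start w3svc` restart or scheduled as a periodic check; the certificate expiry warning covers the most common cause of WS-Fed responses being rejected after a previously working setup.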

<p class="callout warning">The server must be up to date. Otherwise, WS-Fed will reject the response.</p>