Steps for your SuisseID

IdP Integration Guide - Technote


The SuisseID IDP provides strong authentication and user attribute services. Claims-aware web applications in a Microsoft Active Directory Domain can benefit through Active Directory Federation Services (AD FS) and Windows Identity Foundation from these functionalities.

This article describes how to add the SuisseID IDP as a claims provider to an AD FS environment.


The prerequisites comprise the following:

  1. A functional AD FS environment. Instructions in this article are based on AD FS 2.0 on Windows Server 2008 R2 SP1.
  2. Registered Service Provider. Every SAML Service Provider (or relying party) needs to be registered at the SuisseID IDP as an allowed partner. Use the Service Provider registration page.
  3. SuisseIDs. For authentication at the SuisseID IDP, the user must possess a valid SuisseID. For the SuisseID IDP integration platform (typically used by developers), download a test SuisseID and install it in the client browser.

See the Resources section for links to the service provider registration and test certificates.

ADFS: Configuring SuisseID IDP as Claims Provider - Manually

Initially we examine the step-by-step configuration of the ADFS claims provider before we look at the slightly quicker process via the IDP Metadata. We assume the hostname of the machine running ADFS to be

  1. Launch the "AD FS 2.0 Management" Windows application
  2. Under AD FS 2.0 -> Trust Relationships -> Claims Provider Trusts, add a new claims provider trust
  3. Then “Enter claims provider trust data manually”
  4. Enter the display name, e.g. “SuisseID IDP (Production)”
  5. Pick the “AD FS 2.0 profile” as the SuisseID IDP is a SAML2 compliant identity provider.
  6. Set the IDP's SAML SSO Endpoint.
    IDP Integration
    IDP Production

  7. Set the claim provider trust identifier.
    IDP Integration
    IDP Production

  8. Add the SuisseID IDP assertion signer certificate. The certificate can be downloaded from the IDP documentation resources area (see Resources section below).
  9. Complete the configuration.
  10. Initial configuration finished.
  11. First update to the configuration: Click the newly created claims provider and go to the “Endpoints” tab and set the binding for the SSO endpoint to POST.
  12. Second update to the configuration: Click the newly created claims provider and go to the “Advanced” tab and set the “Secure hash algorithm” to SHA-1.

ADFS: Configuring SuisseID IDP as Claims Provider - via Metadata

It is also possible to configure the AD FS claims provider over the published IDP Metadata:

IDP Integration
IDP Production

It is mandatory in a subsequent step to manually set the "Secure Hash Algorithm" to SHA-1.
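The same claims provider trust created from the AD FS 2.0 PowerShell snap-in instead of the management console, as an added example that is not part of the original technote; it covers the manual steps above as well as the metadata variant and the mandatory SHA-1 follow-up. The SSO endpoint, trust identifier, metadata URL and certificate path are placeholders, since the technote does not reproduce those values (take them from the IDP documentation resources).

```powershell
# Added example, not from the SuisseID technote: configure the SuisseID IDP as an
# AD FS 2.0 claims provider trust with the Microsoft.Adfs.PowerShell snap-in.
# All <...> values are PLACEHOLDERS to be replaced from the SuisseID IDP documentation.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$displayName = 'SuisseID IDP (Production)'                                  # step 4
$ssoUrl      = 'https://<IDP_SSO_ENDPOINT_FROM_SUISSEID_DOCS>'              # step 6
$identifier  = '<CLAIMS_PROVIDER_TRUST_IDENTIFIER_FROM_SUISSEID_DOCS>'      # step 7
$certPath    = 'C:\certs\suisseid-idp-signer.cer'                           # step 8, placeholder path
# AD FS stores the "Secure hash algorithm" as an XML-DSig algorithm URI;
# SHA-1 is what the technote requires for the SuisseID IDP (step 12).
$sha1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Load the assertion signer certificate and show its thumbprint and expiry so they
# can be compared with the values published by the IDP before the trust is created.
$signer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
Write-Host "IDP signer thumbprint: $($signer.Thumbprint)  valid until: $($signer.NotAfter)"

# Step 11: the SSO endpoint must use the HTTP-POST binding.
$sso = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLSingleSignOn -Uri $ssoUrl

# Steps 2 to 10 in one call (manual variant).
Add-ADFSClaimsProviderTrust -Name $displayName `
    -Identifier $identifier `
    -SamlEndpoint $sso `
    -TokenSigningCertificate $signer `
    -SignatureAlgorithm $sha1

# Metadata variant: build the trust from the published IDP metadata instead of the
# manual values above (use one variant or the other, not both).
# Add-ADFSClaimsProviderTrust -Name $displayName -MetadataUrl 'https://<IDP_METADATA_URL>'

# Mandatory after a metadata import (and harmless after the manual setup): force SHA-1.
Set-ADFSClaimsProviderTrust -TargetName $displayName -SignatureAlgorithm $sha1

# Check that identifier, signature algorithm and SSO binding match steps 6, 7, 11 and 12.
Get-ADFSClaimsProviderTrust -Name $displayName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = 'SsoBinding'; e = { ($_.SamlEndpoints |
            Where-Object { $_.Protocol -eq 'SAMLSingleSignOn' }).Binding } }
```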

Testing Authentication via SuisseID IDP

Authentication via the SuisseID IDP can be tested via an AD FS application at URL https://<ADFS_FQDN>/adfs/ls/IdpInitiatedSignon.aspx - we assume the ADFS hostname to be

  1. Point a browser to the above URL, for example and select “Sign in to this site”
  2. Select the previously configured SuisseID IDP (Production) as the server to login with
  3. You are redirected to the SuisseID IDP and required to login with a valid SuisseID or the corresponding Mobile Service credentials.
  4. Upon successful authentication at the SuisseID IDP, you are redirected back to the test application, which states “You are signed in.”




SuisseID is a registered trademark of SwissSign SA.