Working with an ADFS Proxy server.
fred at derf.nl
Wed Aug 15 11:57:31 EDT 2012
This is a follow-up to my previous question at
but to summarise we are interoperating with a Microsoft ADFS
installation. After more discussion with the ADFS administrator I have
come to understand that they use an ADFS proxy that speaks to the
"IdP" (account federation server) on behalf of the user. So it looks
Internet -> ADFS proxy (sso.a.example.com) -> firewall -> ADFS IdP
In the full request we use the "HTTP-POST" and "HTTP-Redirect"
elements from the client-provided metadata to determine where to send
the request from the user's browser. The SP then sets the
"Destination" XML attribute in the SAML AuthnRequest to the value
contained in those elements.
The problem is that the ADFS proxy (sso.a.example.com) requires the
"Destination" XML attribute be set to "adfs.a.example.com". So if I
set the metadata to use "adfs.a.example.com" then the "Destination"
attribute is correct but the user's browser tries to POST to
adfs.a.example.com which is not reachable from the Internet at large.
Conversely, if I set the metadata to use "sso.a.example.com" for the
HTTP Location URLs then the browser gets redirected to the IdP (aka
account federation server) but upon login and redirection the proxy
sends back an error to the SP:
SAML response contained an error.
Error from identity provider:
The ADFS administrator says that the HTTP POST/Redirect URLs need to
be set to sso.a.example.com while the "Destination" AuthnRequest
attribute must be set to "adfs.a.example.com". How can I achieve this?
How have other people interoperated with ADFS proxies?
As always, thanks!
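The mechanism behind the question, as an added example that is not part of the original post and not code from the poster or from ADFS: an SP reads the SingleSignOnService Location for each binding from the IdP metadata, puts that same URL into the AuthnRequest Destination attribute, and sends the browser there. SAML 2.0 Core (section 3.2.1) requires the recipient to check that Destination names the endpoint the message actually arrived at, which is why a Destination of sso.a.example.com is rejected if the host that finally evaluates the request checks it against adfs.a.example.com. The metadata, the /adfs/ls/ paths, the SP URLs and the assumption that the internal federation server applies the standard Destination check against its own URL are all constructed for this example.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata (not real ADFS output). The Locations point at the
# Internet-facing proxy host, as in the second configuration from the post.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.a.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.a.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.a.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Assumed URL the internal federation server compares Destination against.
INTERNAL_ENDPOINT = "https://adfs.a.example.com/adfs/ls/"


def sso_locations(metadata_xml: str) -> dict:
    """Map each SingleSignOnService Binding URI to its Location, as an SP does."""
    root = ET.fromstring(metadata_xml)
    return {
        el.get("Binding"): el.get("Location")
        for el in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    }


def build_authn_request(destination, acs_url, issuer, request_id=None, issue_instant=None):
    """Build a minimal unsigned AuthnRequest whose Destination is the URL it will be sent to."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "ProtocolBinding": BINDING_POST,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = issuer
    return ET.tostring(req, encoding="unicode")


def destination_of(authn_request_xml: str):
    return ET.fromstring(authn_request_xml).get("Destination")


def check_destination(authn_request_xml: str, received_at: str) -> bool:
    """Receiver-side rule from SAML 2.0 Core 3.2.1: if Destination is present it
    must identify the endpoint the message was received at; otherwise discard."""
    dest = destination_of(authn_request_xml)
    return dest is None or dest == received_at


def simulate(metadata_xml, internal_endpoint, sp_acs, sp_entity_id):
    """Walk the flow from the post: the SP takes the HTTP-POST Location from the
    metadata, sets Destination to it, the browser POSTs there, and the server
    that finally evaluates the request (assumed here to be the internal
    federation server at internal_endpoint) applies the Destination check."""
    post_url = sso_locations(metadata_xml)[BINDING_POST]
    req = build_authn_request(post_url, sp_acs, sp_entity_id)
    return {
        "browser_posts_to": post_url,
        "destination": destination_of(req),
        "accepted_by_internal_server": check_destination(req, internal_endpoint),
    }


if __name__ == "__main__":
    # Locations on the proxy host: reachable from the Internet, Destination rejected.
    print(simulate(IDP_METADATA, INTERNAL_ENDPOINT,
                   "https://sp.example.org/saml/acs", "https://sp.example.org/saml/metadata"))
    # Locations on the internal host: Destination accepted, but the browser
    # would be sent to a host it cannot reach.
    print(simulate(IDP_METADATA.replace("sso.a.example.com", "adfs.a.example.com"),
                   INTERNAL_ENDPOINT,
                   "https://sp.example.org/saml/acs", "https://sp.example.org/saml/metadata"))
```

The two `simulate` calls reproduce the two configurations from the post: with the metadata Locations on the proxy host the request is reachable but fails the Destination comparison, and with them on the internal host the comparison passes but the browser is sent somewhere it cannot reach. A standards-conforming SP has no third option, since it derives Destination from the same Location it posts to.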