Working with an ADFS Proxy server.

Friedrich Clausen fred at derf.nl
Wed Aug 15 11:57:31 EDT 2012


Hello,

This is a follow-up to my previous question at

http://goo.gl/mwf9a

but to summarise we are interoperating with a Microsoft ADFS
installation. After more discussion with the ADFS administrator I have
come to understand that they use an ADFS proxy that speaks to the
"IdP" (account federation server) on behalf of the user. So it looks
like this:

Internet -> ADFS proxy (sso.a.example.com) -> firewall -> ADFS IdP
(adfs.a.example.com)

In the full request [1] we use the "HTTP-POST" and "HTTP-Redirect"
elements from the client provided metadata to determine where to send
the request from the user's browser. The SP then sets the
"Destination" XML attribute in the SAML AuthnRequest to the value
contained in those elements.

The problem is that the ADFS proxy (sso.a.example.com) requires the
"Destination" XML attribute be set to "adfs.a.example.com". So if I
set the metadata to use "adfs.a.example.com" then the "Destination"
attribute is correct but the user's browser tries to POST to
adfs.a.example.com which is not reachable from the Internet at large.

Conversely, if I set the metadata to use "sso.a.example.com" for the
HTTP Location URLs then the browser gets redirected to the IdP (aka
account federation server) but upon login and redirection the proxy
sends back an error to the SP:

SAML response contained an error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Responder

The ADFS administrator says that the HTTP POST/Redirect URLs need to
be set to sso.a.example.com while the "Destination" AuthnRequest
attribute must be set to "adfs.a.example.com". How can I achieve this?
How have other people interoperated with ADFS proxies?

As always, thanks!

Fred.

[1] http://paste.ubuntu.com/1139312/
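To make the mismatch described in the post concrete, here is an added Python example (not Fred's code, nor Shibboleth's or ADFS's) that reads the SingleSignOnService Location for a binding from a constructed IdP metadata fragment, builds an AuthnRequest the way an SP normally does (Destination equal to the endpoint Location it will POST to), and then applies the check the receiving side performs on Destination. The hostnames follow the post; the paths, entityID and SP issuer are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata: endpoints name the Internet-facing proxy host, as in the post.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://adfs.a.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://sso.a.example.com/sso"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://sso.a.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_location(metadata_xml, binding):
    """Return the SingleSignOnService Location for the given binding, or None."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iter(f"{{{MD}}}SingleSignOnService"):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def build_authn_request(issuer, post_to, destination=None):
    """Minimal AuthnRequest; default SP behaviour is Destination == endpoint URL."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_id-constructed", "Version": "2.0",
        "IssueInstant": "2012-08-15T15:57:31Z",  # constructed timestamp
        "Destination": destination or post_to,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def destination_accepted(authn_request_xml, expected_destination):
    """The receiver's check: Destination must name the endpoint it expects."""
    root = ET.fromstring(authn_request_xml)
    return root.get("Destination") == expected_destination


def demo():
    """Compare the SP's default request with one whose Destination is pinned."""
    post_to = sso_location(IDP_METADATA, HTTP_POST)  # proxy host from metadata
    default_req = build_authn_request("https://sp.example.org/sp", post_to)
    pinned_req = build_authn_request("https://sp.example.org/sp", post_to,
                                     destination="https://adfs.a.example.com/sso")
    expected = "https://adfs.a.example.com/sso"  # what the proxy insists on, per the post
    return destination_accepted(default_req, expected), destination_accepted(pinned_req, expected)
```

`demo()` returns `(False, True)`: the default request is rejected because its Destination names the proxy, while the pinned one passes even though the browser still POSTs to the proxy host taken from metadata.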

