Working with an ADFS Proxy server.

Friedrich Clausen fred at
Wed Aug 15 11:57:31 EDT 2012


This is a follow-up to my previous question at

but to summarise we are interoperating with a Microsoft ADFS
installation. After more discussion with the ADFS administrator I have
come to understand that they use an ADFS proxy that speaks to the
"IdP" (account federation server) on behalf of the user. So it looks
like this

Internet -> ADFS proxy ( -> firewall -> ADFS IdP

In the full request [1] we use the "HTTP-POST" and "HTTP-Redirect"
elements from the client provided metadata to determine where to send
the request from the user's browser. The SP then sets the
"Destination" XML attribute in the SAML AuthnRequest to the value
contained in those elements.

The problem is that the ADFS proxy ( requires the
"Destination" XML attribute be set to "". So if I
set the metadata to use "" then the "Destination"
attribute is correct but the user's browser tries to POST to which is not reachable from the Internet at large.

Conversely, if I set the metadata to use "" for the
HTTP Location URLs then the browser gets redirected to the IdP (aka
account federation server) but upon login and redirection the proxy
sends back an error to the SP

SAML response contained an error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Responder

The ADFS administrators says that the HTTP POST/Redirect URLs need to
be set to while the "Destination" AuthnRequest
attribute must be set to "". How can I achieve this?
How have other people interoperated with ADFS proxies?

As always, thanks!



More information about the users mailing list