Fwd: Working with an ADFS Proxy server.
hazelton at wisc.edu
Wed Aug 15 14:32:37 EDT 2012
FYI, for comment. --KeithH
Begin forwarded message:
> From: Ryan Larscheidt <larscheidt at doit.wisc.edu>
> Date: August 15, 2012 1:12:02 PM CDT
> To: Steve Devoti <devoti at wisc.edu>, Keith Hazelton <hazelton at wisc.edu>
> Cc: Access Management Developers <am-dev at lists.wisc.edu>
> Subject: Re: Working with an ADFS Proxy server.
> In July, Microsoft announced that they natively support SAML2 and ECP, so there's no longer any reason to try to glue Shibboleth and ADFS together. http://technet.microsoft.com/en-us/library/jj205456.aspx
> Depending on what policy decisions are made, we'll (probably) either go full Microsoft (AD, ADFS, DirSync, etc), or we'll use SAML2 and ECP for authentication and provision accounts with FIM.
> On Aug 15, 2012, at 12:57 , Steve Devoti wrote:
>> From: Keith Hazelton [mailto:hazelton at wisc.edu]
>> Sent: Wednesday, August 15, 2012 12:45 PM
>> To: Steve Devoti; Joe Tarter
>> Subject: Fwd: Working with an ADFS Proxy server.
>> Possibly relevant to the Office 365 project if solutions involve MS ADFS. --keith
>> Begin forwarded message:
>> From: "Cantor, Scott" <cantor.2 at osu.edu>
>> Date: August 15, 2012 12:38:20 PM CDT
>> To: Shib Users <users at shibboleth.net>
>> Subject: Re: Working with an ADFS Proxy server.
>> Reply-To: Shib Users <users at shibboleth.net>
>> The problem is that the ADFS proxy (sso.a.example.com) requires the
>> "Destination" XML attribute be set to "adfs.a.example.com".
>> That's a bug. The analogous scenario is a load balancer doing SSL
>> offloading. Even though the back end server is at a different physical
>> location, it must pretend to be the virtual location of the load balancer
>> when it performs such comparisons. People screw this up with the SP and
>> IdP all the time, because it's the web server's responsibility to do these
>> Note that IIS does not support those adjustments either, which is probably
>> relevant to an ADFS situation.
>> If MS supports a proxied scenario but does not support virtualizing the
>> back end, you can't make it work.
>> The ADFS administrator says that the HTTP POST/Redirect URLs need to
>> be set to sso.a.example.com while the "Destination" AuthnRequest
>> attribute must be set to "adfs.a.example.com". How can I achieve this?
>> You can't. Well, you could change the code (or add plugins that duplicate
>> but tweak this value), but I'm ignoring that option.
>> I could imagine some very ugly hacks such as an option to override the
>> Destination value based on some kind of mapping table, but that's not
>> implemented now.
>> How have other people interoperated with ADFS proxies?
>> I would imagine they have not. A page to document things that don't work,
>> or how to work around issues is here:
>> -- Scott
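Scott's point that a proxied back end must compare against the proxy's virtual location, as an added example that is not part of this thread: the Destination check a SAML responder performs on an AuthnRequest, first with the back end using its own hostname (the mismatch described above) and then with the externally visible base URL configured. The hostnames are the ones in the thread; the AuthnRequest and the `external_base` setting are constructed for illustration.

```python
# Added example (not from the thread): SAML 2.0 Destination validation
# behind a proxy, with and without "virtualizing" the back end's hostname.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest: the SP addresses the endpoint it sees in metadata,
# i.e. the proxy (sso.a.example.com), so Destination names the proxy.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_constructed_example_id" Version="2.0"
    IssueInstant="2012-08-15T17:38:20Z"
    Destination="https://sso.a.example.com/adfs/ls/"/>"""


def destination_of(authn_request_xml: str) -> str:
    """Extract the Destination attribute of a samlp:AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    dest = root.get("Destination")
    if not dest:
        raise ValueError("Destination attribute missing")
    return dest


def normalize(url: str) -> tuple:
    """(scheme, host, port, path) with default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return (scheme, (p.hostname or "").lower(), port, p.path or "/")


def destination_matches(authn_request_xml: str, received_at: str,
                        external_base: str = None) -> bool:
    """True if Destination equals the endpoint the request arrived at.

    received_at:   the URL the back end itself observed (its own hostname).
    external_base: scheme://host[:port] the proxy presents to clients; when
                   set, the back end pretends to be the proxy's virtual
                   location (same idea as an SSL-offloading load balancer).
    """
    dest = normalize(destination_of(authn_request_xml))
    actual = normalize(received_at)
    if external_base:
        ext = normalize(external_base)
        actual = (ext[0], ext[1], ext[2], actual[3])  # keep back-end path
    return dest == actual
```

Run with the back end's own URL and the check fails, which is the behaviour the thread complains about; with `external_base` set to the proxy the same request passes.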