Fwd: Working with an ADFS Proxy server.

Keith Hazelton hazelton at wisc.edu
Wed Aug 15 14:32:37 EDT 2012


FYI, for comment.   --KeithH
_______
Begin forwarded message:

> From: Ryan Larscheidt <larscheidt at doit.wisc.edu>
> Date: August 15, 2012 1:12:02 PM CDT
> To: Steve Devoti <devoti at wisc.edu>, Keith Hazelton <hazelton at wisc.edu>
> Cc: Access Management Developers <am-dev at lists.wisc.edu>
> Subject: Re: Working with an ADFS Proxy server.
> 
> In July, Microsoft announced that they natively support SAML2 and ECP, so there's no longer any reason to try to glue Shibboleth and ADFS together.  http://technet.microsoft.com/en-us/library/jj205456.aspx
> 
> Depending on what policy decisions are made, we'll (probably) either go full Microsoft (AD, ADFS, DirSync, etc), or we'll use SAML2 and ECP for authentication and provision accounts with FIM.
> 
> Thanks,
> Ryan
> 
> On Aug 15, 2012, at 12:57 , Steve Devoti wrote:
> 
>> 
>> 
>> From: Keith Hazelton [mailto:hazelton at wisc.edu] 
>> Sent: Wednesday, August 15, 2012 12:45 PM
>> To: Steve Devoti; Joe Tarter
>> Subject: Fwd: Working with an ADFS Proxy server.
>> 
>> Possibly relevant to the Office 365 project if solutions involve MS ADFS.    --keith
>> __________
>> Begin forwarded message:
>> 
>> 
>> From: "Cantor, Scott" <cantor.2 at osu.edu>
>> Date: August 15, 2012 12:38:20 PM CDT
>> To: Shib Users <users at shibboleth.net>
>> Subject: Re: Working with an ADFS Proxy server.
>> Reply-To: Shib Users <users at shibboleth.net>
>> 
>> The problem is that the ADFS proxy (sso.a.example.com) requires the
>> "Destination" XML attribute be set to "adfs.a.example.com".
>> 
>> That's a bug. The analogous scenario is a load balancer doing SSL
>> offloading. Even though the back end server is at a different physical
>> location, it must pretend to be the virtual location of the load balancer
>> when it performs such comparisons. People screw this up with the SP and
>> IdP all the time, because it's the web server's responsibility to do these
>> adjustments.
>> 
>> Note that IIS does not support those adjustments either, which is probably
>> relevant to an ADFS situation.
>> 
>> If MS supports a proxied scenario but does not support virtualizing the
>> back end, you can't make it work.
>> 
>> 
>> The ADFS administrator says that the HTTP POST/Redirect URLs need to
>> be set to sso.a.example.com while the "Destination" AuthnRequest
>> attribute must be set to "adfs.a.example.com". How can I achieve this?
>> 
>> You can't. Well, you could change the code (or add plugins that duplicate
>> but tweak this value), but I'm ignoring that option.
>> 
>> I could imagine some very ugly hacks such as an option to override the
>> Destination value based on some kind of mapping table, but that's not
>> implemented now.
>> 
>> 
>> How have other people interoperated with ADFS proxies?
>> 
>> I would imagine they have not. A page to document things that don't work,
>> or how to work around issues is here:
>> 
>> https://wiki.shibboleth.net/confluence/display/SHIB2/MicrosoftInterop
>> 
>> -- Scott
>> 
>> 
> 
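
The virtualization Scott describes, as an added illustration that is not code from Shibboleth, ADFS or anyone on this thread: a back end behind a TLS-offloading proxy checks the AuthnRequest "Destination" against the proxy's advertised location (sso.a.example.com), not its own physical name (adfs.a.example.com). The X-Forwarded-Host/X-Forwarded-Proto headers, the trusted-hop flag and the sample request are assumptions made for the example.

```python
"""Destination check for a SAML 2.0 AuthnRequest received behind an offloading proxy.

Added example, not Shibboleth/ADFS code. Host names follow the thread
(sso.a.example.com is the proxy, adfs.a.example.com the back end).
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest, as the proxy would forward it to the back end.
# The SP correctly addressed it to the *virtual* (proxy) location.
REQUEST_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_example_id_1" Version="2.0" IssueInstant="2012-08-15T17:38:20Z"
  Destination="https://sso.a.example.com/adfs/ls/"/>"""


def extract_destination(xml_text):
    """Return the Destination attribute of an AuthnRequest, or None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("Destination")


def effective_url(local_host, path, headers, trust_proxy):
    """URL the client actually used.

    Behind an SSL-offloading proxy the back end must pretend to be the proxy's
    virtual location, so it adopts the forwarded host/scheme. It does so only
    when the hop is trusted; otherwise a client could forge those headers.
    (Header names are an assumption of this example.)
    """
    scheme, host = "http", local_host
    if trust_proxy:
        host = headers.get("X-Forwarded-Host", host)
        scheme = headers.get("X-Forwarded-Proto", scheme)
    return f"{scheme}://{host}{path}"


def destination_matches(xml_text, local_host, path, headers, trust_proxy):
    """True when Destination equals the URL the request was received at."""
    dest = extract_destination(xml_text)
    if dest is None:
        return False  # Destination is mandatory on signed/front-channel requests
    a = urlsplit(dest)
    b = urlsplit(effective_url(local_host, path, headers, trust_proxy))
    return (a.scheme, a.netloc.lower(), a.path) == (b.scheme, b.netloc.lower(), b.path)
```

With the proxy hop trusted, the request above is accepted at adfs.a.example.com; with the forwarded headers ignored the same request is rejected, which is the mismatch the thread is fighting.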
