Working with an ADFS Proxy server.

Yannick Béot yannick.beot at gmail.com
Wed Aug 15 14:38:39 EDT 2012


Hi,

The only way to make it work is to have the same URL for the Proxy and the
back-end server. You have to play on DNS to make it work.
Everything is explained there:
http://technet.microsoft.com/en-us/library/dd807055(v=ws.10).aspx

Yannick

On Wed, Aug 15, 2012 at 7:38 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> >The problem is that the ADFS proxy (sso.a.example.com) requires the
> >"Destination" XML attribute be set to "adfs.a.example.com".
>
> That's a bug. The analogous scenario is a load balancer doing SSL
> offloading. Even though the back end server is at a different physical
> location, it must pretend to be the virtual location of the load balancer
> when it performs such comparisons. People screw this up with the SP and
> IdP all the time, because it's the web server's responsibility to do these
> adjustments.
>
> Note that IIS does not support those adjustments either, which is probably
> relevant to an ADFS situation.
>
> If MS supports a proxied scenario but does not support virtualizing the
> back end, you can't make it work.
>
> >The ADFS administrators says that the HTTP POST/Redirect URLs need to
> >be set to sso.a.example.com while the "Destination" AuthnRequest
> >attribute must be set to "adfs.a.example.com". How can I achieve this?
>
> You can't. Well, you could change the code (or add plugins that duplicate
> but tweak this value), but I'm ignoring that option.
>
> I could imagine some very ugly hacks such as an option to override the
> Destination value based on some kind of mapping table, but that's not
> implemented now.
>
> >How have other people interoperated with ADFS proxies?
>
> I would imagine they have not. A page to document things that don't work,
> or how to work around issues is here:
>
> https://wiki.shibboleth.net/confluence/display/SHIB2/MicrosoftInterop
>
> -- Scott
>
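
Added example, not part of either message and not Shibboleth or ADFS code: a minimal Destination check showing why a back end that compares against its physical name rejects a request addressed to the proxy, and why comparing against the published (virtual) name accepts it. The function names, the `/adfs/ls/` path and the sample AuthnRequest are constructed for illustration; treating a missing Destination as a failure is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest addressed to the proxy's public name.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2012-08-15T18:00:00Z" '
    'Destination="https://sso.a.example.com/adfs/ls/"/>'
)

def normalize(url):
    """Canonical form for comparison: lowercase scheme/host, no default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return f"{scheme}://{netloc}{parts.path or '/'}"

def local_endpoint(scheme, host, path, virtual=None):
    """URL the receiver believes it was addressed at.

    virtual is an optional (scheme, host) pair naming the published location
    in front of the server (proxy or load balancer); when set it replaces the
    physical values taken from the incoming connection.
    """
    if virtual is not None:
        scheme, host = virtual
    return normalize(f"{scheme}://{host}{path}")

def destination_ok(request_xml, endpoint_url):
    """True if the request's Destination matches the receiver's own endpoint."""
    # Constructed input only; untrusted SAML needs a hardened XML parser.
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    destination = root.get("Destination")
    if destination is None:
        return False  # assumption: this example requires Destination
    return normalize(destination) == endpoint_url

if __name__ == "__main__":
    physical = local_endpoint("https", "adfs.a.example.com", "/adfs/ls/")
    virtual = local_endpoint("https", "adfs.a.example.com", "/adfs/ls/",
                             virtual=("https", "sso.a.example.com"))
    print("physical identity:", destination_ok(SAMPLE_AUTHN_REQUEST, physical))
    print("virtual identity: ", destination_ok(SAMPLE_AUTHN_REQUEST, virtual))
```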