Working with an ADFS Proxy server.
fred at derf.nl
Thu Aug 16 10:33:46 EDT 2012
Thanks for the information! I understand why it can't work as I
previously described. There is hope however - Yannick, that technet
article was especially useful and I will be asking the customer to
make the requisite DNS changes for this to work.
From what I understand of the technet article (referencing my
previous examples), there need only be one DNS record,
adfs.a.example.com. This would resolve differently depending on the
source location of the request; e.g. an internal lookup will resolve
an internal federation server IP whereas an external lookup will
resolve the public IP of the ADFS proxy. I believe this is similar to
the ISC Bind name server's "views" but in a Windows DNS environment.
On Wed, Aug 15, 2012 at 8:38 PM, Yannick Béot <yannick.beot at gmail.com> wrote:
> The only way to make it work is to have the same URL for the Proxy and the
> back-end server. You have to play on DNS to make it work
> Everything is explained there:
> On Wed, Aug 15, 2012 at 7:38 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>> >The problem is that the ADFS proxy (sso.a.example.com) requires the
>> >"Destination" XML attribute be set to "adfs.a.example.com".
>> That's a bug. The analogous scenario is a load balancer doing SSL
>> offloading. Even though the back end server is at a different physical
>> location, it must pretend to be the virtual location of the load balancer
>> when it performs such comparisons. People screw this up with the SP and
>> IdP all the time, because it's the web server's responsibility to do these
>> Note that IIS does not support those adjustments either, which is probably
>> relevant to an ADFS situation.
>> If MS supports a proxied scenario but does not support virtualizing the
>> back end, you can't make it work.
>> >The ADFS administrators says that the HTTP POST/Redirect URLs need to
>> >be set to sso.a.example.com while the "Destination" AuthnRequest
>> >attribute must be set to "adfs.a.example.com". How can I achieve this?
>> You can't. Well, you could change the code (or add plugins that duplicate
>> but tweak this value), but I'm ignoring that option.
>> I could imagine some very ugly hacks such as an option to override the
>> Destination value based on some kind of mapping table, but that's not
>> implemented now.
>> >How have other people interoperated with ADFS proxies?
>> I would imagine they have not. A page to document things that don't work,
>> or how to work around issues is here:
>> -- Scott
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
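The Destination comparison the thread argues about, as an added example that is not part of the original messages or of ADFS or Shibboleth code: a responder checks the AuthnRequest's Destination attribute against the URL it believes it is serving. Behind a proxy that check only passes when the back end is configured with the public (virtual) endpoint, which is Scott's load-balancer point; the split-DNS arrangement Fred describes avoids the problem by making the public name and the internal name identical. The hostnames, the endpoint path and the sample request are constructed for illustration.

```python
"""Destination attribute check as performed by a SAML responder.

Shows why a proxied endpoint must be compared against the externally
visible URL (the "virtual location") and not the back-end host's own name.
All names and the sample AuthnRequest below are constructed.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest (not captured from a real SP). The SP
# posts it to the public proxy name and sets Destination to match.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed-id-1" '
    'Version="2.0" IssueInstant="2012-08-16T14:33:46Z" '
    'Destination="https://sso.a.example.com/adfs/ls/" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>'
    % SAMLP_NS
)


def extract_destination(xml_text: str) -> Optional[str]:
    """Return the Destination attribute of a samlp:AuthnRequest, or None."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("Destination")


def normalise_endpoint(url: str) -> Tuple[str, str, int, str]:
    """Scheme and host compared case-insensitively, default port filled in,
    path compared as given (the SAML endpoint path is case-sensitive)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme, 0)
    return scheme, host, port, parts.path or "/"


def destination_matches(destination: Optional[str], served_url: str) -> bool:
    """True when Destination names the same endpoint the responder serves."""
    if not destination:
        return False
    return normalise_endpoint(destination) == normalise_endpoint(served_url)


def validate_request(xml_text: str, served_url: str) -> Tuple[bool, str]:
    """Accept or reject a request for the endpoint `served_url`.

    Behind a proxy or load balancer, `served_url` must be the *public* URL
    the client actually posted to; a back end that compares against its
    own internal hostname rejects every proxied request.
    """
    dest = extract_destination(xml_text)
    if dest is None:
        return False, "missing Destination"
    if not destination_matches(dest, served_url):
        return False, "Destination %s != endpoint %s" % (dest, served_url)
    return True, "ok"


if __name__ == "__main__":
    # Back end configured with its own name: the mismatch the thread describes.
    print(validate_request(SAMPLE_AUTHN_REQUEST,
                           "https://adfs.a.example.com/adfs/ls/"))
    # Back end configured with the proxy's public name (virtualised endpoint),
    # or a single split-horizon name shared by proxy and back end: accepted.
    print(validate_request(SAMPLE_AUTHN_REQUEST,
                           "https://sso.a.example.com/adfs/ls/"))
```

The served URL should come from the responder's own configuration, not from request headers such as Host or X-Forwarded-Host, which a client controls; the comparison is only meaningful if the expected endpoint is fixed by the administrator.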