Working with an ADFS Proxy server.

Friedrich Clausen fred at
Thu Aug 16 10:33:46 EDT 2012

Hi All,

Thanks for the information! I understand why it can't work as I
previously described. There is hope however - Yannick, that technet
article was especially useful and I will be asking the customer to
make the requisite DNS changes for this to work.

From what I understand of the technet article [1] (referencing my
previous examples), there need only be one DNS record. This would resolve differently depending on the
source location of the request; e.g. an internal lookup will resolve to
the internal federation server IP whereas an external lookup will
resolve to the public IP of the ADFS proxy. I believe this is similar to
the ISC BIND name server's "views" but in a Windows DNS environment.

On Wed, Aug 15, 2012 at 8:38 PM, Yannick Béot <yannick.beot at> wrote:
> Hi,
> The only way to make it work is to have the same URL for the Proxy and the
> back-end server. You have to play on DNS to make it work
> Everything is explained there:
> Yannick
> On Wed, Aug 15, 2012 at 7:38 PM, Cantor, Scott <cantor.2 at> wrote:
>> >The problem is that the ADFS proxy ( requires the
>> >"Destination" XML attribute be set to "".
>> That's a bug. The analogous scenario is a load balancer doing SSL
>> offloading. Even though the back end server is at a different physical
>> location, it must pretend to be the virtual location of the load balancer
>> when it performs such comparisons. People screw this up with the SP and
>> IdP all the time, because it's the web server's responsibility to do these
>> adjustments.
>> Note that IIS does not support those adjustments either, which is probably
>> relevant to an ADFS situation.
>> If MS supports a proxied scenario but does not support virtualizing the
>> back end, you can't make it work.
>> >The ADFS administrators says that the HTTP POST/Redirect URLs need to
>> >be set to while the "Destination" AuthnRequest
>> >attribute must be set to "". How can I achieve this?
>> You can't. Well, you could change the code (or add plugins that duplicate
>> but tweak this value), but I'm ignoring that option.
>> I could imagine some very ugly hacks such as an option to override the
>> Destination value based on some kind of mapping table, but that's not
>> implemented now.
>> >How have other people interoperated with ADFS proxies?
>> I would imagine they have not. A page to document things that don't work,
>> or how to work around issues is here:
>> -- Scott
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at
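The comparison Scott describes (a back end behind an SSL-offloading proxy must treat the proxy's virtual URL as its own location when it checks the AuthnRequest "Destination" attribute) as an added example in Python. This is not code from the Shibboleth or ADFS projects or from anyone in this thread; the hostnames, paths, headers and the AuthnRequest document are constructed for illustration, and the X-Forwarded-* headers are assumed to be what the proxy sets.

```python
"""Check a SAML AuthnRequest's Destination at an endpoint behind a reverse proxy.

Added example; not code from the Shibboleth/ADFS projects or the thread.
Hostnames, paths, headers and the request XML below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed locations: the physical back-end federation server and the
# public (virtual) name served by the proxy / SSL offloader.
PHYSICAL_LOCATION = "http://fs-backend.corp.example:8080/adfs/ls/"
VIRTUAL_LOCATION = "https://fs.example.com/adfs/ls/"

# Constructed AuthnRequest: the SP addresses the endpoint it sees, the proxy.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest
    xmlns:samlp="{SAMLP_NS}"
    ID="_constructed-id-1" Version="2.0"
    IssueInstant="2012-08-15T19:38:00Z"
    Destination="{VIRTUAL_LOCATION}">
</samlp:AuthnRequest>"""

# Headers as an SSL-offloading proxy would forward them (constructed, assumed).
PROXIED_HEADERS = {
    "Host": "fs-backend.corp.example:8080",
    "X-Forwarded-Host": "fs.example.com",
    "X-Forwarded-Proto": "https",
}


def extract_destination(authn_request_xml: str) -> Optional[str]:
    """Return the Destination attribute of a samlp:AuthnRequest, if present."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("Destination")


def normalize(url: str) -> tuple:
    """Canonical form: lower-cased scheme and host, default port filled in, path kept."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port, parts.path)


def endpoint_location(headers: dict, path: str, behind_trusted_proxy: bool) -> str:
    """Reconstruct the URL the client actually used for this endpoint.

    With behind_trusted_proxy=False the back end reports its physical host,
    which is the failure mode discussed in the thread. With True it adopts the
    proxy's virtual scheme and host from X-Forwarded-*; these headers are only
    honoured when the request is known to arrive from the trusted proxy,
    since any client could otherwise supply them.
    """
    host = headers.get("Host", "")
    scheme = "http"
    if behind_trusted_proxy:
        host = headers.get("X-Forwarded-Host", host)
        scheme = headers.get("X-Forwarded-Proto", scheme)
    return f"{scheme}://{host}{path}"


def destination_matches(authn_request_xml: str, location: str) -> bool:
    """True when the request's Destination names this endpoint's location."""
    dest = extract_destination(authn_request_xml)
    return dest is not None and normalize(dest) == normalize(location)


def demo() -> dict:
    """Compare the physical-host check with the virtualized check for one request."""
    naive = endpoint_location(PROXIED_HEADERS, "/adfs/ls/", behind_trusted_proxy=False)
    virtual = endpoint_location(PROXIED_HEADERS, "/adfs/ls/", behind_trusted_proxy=True)
    return {
        "naive_location": naive,
        "naive_matches": destination_matches(SAMPLE_AUTHN_REQUEST, naive),
        "virtual_location": virtual,
        "virtual_matches": destination_matches(SAMPLE_AUTHN_REQUEST, virtual),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the request rejected when the back end compares against `http://fs-backend.corp.example:8080/adfs/ls/` and accepted once it compares against the proxy's `https://fs.example.com/adfs/ls/`, which is the adjustment the web server (or, here, the back end) has to make; the `normalize` step also keeps host case and an explicit default port from producing spurious mismatches.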
