Working with an ADFS Proxy server.

Friedrich Clausen fred at derf.nl
Thu Aug 16 10:33:46 EDT 2012


Hi All,

Thanks for the information! I understand why it can't work as I
previously described. There is hope however - Yannick, that technet
article was especially useful and I will be asking the customer to
make the requisite DNS changes for this to work.

From what I understand of the technet article [1] (referencing my
previous examples), there need only be one DNS record,
adfs.a.example.com. This would resolve differently depending on the
source location of the request; e.g. an internal lookup will resolve
an internal federation server IP whereas an external lookup will
resolve the public IP of the ADFS proxy. I believe this is similar to
the ISC Bind name server's "views" but in a Windows DNS environment.

Cheers,

Fred.

[1] http://technet.microsoft.com/en-us/library/dd807055(v=ws.10).aspx

On Wed, Aug 15, 2012 at 8:38 PM, Yannick Béot <yannick.beot at gmail.com> wrote:
> Hi,
>
> The only way to make it work is to have the same URL for the Proxy and the
> back-end server. You have to play on DNS to make it work
> Everything is explained there:
> http://technet.microsoft.com/en-us/library/dd807055(v=ws.10).aspx
>
> Yannick
>
>
> On Wed, Aug 15, 2012 at 7:38 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>>
>> >The problem is that the ADFS proxy (sso.a.example.com) requires the
>> >"Destination" XML attribute be set to "adfs.a.example.com".
>>
>> That's a bug. The analogous scenario is a load balancer doing SSL
>> offloading. Even though the back end server is at a different physical
>> location, it must pretend to be the virtual location of the load balancer
>> when it performs such comparisons. People screw this up with the SP and
>> IdP all the time, because it's the web server's responsibility to do these
>> adjustments.
>>
>> Note that IIS does not support those adjustments either, which is probably
>> relevant to an ADFS situation.
>>
>> If MS supports a proxied scenario but does not support virtualizing the
>> back end, you can't make it work.
>>
>> >The ADFS administrators says that the HTTP POST/Redirect URLs need to
>> >be set to sso.a.example.com while the "Destination" AuthnRequest
>> >attribute must be set to "adfs.a.example.com". How can I achieve this?
>>
>> You can't. Well, you could change the code (or add plugins that duplicate
>> but tweak this value), but I'm ignoring that option.
>>
>> I could imagine some very ugly hacks such as an option to override the
>> Destination value based on some kind of mapping table, but that's not
>> implemented now.
>>
>> >How have other people interoperated with ADFS proxies?
>>
>> I would imagine they have not. A page to document things that don't work,
>> or how to work around issues is here:
>>
>> https://wiki.shibboleth.net/confluence/display/SHIB2/MicrosoftInterop
>>
>> -- Scott
>>
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
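Scott's load-balancer analogy, as an added illustration that is not code from this thread, from Shibboleth or from ADFS: the back end compares the AuthnRequest's Destination against the URL it believes it is serving, so unless it "virtualizes" itself to the proxy's public name (here via assumed X-Forwarded-Host/X-Forwarded-Proto headers, which must only be trusted when set by the proxy itself) the comparison fails exactly as described for sso.a.example.com vs. adfs.a.example.com.

```python
"""Destination check for a SAML AuthnRequest received behind a proxy,
with and without the back end adopting the proxy's virtual location."""
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the SP addressed this request to the proxy's name.
AUTHN_REQUEST = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_example1" Version="2.0" IssueInstant="2012-08-15T00:00:00Z"
  Destination="https://sso.a.example.com/adfs/ls/"/>"""

# Constructed headers as the back-end federation server sees them.
PROXIED_HEADERS = {"Host": "adfs.a.example.com",
                   "X-Forwarded-Host": "sso.a.example.com",
                   "X-Forwarded-Proto": "https"}


def destination_of(xml_text: str) -> str:
    """Extract the mandatory-for-this-check Destination attribute."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    dest = root.get("Destination")
    if not dest:
        raise ValueError("AuthnRequest has no Destination attribute")
    return dest


def effective_url(headers: dict, path: str, virtualize: bool) -> str:
    """URL the back end believes it is serving.

    Without virtualization it uses its own Host header (internal name).
    With virtualization it adopts the front end's forwarded host/scheme
    (hypothetical header names; trust them only from the proxy itself).
    """
    host, scheme = headers["Host"], "https"
    if virtualize:
        host = headers.get("X-Forwarded-Host", host)
        scheme = headers.get("X-Forwarded-Proto", scheme)
    return f"{scheme}://{host}{path}"


def destination_matches(xml_text: str, headers: dict, path: str,
                        virtualize: bool) -> bool:
    """True when Destination equals the URL the request arrived at."""
    return destination_of(xml_text) == effective_url(headers, path, virtualize)


if __name__ == "__main__":
    for v in (False, True):
        ok = destination_matches(AUTHN_REQUEST, PROXIED_HEADERS, "/adfs/ls/", v)
        print(f"virtualize={v}: Destination check {'passes' if ok else 'fails'}")
```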