Working with an ADFS Proxy server.

Friedrich Clausen fred at
Fri Aug 17 09:32:23 EDT 2012

Hi Yannick, All,

Just to follow up in case someone reads the archives one day and wants
to know the conclusion. That MS Technet article [1] about DNS changes
was key; by asking the customer to set up split DNS, as described in
the article, we can now complete the transaction and are returned to
the SP.

Now I am just trying to map the attributes properly but that might be
the stuff of another post if I get stuck. First I'll read all there is
to read on the Wiki interop page.




On Thu, Aug 16, 2012 at 4:33 PM, Friedrich Clausen <fred at> wrote:
> Hi All,
> Thanks for the information! I understand why it can't work as I
> previously described. There is hope however - Yannick, that technet
> article was especially useful and I will be asking the customer to
> make the requisite DNS changes for this to work.
> From what I understand of the technet article [1] (referencing my
> previous examples), there need only be one DNS record,
> This would resolve differently depending on the
> source location of the request; e.g. an internal lookup will resolve
> an internal federation server IP whereas an external lookup will
> resolve the public IP of the ADFS proxy. I believe this is similar to
> the ISC Bind name server's "views" but in a Windows DNS environment.
> Cheers,
> Fred.
> [1]
> On Wed, Aug 15, 2012 at 8:38 PM, Yannick Béot <yannick.beot at> wrote:
>> Hi,
>> The only way to make it work is to have the same URL for the Proxy and the
>> back-end server. You have to play on DNS to make it work
>> Everything is explained there:
>> Yannick
>> On Wed, Aug 15, 2012 at 7:38 PM, Cantor, Scott <cantor.2 at> wrote:
>>> >The problem is that the ADFS proxy ( requires the
>>> >"Destination" XML attribute be set to "".
>>> That's a bug. The analogous scenario is a load balancer doing SSL
>>> offloading. Even though the back end server is at a different physical
>>> location, it must pretend to be the virtual location of the load balancer
>>> when it performs such comparisons. People screw this up with the SP and
>>> IdP all the time, because it's the web server's responsibility to do these
>>> adjustments.
>>> Note that IIS does not support those adjustments either, which is probably
>>> relevant to an ADFS situation.
>>> If MS supports a proxied scenario but does not support virtualizing the
>>> back end, you can't make it work.
>>> >The ADFS administrators says that the HTTP POST/Redirect URLs need to
>>> >be set to while the "Destination" AuthnRequest
>>> >attribute must be set to "". How can I achieve this?
>>> You can't. Well, you could change the code (or add plugins that duplicate
>>> but tweak this value), but I'm ignoring that option.
>>> I could imagine some very ugly hacks such as an option to override the
>>> Destination value based on some kind of mapping table, but that's not
>>> implemented now.
>>> >How have other people interoperated with ADFS proxies?
>>> I would imagine they have not. A page to document things that don't work,
>>> or how to work around issues is here:
>>> -- Scott
>>> --
>>> To unsubscribe from this list send an email to
>>> users-unsubscribe at
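As an added example (not code from this thread, nor from ADFS or Shibboleth), here is the Destination comparison Scott describes, in Python: the recipient of an AuthnRequest checks the message's Destination attribute against the URL it believes it was reached at, and discards the message on a mismatch (SAML 2.0 Core, 3.2.1). The hostnames, the SP entity ID, the request ID and the scenario helpers are constructed placeholders, and the comparison is a simplified stand-in for what a real IdP or proxy does, not ADFS's implementation.

```python
"""Destination check on a SAML 2.0 AuthnRequest, as a recipient performs it.

Added illustration; hostnames and identifiers below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(destination: str, issuer: str, request_id: str = "_abc123") -> str:
    """Build a minimal AuthnRequest carrying the given Destination (constructed sample)."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2012-08-17T13:32:23Z",
        "Destination": destination,
        "AssertionConsumerServiceURL": "https://sp.example.org/Shibboleth.sso/SAML2/POST",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def normalize(url: str) -> tuple:
    """Scheme and host compared case-insensitively, default ports dropped, path kept verbatim."""
    p = urlsplit(url)
    port = p.port
    if (p.scheme.lower() == "https" and port == 443) or (p.scheme.lower() == "http" and port == 80):
        port = None
    return (p.scheme.lower(), (p.hostname or "").lower(), port, p.path or "/")


def destination_matches(authn_request_xml: str, received_at: str) -> bool:
    """True if Destination names the location this endpoint was reached at.

    A missing Destination is permitted by the spec, so no check is made then.
    """
    root = ET.fromstring(authn_request_xml)
    dest = root.get("Destination")
    if dest is None:
        return True
    return normalize(dest) == normalize(received_at)


# Hypothetical names standing in for the two hosts elided in the thread.
PROXY_URL = "https://adfs.example.com/adfs/ls/"         # public name, resolves to the ADFS proxy
INTERNAL_URL = "https://adfs-int.example.com/adfs/ls/"  # back-end federation server's own name


def scenario(sp_posts_to: str, backend_believes: str) -> bool:
    """The SP stamps Destination with the URL it posts to; the back end compares
    that against the location it is configured to believe it serves."""
    xml = build_authn_request(destination=sp_posts_to, issuer="https://sp.example.org/shibboleth")
    return destination_matches(xml, backend_believes)


def without_split_dns() -> bool:
    # SP targets the proxy's public name; the back end still thinks it lives at
    # its internal name and does not virtualize the proxy's location -> mismatch.
    return scenario(sp_posts_to=PROXY_URL, backend_believes=INTERNAL_URL)


def with_split_dns() -> bool:
    # One name everywhere: it resolves to the proxy outside and to the federation
    # server inside, so what the SP stamps and what the back end expects coincide.
    return scenario(sp_posts_to=PROXY_URL, backend_believes=PROXY_URL)


if __name__ == "__main__":
    print("without split DNS:", without_split_dns())  # False
    print("with split DNS:   ", with_split_dns())     # True
```

The `normalize` step matters in practice: an SP that writes `https://ADFS.example.com:443/adfs/ls/` and a back end configured with `https://adfs.example.com/adfs/ls/` name the same location, and a byte-for-byte string compare would reject a request that should pass. Path comparison is left exact, since `/adfs/ls/` and `/adfs/ls` are different endpoints as far as the protocol is concerned.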
