interop with ADFS 2

Paul Hethmon paul.hethmon at clareitysecurity.com
Thu Jan 19 15:05:58 GMT 2012


Mike,

Thanks for the feedback. Fortunately I'm not the one using ADFS. I just
run the IdP that they need to connect to. It's just interesting to me that
ADFS acting as an SP will refuse to send the browser to an HTTP only IdP
endpoint. I can see them requiring SSL on their side, since the person
running the ADFS site would have that level of control, but requiring the
partner IdP to use it is just a bug.

While I would like to run SSL for my IdPs (and always offer it as a
choice to my customers), the fact is that they are more concerned with
their end users calling them about the security warning pop-ups when they
would leave the SSL protected IdP for the non-SSL protected SP. That's
just the majority use case in the real estate MLS world.

thanks,

Paul


>Hi Paul, The simple answer to your question is what you were told about
>ADFSv2 only accepting ssl/tls connections is true for all sides of the
>equation - IDP, SP & attribute store. So unless the endpoints can enable
>SSL you will need to get creative with your architecture to use ADFS.
>mike

>>So I've got a new SP that is using ADFS 2 for SAML support. They are
>>telling me that ADFS 2 will not interoperate with an IdP unless that IdP
>>uses SSL. So if the IdP only supports ACS locations with "http", they are
>>saying ADFS refuses to work.
>>
>>I've read what I can find and while many examples use "https" endpoints, I
>>can't find anything which says it's required. Does anyone have any
>>knowledge of whether ADFS can use http only?
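The thread turns on which endpoint URLs in the IdP's SAML metadata are plain "http". An added example, not part of this thread or of any ADFS or Shibboleth code, that walks a SAML 2.0 EntityDescriptor and reports every endpoint Location or ResponseLocation that is not https, so a metadata file can be checked before it is exchanged with an ADFS partner. The metadata document below is constructed for illustration; the entity ID and hostnames are assumptions.

```python
"""Flag non-HTTPS endpoints in SAML 2.0 metadata.

Added example (not from the mailing-list thread): ADFS 2 is reported to
refuse an IdP whose endpoints are plain "http", so this script parses an
EntityDescriptor and lists every endpoint URL that is not https.
The sample metadata is constructed; its hostnames are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Endpoint elements whose Location / ResponseLocation attributes carry a URL.
ENDPOINT_TAGS = (
    "SingleSignOnService",
    "SingleLogoutService",
    "AssertionConsumerService",
    "ArtifactResolutionService",
    "AttributeService",
)


def find_insecure_endpoints(metadata_xml: str):
    """Return a list of (element, attribute, url) triples for every endpoint
    URL in the metadata whose scheme is not https."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for tag in ENDPOINT_TAGS:
        for el in root.iter(f"{{{MD_NS}}}{tag}"):
            for attr in ("Location", "ResponseLocation"):
                url = el.get(attr)
                if url is None:
                    continue
                if urlsplit(url).scheme.lower() != "https":
                    findings.append((tag, attr, url))
    return findings


# Constructed sample: an IdP that offers SSO over both http and https,
# and a logout endpoint whose ResponseLocation is plain http.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/idp/SSO/Redirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/idp/SSO/POST"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/SLO/Redirect"
        ResponseLocation="http://idp.example.test/idp/SLO/Response"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_endpoints(SAMPLE_METADATA):
        print(f"{tag}/{attr} is not https: {url}")
```

The same function works on an SP's metadata, where the AssertionConsumerService locations are the ones that matter for the "http" ACS case raised in the original question.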



More information about the users mailing list