ADFS, SharePoint, and InCommon?
Tom Scavo
trscavo at gmail.com
Sat Nov 3 12:56:36 EDT 2012
On Fri, Nov 2, 2012 at 4:28 PM, Albert Lunde
<albert-lunde at northwestern.edu> wrote:
>
> The
> cookbook examples seem to describe tweaking both Shibboleth and ADFS
> configurations, but we have no control of remote InCommon Shibboleth
> IdPs, and I'm not sure that the metadata for an ADFS/SharePoint web site
> would be orthodox enough to publish via InCommon.
The problem is not so much publishing metadata for the SP (since
InCommon completely controls the format and content of that metadata),
but rather how your SP will 1) refresh metadata, and 2) discover IdPs.
The two problems are related.
AFAIK, AD FS 2.0 will not consume InCommon metadata (or any metadata
wrapped with an <md:EntitiesDescriptor> element) so you'll need a
workaround for that. There is a 3rd-party script floating around
somewhere but I haven't tried it. I'd be interested in knowing how you
ultimately solve this problem.
Once the workaround is in place, you may get discovery for free, but
if that too requires a workaround, a centralized discovery service
might help. InCommon provides one but you may wish to deploy a
different DS (such as the Shibboleth DS) to service AD FS.
Just some thoughts for your consideration :-) Let me know how it turns out.
Tom
More information about the users
mailing list