ADFS Shibboleth question
Chris Phillips
Chris.Phillips at canarie.ca
Thu Apr 3 10:49:28 EDT 2014
If you are replacing your Shib IdP with ADFS as the IdP and answering SAML requests, maybe, but I could see a lot of heartache managing metadata within ADFS and doing claims mapping.
See adfstoolkit.org for more in this vein and related comments from Scott a few moments ago.
It's plausible (and debatable) to have Shibboleth as the IdP on IIS and defer to ADFS for sign on (like Shibboleth can do with CAS), but the Shibboleth software would need more than just a token: it would need the unique identifier to look up the user in Shibboleth to be able to handle other Shibboleth protected services, and Office 365 would just use ADFS.
If you wanted to transition away from CAS to this, it's possible, at the expense that any CAS'ified apps will need to be converted to SAML or ADFS.
I would encourage you to have the consultant diagram out his/her recommendations in detail, with the sign on use cases exercised with it.
You could always use the SAML capabilities of Office365[1] and skip ADFS entirely, but I suspect that Lync and Office Subscriptions may not work as expected (well, likely not at all, in which case you would need ADFS).
Chris.
[1] http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365
From: Qian, Yi <yqian at ku.edu>
Reply-To: Shib Users <users at shibboleth.net>
Date: Thursday, 3 April, 2014 10:30 AM
To: Shib Users <users at shibboleth.net>
Subject: ADFS Shibboleth question
Hello,
The University of Kansas is using a Shibboleth IdP to authenticate our users; now we are adding ADFS as an IdP to authenticate users for O365. The consultant from MS told us that after a successful ADFS authentication, the Shib IdP can obtain the token issued by ADFS, so the user does not need to log in to Shib-protected resources.
I think there must be some piece missing; should there be something like an SP or some type of relying party sitting in front of the Shib IdP to intercept this token? But I do not know how.
Thanks for the help
Yi