Paul B. Henson
henson at cpp.edu
Wed Aug 19 16:18:31 EDT 2015
So we are in the same boat as I assume many other people reliant on Microsoft services are, with both a shibboleth idp and an ADFS deployment. The powers that be are unhappy that they have to sign in separately to Office 365 etc, and want to integrate/consolidate authentication for all of our single sign-on applications.
In an ideal world, that would mean switching all of the proprietary Microsoft services to use our nice open standards-based and freely available shibboleth deployment. Unfortunately, although Microsoft has "improved" their ability to use a shibboleth idp to authenticate their online services, according to our Windows guys it is not officially "supported", and they refuse to do it.
That leaves us with somehow trying to integrate our shibboleth idp and our ADFS deployment. One of our application guys pointed out some work that Unicon has done in that department:
That's not going to work for a number of reasons; from a design perspective, there is absolutely no way I'm going to have all of our non-Microsoft services reliant on Microsoft proprietary ADFS, which is how the first option (delegating CAS authentication to ADFS) works. The second option (delegating ADFS to CAS) would be more promising, except it requires clearpass to be enabled on the CAS server, which I don't want to do. And finally, we are tentatively planning on migrating our CAS clients to idpv3 when we upgrade, and neither of those would work in that scenario anyway.
One of our Windows guys pointed out:
It sounds like this would allow an end-user to hit ADFS, then authenticate against a shibboleth idp, and continue on to access the ADFS authenticated application without explicitly authenticating to ADFS, which is exactly what I would want. However, it seems there is some extra interactivity in the process, where the user must select on the ADFS landing page that they want to authenticate to shibboleth instead of ADFS? And to avoid that, you would need to use an SSL offloading load balancer which injects cookies into the request? We don't currently do SSL offloading, and would prefer not to.
So, are there any other methods of achieving ADFS/shibboleth integration that we haven't happened upon? Is there any way when using the wiki method to make ADFS automatically delegate authentication to the shibboleth IDP without munging cookies in transit? Via preferably some local IIS configuration or whatnot?
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | henson at cpp.edu
California State Polytechnic University | Pomona CA 91768
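One configuration that addresses the question above, as an added example that is not part of the original thread: AD FS on Windows Server 2012 R2 and later lets an administrator restrict a relying party trust to a single claims provider trust. When only one claims provider is permitted for that relying party, AD FS skips the home realm discovery selection page and redirects the user directly to that identity provider, with no cookie injection by a load balancer. The display names used here (`Shibboleth IdP`, `Example Relying Party`) are placeholders; they are not values from the post, and the claims provider trust for the Shibboleth IdP is assumed to have already been created from the IdP's metadata.

```powershell
# Added example, not from the original thread. Assumes AD FS 3.0 (Windows Server 2012 R2)
# or later and that a claims provider trust for the Shibboleth IdP already exists.
Import-Module ADFS

$idpTrustName = 'Shibboleth IdP'         # assumed display name of the claims provider trust
$rpName       = 'Example Relying Party'  # placeholder name of the relying party to pin

# Verify the claims provider trust exists before referencing it
$cpt = Get-AdfsClaimsProviderTrust -Name $idpTrustName
if (-not $cpt) {
    throw "Claims provider trust '$idpTrustName' not found on this AD FS server"
}

# Allow only the Shibboleth claims provider for this relying party.
# With exactly one permitted claims provider, AD FS bypasses home realm discovery.
Set-AdfsRelyingPartyTrust -TargetName $rpName -ClaimsProviderName @($idpTrustName)

# Confirm the restriction took effect
(Get-AdfsRelyingPartyTrust -Name $rpName).ClaimsProviderName
```

This is a per-relying-party setting, so applications that should still use the local Active Directory claims provider are unaffected; run the `Set-AdfsRelyingPartyTrust` line once for each relying party that should be routed to the Shibboleth IdP.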