ADFS integration

Misagh Moayyed mmoayyed at
Wed Aug 19 16:29:32 EDT 2015


We have used the following guide a number of times to integrate the IdP
and ADFS:

It's not a trivial task, but it has worked perfectly fine. In certain
cases, we even had IdP authentication delegated to CAS via the shib-cas
authenticator plugin, and that also worked out really well. If there is a
spot on the wiki, I can document what we did and have you review it.

The only issue we ran into was that the built-in "IdP" in ADFS is Active
Directory, and you can't turn it off. Once you register the IdP with ADFS
as a claims provider, you get to see a discovery-like page with IdP and
Active Directory listed both. To get around it, we ended up modifying the
.aspx ADFS pages to make sure the IdP was chosen automatically.

Note that this is with ADFS 2. I am told that 3 makes this sort of thing a
tad easier, though you do lose the option of modifying the aspx files, which
would be buried in DLLs as resources should you ever need them.

> -----Original Message-----
> From: users [mailto:users-bounces at] On Behalf Of Paul B.
> Henson
> Sent: Wednesday, August 19, 2015 1:19 PM
> To: Shib Users <users at>
> Subject: ADFS integration
> So we are in the same boat as I assume many other people reliant on
> Microsoft services are, with both a shibboleth idp and an ADFS
> The powers that be are unhappy that they have to sign in separately to
> Office 365 etc, and want to integrate/consolidate authentication for all
> of our single sign-on applications.
> In an ideal world, that would mean switching all of the proprietary
> Microsoft services to use our nice open standards-based and freely
> available shibboleth deployment. Unfortunately, although Microsoft has
> "improved" their ability to use a shibboleth idp to authenticate their
> online services, according to our Windows guys it is not officially
> "supported", and they refuse to do it.
> That leaves us with somehow trying to integrate our shibboleth idp and
> ADFS deployment. One of our application guys pointed out some work that
> Unicon has done in that department:
> That's not going to work for a number of reasons; from a design
> perspective, there is absolutely no way I'm going to have all of our
> Microsoft services reliant on Microsoft proprietary ADFS, which is how the
> first option (delegating CAS authentication to ADFS) works. The second
> option (delegating ADFS to CAS) would be more promising, except it
> requires clearpass to be enabled on the CAS server, which I don't want to
> do. And finally, we are tentatively planning on migrating our CAS
> to idpv3 when we upgrade, and neither of those would work in that case
> anyway.
> One of our Windows guys pointed out:
> It sounds like this would allow an end-user to hit ADFS, then authenticate
> against a shibboleth idp, and continue on to access the ADFS
> application without explicitly authenticating to ADFS, which is exactly
> what I would want. However, it seems there is some extra interactivity in
> the process, where the user must select on the ADFS landing page that they
> want to authenticate to shibboleth instead of ADFS? And to avoid that,
> would need to use an SSL offloading load balancer which injects cookies
> into the request? We don't currently do SSL offloading, and would prefer
> not to.
> So, are there any other methods of achieving ADFS/shibboleth integration
> that we haven't happened upon? Is there any way when using the wiki
> to make ADFS automatically delegate authentication to the shibboleth IDP
> without munging cookies in transit? Via preferably some local IIS
> configuration or whatnot?
> Thanks much...
> --
> Paul B. Henson  |  (909) 979-6361  |
> Operating Systems and Network Analyst  |  henson at California
> Polytechnic University  |  Pomona CA 91768
> --
> To unsubscribe from this list send an email to users-
> unsubscribe at
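The "modify the .aspx pages so the IdP is chosen automatically" approach mentioned in the reply above, shown as an added example rather than Unicon's or the list poster's actual code. It assumes an ADFS 2.0 proxy/STS host where the sign-in pages live under C:\inetpub\adfs\ls, and that the Shibboleth IdP has been registered as a claims provider trust with the identifier https://idp.example.edu/idp/shibboleth (an assumed value; it must match the claims provider trust's identifier exactly). The default HomeRealmDiscovery.aspx.cs binds the claims provider list to a dropdown in Page_Init and calls SelectHomeRealm from the button click handler; the edit below calls it unconditionally on first load instead, so the "IdP or Active Directory" chooser is never rendered.

```csharp
// HomeRealmDiscovery.aspx.cs (ADFS 2.0, C:\inetpub\adfs\ls)
// Added example, not the original page's or the project's code.
// Replace the default page's code-behind so home realm discovery
// is short-circuited to the Shibboleth IdP.
using System;
using Microsoft.IdentityServer.Web.UI;

public partial class HomeRealmDiscovery : HomeRealmDiscoveryPage
{
    // Identifier (entityID) of the Shibboleth IdP claims provider trust.
    // Assumed value: must match the trust's identifier in the ADFS console.
    private const string ShibbolethIdpIdentifier =
        "https://idp.example.edu/idp/shibboleth";

    protected void Page_Init(object sender, EventArgs e)
    {
        // The default page binds ClaimsProviders to a dropdown here; that is
        // no longer needed because the user never sees the chooser.
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            // Nothing is posted back any more; fall through to the redirect
            // so a stray postback cannot leave the user on a blank page.
        }

        // SelectHomeRealm tells ADFS which claims provider to federate with
        // and issues the redirect to that provider's sign-in endpoint. The
        // Active Directory "IdP" stays registered (it cannot be disabled),
        // but it is never offered to the browser.
        SelectHomeRealm(ShibbolethIdpIdentifier);
    }
}
```

Two practical notes. First, keep the identifier a fixed server-side constant as above rather than reading it from the request: ADFS already honours the standard whr query parameter for callers that want to name a realm, and deriving the target from untrusted input inside the page would let a crafted link steer users to whichever claims provider the attacker names. Second, on ADFS 3.0 (Windows Server 2012 R2) the sign-in pages are compiled into the product and cannot be edited this way, but the same effect is available per relying party with Set-AdfsRelyingPartyTrust -TargetName <RP> -ClaimsProviderName <CP>, which restricts that relying party to the named claims provider and so skips home realm discovery for it without touching cookies in transit.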
