Microsoft Azure + AD FS 3 + Shibboleth IdP v3

Michael A Grady mgrady at unicon.net
Tue Feb 23 15:05:35 EST 2016


> On Feb 23, 2016, at 1:42 PM, Cantor, Scott <cantor.2 at OSU.EDU> wrote:
> 
>> But really I can't see it being that different to set up than the notes here:
>> https://wiki.shibboleth.net/confluence/display/SHIB2/MicrosoftInterop
> 
> Most of that is ADFSv2 era information, I couldn't say if anything has changed.
> 
>> Most of the configuration in that doco was on the ADFS side - not the
>> Shibboleth side (shibboleth only needed metadata and attribute-release). I
>> believe it's still the same SAML version between IdPv2 and v3 - so that should
>> not cause problems.
> 
> It depends if you're trying to make MS understand "typical" SAML defaults from Shibboleth or have Shibboleth provide Microsoft's "creative" choices. But otherwise no, there's nothing significantly new with Shibboleth.
> 
> Either way, the log that was posted is basically just the IdP issuing a response to the ADFS system. If that's "wrong" then you have to know what ADFS thinks is wrong with it to go any further.
> 
> -- Scott
> 

The config in ADFS is really not different, from what I've seen, from ADFSv2 to ADFSv3, in terms of telling it about the IdP (giving it metadata) and putting in Claims config. The biggest change is that IIS/.asp scripts are no longer in the picture for ADFSv3, so what you have available to tweak as far as avoiding the ADFS discovery page is more limited. You pretty much need a load balancer that can inject a cookie inbound to ADFS (or perhaps a proxy in front of ADFS that does the same thing).

--
Michael A. Grady
IAM Architect, Unicon, Inc.

