Joining up Shibboleth, AD and ADFS

Dave Perry Dave.Perry at hull-college.ac.uk
Wed Jul 20 09:05:53 EDT 2016


Thanks for the thoughts Peter. I appreciate the issues with integrating with ADFS, but we as an organisation are pushing Office 365 so we're stuck with it (IT would not look kindly if I said to bin ADFS). I don't dislike O365, just that it complicates our mix.

I don't have AD admin rights to do the Kerberos integration myself, nor the slightly deeper AD knowledge the documentation steps suggest is required.

If, by 'or by making MS-ADFS a downstream system to the Shib IDP', you are referring to what I asked (user hits shibboleth, if they have no session get them to authenticate to ADFS whether on or off site) then that I think is the thing that will (to my mind) make this goal possible. Documentation on that I have not been able to find thus far.


Dave
_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at hull-college.ac.uk *

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: 20 July 2016 13:26
To: users at shibboleth.net
Subject: Re: Joining up Shibboleth, AD and ADFS

* Dave Perry <Dave.Perry at hull-college.ac.uk> [2016-07-20 13:21]:
> The ingredients for this:
> 
> -          AD for desktop signin
> -          ADFS allowing login to Office 365. Currently SSOs when on an AD-domain PC/laptop
> -          Moodle logins (web based login form off site to AD, AD SSO onsite)
> -          Shibboleth v3 (uses our AD DCs as its LDAP source) for eResources (and eventually Google Apps again)

There are many ways to do that, of course, and you're asking on the Shibboleth list so be prepared for potential bias, too.

I'm pretty sure some people on this list have used the Shibboleth IDP for all of the above, incl Google Apps, Microsoft Office 365, whatever, Moodle, e-resources, etc., but personally I can't speak to the dis-/advantages of integrating Microsoft services when not using Microsoft products or protocols. (There's usually a catch, and by design.)

The Shib IDP can make use of Kerberos SSO from the desktop:
https://wiki.refeds.org/display/CODE/Entity+Category+Definition%3A+Data+protection+Code+of+Conduct
and fall back to forms-based authentication off-site and from non-managed computers.

So much of the above is possible without ever using MS-ADFS, or by making MS-ADFS a downstream system to the Shib IDP.

The inverse (making the Shib IDP into a gateway/proxy downstream of MS-ADFS) is also possible, though requires an extra SAML SP on top of the IDP, plus Scripted attribute definitions to pull out the attributes from the SP and re-add them into the IDP for passing them on to SAML SPs further downstream.
-peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
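The "Kerberos SSO from the desktop, forms off-site" arrangement Peter describes is configured in the Shibboleth IdP v3 by enabling the SPNEGO and Password login flows together. The fragment below is an added illustration for this thread, not configuration from either poster or from the Shibboleth project's documentation; it shows only the two `idp.properties` settings involved, and the Kerberos service principal, keytab and realm settings that the SPNEGO flow also needs (in `conf/authn/spnego-authn-config.xml`) are assumed to be in place and are not shown.

```properties
# conf/idp.properties (added example, not from the original message)

# Enable both login flows. Flows are tried in the order their activation
# conditions permit: SPNEGO is attempted for domain-joined desktops that
# present a Kerberos ticket, and Password (the forms-based login backed by
# the AD LDAP source) catches everyone else, e.g. off-site or unmanaged PCs.
idp.authn.flows = SPNEGO|Password

# By default the SPNEGO flow only runs for users who have opted in to
# "auto-login" (a cookie set via the IdP's SPNEGO opt-in page); browsers
# without a ticket would otherwise get a 401 prompt instead of the form.
# Setting this to true forces the SPNEGO attempt for every login; leave it
# false if off-site users should go straight to the form.
idp.authn.SPNEGO.enforceRun = false
```

The practical consequence for the question in the thread: with this in place the IdP itself handles both the on-site and off-site cases, so ADFS does not need to sit in front of it; whether ADFS is then kept for Office 365 behind the IdP is a separate decision.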
