Azure AD without ADFS

Peter Schober peter.schober at univie.ac.at
Tue May 2 12:40:52 EDT 2017


* Admin IFMSA-Sweden <admin at ifmsa.se> [2017-05-02 18:27]:
> Can I ask another question?

If you manage to ask it in terms that people not speaking M$ fluently
can understand.

> Microsoft ACS supports multiple ADFS (WS compatible STS) but not
> SAML2 and has "Home Realm Discovery".

No idea what "Microsoft ACS" is, but don't bother to explain, this
just reinforces my point that you should be asking about MS products
in some MS forum.

> Azure AD supports ADFS and SAML2 - is there any option where
> Shibboleth IdPs can be federated with Azure AD (without our own
> ADFS), and eventually add Shibboleth federation metadata to Azure
> AD? As mentioned, we don’t have our own ADFS.
> 
> What do you think about interoperability between Azure AD and Shibboleth?
> 
> Am I asking a wrong question? Should I think this another way?

As I explained before, Shibboleth implements published standard
protocols (SAML 2.0 is most relevant here). With that you can replace
all occurrences of "Shibboleth IDP" with "a SAML 2.0 IDP" in your
questions above. That leaves you with zero content specific to this
list / community.
So those questions seem to me like the wrong ones for *this*
community, as they are all about what certain MS products support or
not.

But nothing here changes anything wrt the specific points surfaced
during this discussion:

* If the SP (MS here) requires you to hook up IDPs individually and
  manually, you'll suffer. (Either by doing just that, or by investing
  into standing up alternatives that scale.)

* If the SP (MS here) requires all IDPs to support persistent NameIDs,
  you'll suffer. (Either by spending your days nagging universities
  and research institutions and whatnot to implement persistent
  NameIDs so their students can access your service. Or by investing
  into standing up alternatives that scale, at possibly significant
  ongoing cost.)

Nothing anyone else in the world does will change that, not MS, no
matter what alphabet soup is involved (ACS, Azure, AD, ADFS, WS-F,
etc.) -- unless you have some other protocol of hooking up all the
IDPs you need, and that other protocol is magically already supported
everywhere (at all those IDPs, consistently), and even more magically
supports all the features the SP (MS here) requires for integration.

-peter
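As an added example (not code from the original post, nor from the Shibboleth project), the following Python script takes a SAML 2.0 metadata aggregate and reports which IdPs advertise the persistent NameID format in their IDPSSODescriptor. It is a way to size the second of Peter's two problems before you start asking institutions to change anything: SAML 2.0 metadata carries a NameIDFormat element per role descriptor, so an aggregate can be walked offline. The aggregate embedded below is constructed for illustration and its entityIDs are hypothetical. One caveat the script states in its own docstring: an IdP that does not list the format is a safe "no", but an IdP that does list it only shows it can issue persistent NameIDs, not that it will release one to your particular SP, since that is an attribute-release and NameID-generation policy decision on the IdP side.

```python
"""Inventory which IdPs in a SAML 2.0 metadata aggregate advertise the
persistent NameID format.  Added example; not code from the original
mailing-list post or from Shibboleth.  The aggregate below is constructed
for illustration and its entityIDs are hypothetical."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample aggregate: two IdPs that advertise persistent NameIDs
# (one nested in a sub-aggregate), one that only advertises transient, and
# one SP, which must be ignored because it is not something users log in at.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.uni-a.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.uni-b.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.uni-b.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntitiesDescriptor Name="urn:example:federation:sub">
    <md:EntityDescriptor entityID="https://idp.institute-c.example/saml">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://idp.institute-c.example/saml/sso"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
  <md:EntityDescriptor entityID="https://sp.service.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.service.example/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def idp_nameid_formats(aggregate_xml):
    """Map entityID -> set of advertised NameIDFormat URIs, for IdPs only.

    EntityDescriptors may be nested inside sub-EntitiesDescriptors, so walk
    the whole tree rather than only the top-level children.
    """
    root = ET.fromstring(aggregate_xml)
    result = {}
    for ed in root.iter("{%s}EntityDescriptor" % MD_NS):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP-only (or AA-only) entity: nobody logs in there
        formats = {
            f.text.strip()
            for f in idp.findall("md:NameIDFormat", NS)
            if f.text and f.text.strip()
        }
        result[ed.get("entityID")] = formats
    return result


def persistent_nameid_report(aggregate_xml):
    """Split IdPs into those advertising persistent NameIDs and those that
    do not.  Absence from metadata is a reliable 'no'; presence only means
    the IdP *can* issue them, not that it will release one to a given SP."""
    formats = idp_nameid_formats(aggregate_xml)
    supports = sorted(e for e, f in formats.items() if PERSISTENT in f)
    missing = sorted(e for e, f in formats.items() if PERSISTENT not in f)
    return supports, missing


if __name__ == "__main__":
    ok, todo = persistent_nameid_report(SAMPLE_AGGREGATE)
    print("IdPs advertising persistent NameIDs: %d" % len(ok))
    for e in ok:
        print("  +", e)
    print("IdPs to chase (no persistent NameIDFormat in metadata): %d" % len(todo))
    for e in todo:
        print("  -", e)
```

Point `persistent_nameid_report` at a real federation aggregate (read the file into a string first) and the "to chase" list is the set of institutions whose users cannot reach an SP that insists on persistent NameIDs. Note that this only inspects what the IdP publishes; verifying the SP side (what Azure AD or any other SP requires) is a separate question that the post sends to the vendor's own documentation.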

