technical-discuss - [InC-Technical] RE: ADFS InCommon Federated Services Help
Subject: InCommon Technical Discussions
List archive
- From: Eric C Kool-Brown <>
- To: "" <>, "" <>
- Subject: [InC-Technical] RE: ADFS InCommon Federated Services Help
- Date: Wed, 7 Feb 2018 16:43:37 +0000
Hi Alex,
There are two ways to configure ADFS for federation with InCommon. The route
we take at the UW is to configure ADFS to use our Shibboleth IdP as the ADFS
"Claims Trust Provider." ADFS used to be unable to consume the InCommon
metadata aggregate so in the past I used a special metadata URL for our Shib.
The latest version of ADFS has added the ability to consume an aggregate, but
it is fairly finicky to get working.
The other way would be to have ADFS be the IdP (its default configuration)
but again have it consume the InCommon metadata aggregate. You could then use
the default ADFS "Home Realm Discovery" UI to select one of the InCommon
IdPs. I've not gone down this road because we send all of our ADFS relying
parties to our Shib for authN.
ADFS does some things in an opposite fashion from what the SAML design
specifies. In particular, with SAML configuring federation is up to the
service providers. They provide a discovery (WAYF) page that allows users to
select an IdP. ADFS instead provides IdP discovery for all relying parties.
This can be overridden within ADFS to specify an IdP per relying party. This
is the route we've taken by configuring all of our RPs to go to Shib for
authN.
I've done some ADFS blogging which might be helpful:
http://blogs.uw.edu/kool/.
I also have a wiki on ADFS here at the UW. I believe it uses federated authN,
but let me know if that's not the case:
https://wiki.cac.washington.edu/x/5EMrAw.
This document is a great guide to configuring ADFS to use Shib as the IdP:
http://download.microsoft.com/documents/France/Interop/2010/Using_ADFS2_0_For_Interoperable_SAML_2_0-Based_Federated_SSO.docx.
It is somewhat dated as ADFS now has more configurability and capabilities,
but it is still accurate.
Also, feel free to ask any other questions you may have.
Cheers,
Eric Kool-Brown,
Software Engineer
University of Washington - IT Infrastructure
> -------- Forwarded Message --------
> Subject: ADFS InCommon Federated Services Help
> Date: Mon, 29 Jan 2018 21:15:32 -0700
> From: Alexandre Adao <>
> To: <>
>
> Hello, I am a novice in InCommon and Microsoft ADFS. I would like to
> know the procedures on how to configure MS ADFS for InCommon. Any
> information or assistance will be gratefully appreciated.
>
> Thanks,
>
> --
> Alex Adao
>
> =============================================
> Alexandre Magno Adão
> Director of Information Security
> Morgan State University (CGW 300k)
> Office of Information Technology (OIT)
> 443-885-4415 Office
> 443-803-3154 Cell
> <http://www.morgan.edu>
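As an added example that is not part of Eric's message or the UW's configuration, the ADFS PowerShell cmdlets that carry out the route he describes: register the Shibboleth IdP as a claims provider trust from its metadata, pass its attributes through as claims, point a relying party at it so the ADFS Home Realm Discovery page is bypassed for that RP, and list any relying parties still falling back to HRD. The IdP name, metadata URL and relying party name are placeholders.

```powershell
# Added example: ADFS cmdlets for the "Shibboleth as Claims Provider" route.
# All names and URLs below are placeholders, not the UW's actual values.
Import-Module ADFS

$idpName     = 'Campus Shibboleth IdP'                    # placeholder
$idpMetadata = 'https://idp.example.edu/idp/shibboleth'   # placeholder metadata URL
$rpName      = 'Example Relying Party'                    # placeholder; must already exist

# 1. Register the Shibboleth IdP as a claims provider trust built from its metadata.
#    Monitoring/auto-update keep the trust's signing certificates and endpoints in
#    sync with what the IdP publishes, so a key rollover does not silently break SSO.
if (-not (Get-AdfsClaimsProviderTrust -Name $idpName -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimsProviderTrust -Name $idpName -MetadataUrl $idpMetadata `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# 2. Accept the IdP's attributes as claims. ADFS names an incoming SAML attribute's
#    claim type after the attribute Name, so the eduPersonPrincipalName OID is used.
$rules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through eduPersonPrincipalName"
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName $idpName -AcceptanceTransformRules $rules

# 3. Send this relying party straight to Shibboleth, skipping ADFS Home Realm Discovery.
Set-AdfsRelyingPartyTrust -TargetName $rpName -ClaimsProviderName @($idpName)

# 4. Check: relying parties with no ClaimsProviderName set still show the HRD page
#    and therefore accept whichever claims provider the user picks.
Get-AdfsRelyingPartyTrust |
    Where-Object { -not $_.ClaimsProviderName } |
    Select-Object Name, Identifier
```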