Can ADFS connect to other SSO services?ADFS proxy connect to wrong ADFSADFS 3.0 SSO Form authentication Issue - Subdomain not found under certain circumstancesWhat is ADFS (Active Directory Federation Services)?Imitate Azure AD user/tenant claims within ADFSDynamics CRM with Windows Essentials AD + Azure ADIs my Office 365 ADFS SSO working properly?Can we configure ADFS for IDP initiated SSOServer 2016 ADFS Retrieval of proxy configuration data fails and succeedsADFS 4.0 Windows 10 1703 SSOADFS 3.0 Force SSO Token Expiration URL
Find the probability that the 8th woman to appear is in 17th position.
Swapping rooks in a 4x4 board
How can I politely work my way around not liking coffee or beer when it comes to professional networking?
Sed to print out the line number
What is this tool/thing in an Aztec painting?
How to make clear to people I don't want to answer their "Where are you from?" question?
When to remove insignificant variables?
Suggested order for Amazon Prime Doctor Who series
What does "play with your toy’s toys" mean?
How to create a Tetrix/Sierpinski Tetrahedron fractal radiating from 0,0,0 ? Python or nodes
Did Karl Marx ever use any example that involved cotton and dollars to illustrate the way capital and surplus value were generated?
STM Microcontroller burns every time
Hot coffee brewing solutions for deep woods camping
Should my manager be aware of private LinkedIn approaches I receive? How to politely have this happen?
Inverse-quotes-quine
When to make kiddush at a Seder with no wine?
Why did pressing the joystick button spit out keypresses?
Why do all the teams that I have worked with always finish a sprint without completion of all the stories?
Impossible darts scores
I am completely new to Tales from the Floating Vagabond, how do I get started?
What are the penalties for overstaying in USA?
Is it illegal to withhold someone's passport and green card in California?
Is it damaging to turn off a small fridge for two days every week?
Why the feminine "la" in "à la Leonardo DiCaprio", though he is a man?
Can ADFS connect to other SSO services?
ADFS proxy connect to wrong ADFSADFS 3.0 SSO Form authentication Issue - Subdomain not found under certain circumstancesWhat is ADFS (Active Directory Federation Services)?Imitate Azure AD user/tenant claims within ADFSDynamics CRM with Windows Essentials AD + Azure ADIs my Office 365 ADFS SSO working properly?Can we configure ADFS for IDP initiated SSOServer 2016 ADFS Retrieval of proxy configuration data fails and succeedsADFS 4.0 Windows 10 1703 SSOADFS 3.0 Force SSO Token Expiration URL
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I have a .net application that's wired up to my local ADFS server (connected to our corporate AD server) and everything is working fine. My question is, can my ADFS establish a trusted connection to additional SSO services out on the internet like Azure AD, AWS, Google login, Facebook, Twitter, OpenID, etc. so that my application could use claims from multiple trusted sources other than my Activate Directory?
active-directory adfs single-sign-on
add a comment |
I have a .net application that's wired up to my local ADFS server (connected to our corporate AD server) and everything is working fine. My question is, can my ADFS establish a trusted connection to additional SSO services out on the internet like Azure AD, AWS, Google login, Facebook, Twitter, OpenID, etc. so that my application could use claims from multiple trusted sources other than my Activate Directory?
active-directory adfs single-sign-on
add a comment |
I have a .net application that's wired up to my local ADFS server (connected to our corporate AD server) and everything is working fine. My question is, can my ADFS establish a trusted connection to additional SSO services out on the internet like Azure AD, AWS, Google login, Facebook, Twitter, OpenID, etc. so that my application could use claims from multiple trusted sources other than my Activate Directory?
active-directory adfs single-sign-on
I have a .net application that's wired up to my local ADFS server (connected to our corporate AD server) and everything is working fine. My question is, can my ADFS establish a trusted connection to additional SSO services out on the internet like Azure AD, AWS, Google login, Facebook, Twitter, OpenID, etc. so that my application could use claims from multiple trusted sources other than my Activate Directory?
active-directory adfs single-sign-on
active-directory adfs single-sign-on
edited 2 hours ago
RichC
asked 8 hours ago
RichCRichC
1652 silver badges6 bronze badges
1652 silver badges6 bronze badges
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
It seems that chaining relying parties is indeed possible. This guy has written a series of posts about it, here's one. You can use ADFS as the "hub" for your app to auth against, and it will chain the request back to whichever service the user's identity actually lives in.
https://cloudidentityblog.com/2013/06/17/why-use-aad-as-idp-via-ad-fs-rp/
I haven't done this myself, so I'm not sure how much work this and what the pitfalls might be. I'm sure you could run into problems if a user lives in more than one IdP.
Don't forget, there's nothing preventing you from writing your .NET application to be able to take advantage of multiple SSO providers natively.
add a comment |
Yes, it can.
Each of these external IDP is added as a claims provider in ADFS and on the IDP side, ADFS is added as a Relying Party.
When you authenticate, ADFS will show a Home Realm Discovery screen that lists all the IDP.
You then choose which one you want to use.
add a comment |
I've done this. In our model, we have three sets of users:
Internal users authenticating via Active Directory (Kerberos or NTFS) against the local AD FS instance. In this set, the AD FS server runs as the IdP.
External users authenticating via Active Directory (Kerberos or NTFS) against their own AD FS instance and domain. In this set, the AD FS Server has a Claims Provider Trust configured to the issuing AD FS server. Our AD FS server operates as an SP-STS by transforming and validating claims issued elsewhere, and reissuing a trusted token to our application. The IdP is the other domain's AD FS server, where our AD FS server is configured as a relying party.
External users without corporate login. These users authenticate to small .Net STS which is configured as a Claims Provider Trust on our AD FS server. (We did also consider - and it was technically straightforward - to use Azure Active Directory B2C for this role, but other concerns prevented it.)
Tokens are issued as:
To make it transparent for our customers, we use IP ranges to detect (via nginx) and redirect to the appropriate corporate AD FS – and otherwise rely upon the standard AD FS HRD page.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f972252%2fcan-adfs-connect-to-other-sso-services%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
It seems that chaining relying parties is indeed possible. This guy has written a series of posts about it, here's one. You can use ADFS as the "hub" for your app to auth against, and it will chain the request back to whichever service the user's identity actually lives in.
https://cloudidentityblog.com/2013/06/17/why-use-aad-as-idp-via-ad-fs-rp/
I haven't done this myself, so I'm not sure how much work this and what the pitfalls might be. I'm sure you could run into problems if a user lives in more than one IdP.
Don't forget, there's nothing preventing you from writing your .NET application to be able to take advantage of multiple SSO providers natively.
add a comment |
It seems that chaining relying parties is indeed possible. This guy has written a series of posts about it, here's one. You can use ADFS as the "hub" for your app to auth against, and it will chain the request back to whichever service the user's identity actually lives in.
https://cloudidentityblog.com/2013/06/17/why-use-aad-as-idp-via-ad-fs-rp/
I haven't done this myself, so I'm not sure how much work this and what the pitfalls might be. I'm sure you could run into problems if a user lives in more than one IdP.
Don't forget, there's nothing preventing you from writing your .NET application to be able to take advantage of multiple SSO providers natively.
add a comment |
It seems that chaining relying parties is indeed possible. This guy has written a series of posts about it, here's one. You can use ADFS as the "hub" for your app to auth against, and it will chain the request back to whichever service the user's identity actually lives in.
https://cloudidentityblog.com/2013/06/17/why-use-aad-as-idp-via-ad-fs-rp/
I haven't done this myself, so I'm not sure how much work this and what the pitfalls might be. I'm sure you could run into problems if a user lives in more than one IdP.
Don't forget, there's nothing preventing you from writing your .NET application to be able to take advantage of multiple SSO providers natively.
It seems that chaining relying parties is indeed possible. This guy has written a series of posts about it, here's one. You can use ADFS as the "hub" for your app to auth against, and it will chain the request back to whichever service the user's identity actually lives in.
https://cloudidentityblog.com/2013/06/17/why-use-aad-as-idp-via-ad-fs-rp/
I haven't done this myself, so I'm not sure how much work this and what the pitfalls might be. I'm sure you could run into problems if a user lives in more than one IdP.
Don't forget, there's nothing preventing you from writing your .NET application to be able to take advantage of multiple SSO providers natively.
answered 8 hours ago
mfinnimfinni
33.2k3 gold badges43 silver badges80 bronze badges
33.2k3 gold badges43 silver badges80 bronze badges
add a comment |
add a comment |
Yes, it can.
Each of these external IDP is added as a claims provider in ADFS and on the IDP side, ADFS is added as a Relying Party.
When you authenticate, ADFS will show a Home Realm Discovery screen that lists all the IDP.
You then choose which one you want to use.
add a comment |
Yes, it can.
Each of these external IDP is added as a claims provider in ADFS and on the IDP side, ADFS is added as a Relying Party.
When you authenticate, ADFS will show a Home Realm Discovery screen that lists all the IDP.
You then choose which one you want to use.
add a comment |
Yes, it can.
Each of these external IDP is added as a claims provider in ADFS and on the IDP side, ADFS is added as a Relying Party.
When you authenticate, ADFS will show a Home Realm Discovery screen that lists all the IDP.
You then choose which one you want to use.
Yes, it can.
Each of these external IDP is added as a claims provider in ADFS and on the IDP side, ADFS is added as a Relying Party.
When you authenticate, ADFS will show a Home Realm Discovery screen that lists all the IDP.
You then choose which one you want to use.
answered 4 hours ago
nzpcmadnzpcmad
7931 gold badge9 silver badges20 bronze badges
7931 gold badge9 silver badges20 bronze badges
add a comment |
add a comment |
I've done this. In our model, we have three sets of users:
Internal users authenticating via Active Directory (Kerberos or NTFS) against the local AD FS instance. In this set, the AD FS server runs as the IdP.
External users authenticating via Active Directory (Kerberos or NTFS) against their own AD FS instance and domain. In this set, the AD FS Server has a Claims Provider Trust configured to the issuing AD FS server. Our AD FS server operates as an SP-STS by transforming and validating claims issued elsewhere, and reissuing a trusted token to our application. The IdP is the other domain's AD FS server, where our AD FS server is configured as a relying party.
External users without corporate login. These users authenticate to small .Net STS which is configured as a Claims Provider Trust on our AD FS server. (We did also consider - and it was technically straightforward - to use Azure Active Directory B2C for this role, but other concerns prevented it.)
Tokens are issued as:
To make it transparent for our customers, we use IP ranges to detect (via nginx) and redirect to the appropriate corporate AD FS – and otherwise rely upon the standard AD FS HRD page.
add a comment |
I've done this. In our model, we have three sets of users:
Internal users authenticating via Active Directory (Kerberos or NTFS) against the local AD FS instance. In this set, the AD FS server runs as the IdP.
External users authenticating via Active Directory (Kerberos or NTFS) against their own AD FS instance and domain. In this set, the AD FS Server has a Claims Provider Trust configured to the issuing AD FS server. Our AD FS server operates as an SP-STS by transforming and validating claims issued elsewhere, and reissuing a trusted token to our application. The IdP is the other domain's AD FS server, where our AD FS server is configured as a relying party.
External users without corporate login. These users authenticate to small .Net STS which is configured as a Claims Provider Trust on our AD FS server. (We did also consider - and it was technically straightforward - to use Azure Active Directory B2C for this role, but other concerns prevented it.)
Tokens are issued as:
To make it transparent for our customers, we use IP ranges to detect (via nginx) and redirect to the appropriate corporate AD FS – and otherwise rely upon the standard AD FS HRD page.
add a comment |
I've done this. In our model, we have three sets of users:
Internal users authenticating via Active Directory (Kerberos or NTFS) against the local AD FS instance. In this set, the AD FS server runs as the IdP.
External users authenticating via Active Directory (Kerberos or NTFS) against their own AD FS instance and domain. In this set, the AD FS Server has a Claims Provider Trust configured to the issuing AD FS server. Our AD FS server operates as an SP-STS by transforming and validating claims issued elsewhere, and reissuing a trusted token to our application. The IdP is the other domain's AD FS server, where our AD FS server is configured as a relying party.
External users without corporate login. These users authenticate to small .Net STS which is configured as a Claims Provider Trust on our AD FS server. (We did also consider - and it was technically straightforward - to use Azure Active Directory B2C for this role, but other concerns prevented it.)
Tokens are issued as:
To make it transparent for our customers, we use IP ranges to detect (via nginx) and redirect to the appropriate corporate AD FS – and otherwise rely upon the standard AD FS HRD page.
I've done this. In our model, we have three sets of users:
Internal users authenticating via Active Directory (Kerberos or NTFS) against the local AD FS instance. In this set, the AD FS server runs as the IdP.
External users authenticating via Active Directory (Kerberos or NTFS) against their own AD FS instance and domain. In this set, the AD FS Server has a Claims Provider Trust configured to the issuing AD FS server. Our AD FS server operates as an SP-STS by transforming and validating claims issued elsewhere, and reissuing a trusted token to our application. The IdP is the other domain's AD FS server, where our AD FS server is configured as a relying party.
External users without corporate login. These users authenticate to small .Net STS which is configured as a Claims Provider Trust on our AD FS server. (We did also consider - and it was technically straightforward - to use Azure Active Directory B2C for this role, but other concerns prevented it.)
Tokens are issued as:
To make it transparent for our customers, we use IP ranges to detect (via nginx) and redirect to the appropriate corporate AD FS – and otherwise rely upon the standard AD FS HRD page.
answered 23 mins ago
MitchMitch
1,95211 silver badges20 bronze badges
1,95211 silver badges20 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f972252%2fcan-adfs-connect-to-other-sso-services%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown