Can ADFS connect to other SSO services?ADFS proxy connect to wrong ADFSADFS 3.0 SSO Form authentication Issue - Subdomain not found under certain circumstancesWhat is ADFS (Active Directory Federation Services)?Imitate Azure AD user/tenant claims within ADFSDynamics CRM with Windows Essentials AD + Azure ADIs my Office 365 ADFS SSO working properly?Can we configure ADFS for IDP initiated SSOServer 2016 ADFS Retrieval of proxy configuration data fails and succeedsADFS 4.0 Windows 10 1703 SSOADFS 3.0 Force SSO Token Expiration URL

Find the probability that the 8th woman to appear is in 17th position.

Swapping rooks in a 4x4 board

How can I politely work my way around not liking coffee or beer when it comes to professional networking?

Sed to print out the line number

What is this tool/thing in an Aztec painting?

How to make clear to people I don't want to answer their "Where are you from?" question?

When to remove insignificant variables?

Suggested order for Amazon Prime Doctor Who series

What does "play with your toy’s toys" mean?

How to create a Tetrix/Sierpinski Tetrahedron fractal radiating from 0,0,0 ? Python or nodes

Did Karl Marx ever use any example that involved cotton and dollars to illustrate the way capital and surplus value were generated?

STM Microcontroller burns every time

Hot coffee brewing solutions for deep woods camping

Should my manager be aware of private LinkedIn approaches I receive? How to politely have this happen?

Inverse-quotes-quine

When to make kiddush at a Seder with no wine?

Why did pressing the joystick button spit out keypresses?

Why do all the teams that I have worked with always finish a sprint without completion of all the stories?

Impossible darts scores

I am completely new to Tales from the Floating Vagabond, how do I get started?

What are the penalties for overstaying in USA?

Is it illegal to withhold someone's passport and green card in California?

Is it damaging to turn off a small fridge for two days every week?

Why the feminine "la" in "à la Leonardo DiCaprio", though he is a man?



Can ADFS connect to other SSO services?


ADFS proxy connect to wrong ADFSADFS 3.0 SSO Form authentication Issue - Subdomain not found under certain circumstancesWhat is ADFS (Active Directory Federation Services)?Imitate Azure AD user/tenant claims within ADFSDynamics CRM with Windows Essentials AD + Azure ADIs my Office 365 ADFS SSO working properly?Can we configure ADFS for IDP initiated SSOServer 2016 ADFS Retrieval of proxy configuration data fails and succeedsADFS 4.0 Windows 10 1703 SSOADFS 3.0 Force SSO Token Expiration URL






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








2















I have a .net application that's wired up to my local ADFS server (connected to our corporate AD server) and everything is working fine. My question is, can my ADFS establish a trusted connection to additional SSO services out on the internet like Azure AD, AWS, Google login, Facebook, Twitter, OpenID, etc. so that my application could use claims from multiple trusted sources other than my Activate Directory?










share|improve this question






























    2















    I have a .net application that's wired up to my local ADFS server (connected to our corporate AD server) and everything is working fine. My question is, can my ADFS establish a trusted connection to additional SSO services out on the internet like Azure AD, AWS, Google login, Facebook, Twitter, OpenID, etc. so that my application could use claims from multiple trusted sources other than my Activate Directory?










    share|improve this question


























      2












      2








      2








      I have a .net application that's wired up to my local ADFS server (connected to our corporate AD server) and everything is working fine. My question is, can my ADFS establish a trusted connection to additional SSO services out on the internet like Azure AD, AWS, Google login, Facebook, Twitter, OpenID, etc. so that my application could use claims from multiple trusted sources other than my Activate Directory?










      share|improve this question
















      I have a .net application that's wired up to my local ADFS server (connected to our corporate AD server) and everything is working fine. My question is, can my ADFS establish a trusted connection to additional SSO services out on the internet like Azure AD, AWS, Google login, Facebook, Twitter, OpenID, etc. so that my application could use claims from multiple trusted sources other than my Activate Directory?







      active-directory adfs single-sign-on






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 2 hours ago







      RichC

















      asked 8 hours ago









      RichCRichC

      1652 silver badges6 bronze badges




      1652 silver badges6 bronze badges




















          3 Answers
          3






          active

          oldest

          votes


















          2














          It seems that chaining relying parties is indeed possible. This guy has written a series of posts about it, here's one. You can use ADFS as the "hub" for your app to auth against, and it will chain the request back to whichever service the user's identity actually lives in.



          https://cloudidentityblog.com/2013/06/17/why-use-aad-as-idp-via-ad-fs-rp/



          I haven't done this myself, so I'm not sure how much work this and what the pitfalls might be. I'm sure you could run into problems if a user lives in more than one IdP.



          Don't forget, there's nothing preventing you from writing your .NET application to be able to take advantage of multiple SSO providers natively.






          share|improve this answer






























            1














            Yes, it can.



            Each of these external IDP is added as a claims provider in ADFS and on the IDP side, ADFS is added as a Relying Party.



            When you authenticate, ADFS will show a Home Realm Discovery screen that lists all the IDP.



            You then choose which one you want to use.






            share|improve this answer






























              0














              I've done this. In our model, we have three sets of users:



              1. Internal users authenticating via Active Directory (Kerberos or NTFS) against the local AD FS instance. In this set, the AD FS server runs as the IdP.


              2. External users authenticating via Active Directory (Kerberos or NTFS) against their own AD FS instance and domain. In this set, the AD FS Server has a Claims Provider Trust configured to the issuing AD FS server. Our AD FS server operates as an SP-STS by transforming and validating claims issued elsewhere, and reissuing a trusted token to our application. The IdP is the other domain's AD FS server, where our AD FS server is configured as a relying party.


              3. External users without corporate login. These users authenticate to small .Net STS which is configured as a Claims Provider Trust on our AD FS server. (We did also consider - and it was technically straightforward - to use Azure Active Directory B2C for this role, but other concerns prevented it.)


              Tokens are issued as:
              Depiction of token issuance



              To make it transparent for our customers, we use IP ranges to detect (via nginx) and redirect to the appropriate corporate AD FS – and otherwise rely upon the standard AD FS HRD page.






              share|improve this answer

























                Your Answer








                StackExchange.ready(function()
                var channelOptions =
                tags: "".split(" "),
                id: "2"
                ;
                initTagRenderer("".split(" "), "".split(" "), channelOptions);

                StackExchange.using("externalEditor", function()
                // Have to fire editor after snippets, if snippets enabled
                if (StackExchange.settings.snippets.snippetsEnabled)
                StackExchange.using("snippets", function()
                createEditor();
                );

                else
                createEditor();

                );

                function createEditor()
                StackExchange.prepareEditor(
                heartbeatType: 'answer',
                autoActivateHeartbeat: false,
                convertImagesToLinks: true,
                noModals: true,
                showLowRepImageUploadWarning: true,
                reputationToPostImages: 10,
                bindNavPrevention: true,
                postfix: "",
                imageUploader:
                brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                allowUrls: true
                ,
                onDemand: true,
                discardSelector: ".discard-answer"
                ,immediatelyShowMarkdownHelp:true
                );



                );













                draft saved

                draft discarded


















                StackExchange.ready(
                function ()
                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f972252%2fcan-adfs-connect-to-other-sso-services%23new-answer', 'question_page');

                );

                Post as a guest















                Required, but never shown

























                3 Answers
                3






                active

                oldest

                votes








                3 Answers
                3






                active

                oldest

                votes









                active

                oldest

                votes






                active

                oldest

                votes









                2














                It seems that chaining relying parties is indeed possible. This guy has written a series of posts about it, here's one. You can use ADFS as the "hub" for your app to auth against, and it will chain the request back to whichever service the user's identity actually lives in.



                https://cloudidentityblog.com/2013/06/17/why-use-aad-as-idp-via-ad-fs-rp/



                I haven't done this myself, so I'm not sure how much work this and what the pitfalls might be. I'm sure you could run into problems if a user lives in more than one IdP.



                Don't forget, there's nothing preventing you from writing your .NET application to be able to take advantage of multiple SSO providers natively.






                share|improve this answer



























                  2














                  It seems that chaining relying parties is indeed possible. This guy has written a series of posts about it, here's one. You can use ADFS as the "hub" for your app to auth against, and it will chain the request back to whichever service the user's identity actually lives in.



                  https://cloudidentityblog.com/2013/06/17/why-use-aad-as-idp-via-ad-fs-rp/



                  I haven't done this myself, so I'm not sure how much work this and what the pitfalls might be. I'm sure you could run into problems if a user lives in more than one IdP.



                  Don't forget, there's nothing preventing you from writing your .NET application to be able to take advantage of multiple SSO providers natively.






                  share|improve this answer

























                    2












                    2








                    2







                    It seems that chaining relying parties is indeed possible. This guy has written a series of posts about it, here's one. You can use ADFS as the "hub" for your app to auth against, and it will chain the request back to whichever service the user's identity actually lives in.



                    https://cloudidentityblog.com/2013/06/17/why-use-aad-as-idp-via-ad-fs-rp/



                    I haven't done this myself, so I'm not sure how much work this and what the pitfalls might be. I'm sure you could run into problems if a user lives in more than one IdP.



                    Don't forget, there's nothing preventing you from writing your .NET application to be able to take advantage of multiple SSO providers natively.






                    share|improve this answer













                    It seems that chaining relying parties is indeed possible. This guy has written a series of posts about it, here's one. You can use ADFS as the "hub" for your app to auth against, and it will chain the request back to whichever service the user's identity actually lives in.



                    https://cloudidentityblog.com/2013/06/17/why-use-aad-as-idp-via-ad-fs-rp/



                    I haven't done this myself, so I'm not sure how much work this and what the pitfalls might be. I'm sure you could run into problems if a user lives in more than one IdP.



                    Don't forget, there's nothing preventing you from writing your .NET application to be able to take advantage of multiple SSO providers natively.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered 8 hours ago









                    mfinnimfinni

                    33.2k3 gold badges43 silver badges80 bronze badges




                    33.2k3 gold badges43 silver badges80 bronze badges























                        1














                        Yes, it can.



                        Each of these external IDP is added as a claims provider in ADFS and on the IDP side, ADFS is added as a Relying Party.



                        When you authenticate, ADFS will show a Home Realm Discovery screen that lists all the IDP.



                        You then choose which one you want to use.






                        share|improve this answer



























                          1














                          Yes, it can.



                          Each of these external IDP is added as a claims provider in ADFS and on the IDP side, ADFS is added as a Relying Party.



                          When you authenticate, ADFS will show a Home Realm Discovery screen that lists all the IDP.



                          You then choose which one you want to use.






                          share|improve this answer

























                            1












                            1








                            1







                            Yes, it can.



                            Each of these external IDP is added as a claims provider in ADFS and on the IDP side, ADFS is added as a Relying Party.



                            When you authenticate, ADFS will show a Home Realm Discovery screen that lists all the IDP.



                            You then choose which one you want to use.






                            share|improve this answer













                            Yes, it can.



                            Each of these external IDP is added as a claims provider in ADFS and on the IDP side, ADFS is added as a Relying Party.



                            When you authenticate, ADFS will show a Home Realm Discovery screen that lists all the IDP.



                            You then choose which one you want to use.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered 4 hours ago









                            nzpcmadnzpcmad

                            7931 gold badge9 silver badges20 bronze badges




                            7931 gold badge9 silver badges20 bronze badges





















                                0














                                I've done this. In our model, we have three sets of users:



                                1. Internal users authenticating via Active Directory (Kerberos or NTFS) against the local AD FS instance. In this set, the AD FS server runs as the IdP.


                                2. External users authenticating via Active Directory (Kerberos or NTFS) against their own AD FS instance and domain. In this set, the AD FS Server has a Claims Provider Trust configured to the issuing AD FS server. Our AD FS server operates as an SP-STS by transforming and validating claims issued elsewhere, and reissuing a trusted token to our application. The IdP is the other domain's AD FS server, where our AD FS server is configured as a relying party.


                                3. External users without corporate login. These users authenticate to small .Net STS which is configured as a Claims Provider Trust on our AD FS server. (We did also consider - and it was technically straightforward - to use Azure Active Directory B2C for this role, but other concerns prevented it.)


                                Tokens are issued as:
                                Depiction of token issuance



                                To make it transparent for our customers, we use IP ranges to detect (via nginx) and redirect to the appropriate corporate AD FS – and otherwise rely upon the standard AD FS HRD page.






                                share|improve this answer



























                                  0














                                  I've done this. In our model, we have three sets of users:



                                  1. Internal users authenticating via Active Directory (Kerberos or NTFS) against the local AD FS instance. In this set, the AD FS server runs as the IdP.


                                  2. External users authenticating via Active Directory (Kerberos or NTFS) against their own AD FS instance and domain. In this set, the AD FS Server has a Claims Provider Trust configured to the issuing AD FS server. Our AD FS server operates as an SP-STS by transforming and validating claims issued elsewhere, and reissuing a trusted token to our application. The IdP is the other domain's AD FS server, where our AD FS server is configured as a relying party.


                                  3. External users without corporate login. These users authenticate to small .Net STS which is configured as a Claims Provider Trust on our AD FS server. (We did also consider - and it was technically straightforward - to use Azure Active Directory B2C for this role, but other concerns prevented it.)


                                  Tokens are issued as:
                                  Depiction of token issuance



                                  To make it transparent for our customers, we use IP ranges to detect (via nginx) and redirect to the appropriate corporate AD FS – and otherwise rely upon the standard AD FS HRD page.






                                  share|improve this answer

























                                    0












                                    0








                                    0







                                    I've done this. In our model, we have three sets of users:



                                    1. Internal users authenticating via Active Directory (Kerberos or NTFS) against the local AD FS instance. In this set, the AD FS server runs as the IdP.


                                    2. External users authenticating via Active Directory (Kerberos or NTFS) against their own AD FS instance and domain. In this set, the AD FS Server has a Claims Provider Trust configured to the issuing AD FS server. Our AD FS server operates as an SP-STS by transforming and validating claims issued elsewhere, and reissuing a trusted token to our application. The IdP is the other domain's AD FS server, where our AD FS server is configured as a relying party.


                                    3. External users without corporate login. These users authenticate to small .Net STS which is configured as a Claims Provider Trust on our AD FS server. (We did also consider - and it was technically straightforward - to use Azure Active Directory B2C for this role, but other concerns prevented it.)


                                    Tokens are issued as:
                                    Depiction of token issuance



                                    To make it transparent for our customers, we use IP ranges to detect (via nginx) and redirect to the appropriate corporate AD FS – and otherwise rely upon the standard AD FS HRD page.






                                    share|improve this answer













                                    I've done this. In our model, we have three sets of users:



                                    1. Internal users authenticating via Active Directory (Kerberos or NTFS) against the local AD FS instance. In this set, the AD FS server runs as the IdP.


                                    2. External users authenticating via Active Directory (Kerberos or NTFS) against their own AD FS instance and domain. In this set, the AD FS Server has a Claims Provider Trust configured to the issuing AD FS server. Our AD FS server operates as an SP-STS by transforming and validating claims issued elsewhere, and reissuing a trusted token to our application. The IdP is the other domain's AD FS server, where our AD FS server is configured as a relying party.


                                    3. External users without corporate login. These users authenticate to small .Net STS which is configured as a Claims Provider Trust on our AD FS server. (We did also consider - and it was technically straightforward - to use Azure Active Directory B2C for this role, but other concerns prevented it.)


                                    Tokens are issued as:
                                    Depiction of token issuance



                                    To make it transparent for our customers, we use IP ranges to detect (via nginx) and redirect to the appropriate corporate AD FS – and otherwise rely upon the standard AD FS HRD page.







                                    share|improve this answer












                                    share|improve this answer



                                    share|improve this answer










                                    answered 23 mins ago









                                    MitchMitch

                                    1,95211 silver badges20 bronze badges




                                    1,95211 silver badges20 bronze badges



























                                        draft saved

                                        draft discarded
















































                                        Thanks for contributing an answer to Server Fault!


                                        • Please be sure to answer the question. Provide details and share your research!

                                        But avoid


                                        • Asking for help, clarification, or responding to other answers.

                                        • Making statements based on opinion; back them up with references or personal experience.

                                        To learn more, see our tips on writing great answers.




                                        draft saved


                                        draft discarded














                                        StackExchange.ready(
                                        function ()
                                        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f972252%2fcan-adfs-connect-to-other-sso-services%23new-answer', 'question_page');

                                        );

                                        Post as a guest















                                        Required, but never shown





















































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown

































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown







                                        Popular posts from this blog

                                        Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

                                        Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

                                        In Tikz, how to set a node's label alignment to the left?Rotate a node but not its content: the case of the ellipse decorationHow to define the default vertical distance between nodes?Numerical conditional within tikz keys?TikZ/ERD: node (=Entity) label on the insideLine up nested tikz enviroments or how to get rid of themVertically align a tikzpicture and forestDrawing tikz line in the margin for multiple pagesLongtable, contained tikz, padding, custom columns, and an alignment issueTikZ: define arrow starting position based on style and format node labelAlign node name in Tikz