Re: ADFS - SAML audience



The SAML tokens are different here. The token issued to the FS basically
logs the user into the FS. The FS then generates a different token that is
sent to the trusting application. This is part of the way that different
apps can be configured to have different claim sets. They would have to get
their own token in order for that to work.

However, Web SSO should be possible with just one server. My previous
comments to you about putting the ADAM store in its own FS will give you a
bunch of additional flexibility with applications that need to integrate via
Windows token, but if you don't have any of those, then it won't be a
problem.

If you want me to explain the finer points on the token integration stuff, I
can. I won't dive into it unless it is important to hear about.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dima" <Dima@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6A34E913-001B-403D-AE39-55C5D7E1A8E6@xxxxxxxxxxxxxxxx
I have a question about the <saml:Audience> tag in the SAML token.
After examining the SAML token in the ADFS log, I saw that the resource FS
generated SAML token contains the audience value set to the URL of the
application being accessed (return URL). On the other hand, the SAML token
generated by the account FS has the audience value set to the URI of the
resource FS (urn:federation:treyresearch). This resource FS URN audience is
required in order for the SSO to work. Is there any way that the resource FS
would generate the FS URN audience instead of the application URL? Can I set
it up to be its own account partner? I know it sounds weird, but all I
really want is to have true SSO with only one server (resource FS).


