Re: ADFS - SAML audience
- From: Dima <Dima@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 15 Jan 2007 08:34:00 -0800
Hm, now that I try it, it works ok, but before it was failing due to an
invalid SAML audience tag. Oh, well, I guess it does work as SSO. No idea
what I changed in configuration...
"Joe Kaplan" wrote:
Yeah, I think you may be missing something here. When you log into an app.
via ADFS, you actually are issued a logon cookie from both the FS and the
app. The cookie for the app just lets you into the app. If you want to log
into a different ADFS app, it will redirect you back to the FS. In this
case, since you have a logon cookie from the FS, you SSO into the FS and it
issues you a different cookie for the second app. Now you have three
cookies. It is still SSO because all of these redirects happen
automatically and the user is not reprompted for credentials (assuming the
FS logon cookie has not expired).
It is necessary for it to work this way because each app can have a
different claim set and thus different contents in the SAML token. This is
also how the SAML audience ends up making sense, as each logon cookie/token
is really just intended for that one particular app.
The FSP is really just there to provide a way to support forms-based
authentication for users who can't do IWA auth (which is the default
configuration of the FS). Typically, users outside the firewall can't do
IWA, so the FSP is set up out there to service those users.
As we discussed previously, it is more complex with ADAM since ADAM users
can't do IWA auth, then need forms auth (or the basic auth supported by
ADFS) all the time. As such, you end up having to be a little more creative
with your FS usage when involving ADAM.
If you were doing a pure "inside the firewall" web SSO with a set of web
apps, you could just use the FS. You don't really need the proxy. The only
issue then would be how you authenticated your ADAM users. If you put the
ADAM store in a separate federation server, then it is easier, as they can
be differentiated via home realm discovery from your internal users and the
internal users can just use IWA off of the FS itself. If you were to
combine ADAM and AD users in the same federation server, you'd need to make
sure you are always prompting for plaintext credentials with either the
logon form or basic auth.
A lot depends on the details of how you want your stuff to work and what
your deployment constraints around the network are. The bottom line is that
the MS docs are just a guide, but it is more ultimately helpful to
understand how things work under the hood so that you can weave your own
scenarios.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dima" <Dima@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:817FA6A5-089A-4161-99A7-CA6545E29556@xxxxxxxxxxxxxxxx
Ok, let me clarify my point a bit.
Microsoft's ADFS Overview document describes three scenarios for using
ADFS,
one of them is the "Web SSO" scenario. In this scenario, they suggest that
the FSP is multihomed between internal and DMZ, as well as web/app
servers,
and FS is inside the internal network. And they suggest that this usage
scenario provides the Web SSO, by having the user log in only once to
access
all of these web/apps.
Now, since I don't have that setup and can't test it, my question is, what
is the value of SAML:audience that the user gets from that FS when
accessing
those web apps? If the value is equal to the URL for the web app being
accessed then Web SSO doesn't work, if it's the value of the FS URN then
it
does. Since Microsoft says this setup works for SSO, then I assume the
issued
SAML:audience is equal to the FS URN, but then this is in contrast to what
my
tests have showed when accessing the web app without the FSP, with only
one
FS.
Am I misinterpreting something? My original message on this thread was
whether the resource FS can issue the SAML token with SAML:audience
pointing
to itself? This was because I couldn't explain how otherwise this Web SSO
scenario Microsoft describes in their ADFS Overview doc could work.
"Joe Kaplan" wrote:
I guess I'm not totally following what you are saying. I've actually
based
my knowledge primarily on my own experiences with testing and deploying
ADFS
and less on the Microsoft documentation, so I wasn't totally familiar
with
their overview doc.
However, I don't see why the web SSO scenario can't work with either
token-based or claims-based apps. That is largely an implementation
decision for the application, but shouldn't really matter for the app's
URL.
Token-based integration gives you more compatibility, as it can basically
integrate with anything that runs on IIS and can consume Windows
security,
so it can be used with older .NET, ASP or perhaps even PHP and Java if
you
run that on Windows. Claims integration is much more flexible, but does
require .NET 2.0 for the app and may require code changes that might not
be
needed in a token app integration. There are some abstraction layers
implemented by ADFS such as the support for the standard .NET IPrincipal
object, the membership provider/role provider integration and their AzMan
integration.
Can you provide some specific examples that I can digest in regards to
your
concerns about audience and multi-homing and such? From my perspective,
multi-homed web servers are par for the course, as we do so much stuff
with
SSL internally and dealing with host headers with SSL is often
problematic
or even possible. Giving every website their own IP just makes things
easier. We also use SSL on everything though, so that is probably a big
difference thing for our internal IT and many other companies.
Our primary use case (so far) for ADFS has been external federation and
integration with vendor apps hosted in the ASP model. We already have
web
SSO internally with another product (although ADFS does provide a
possible
avenue toward consolidation of strategies at some point in the
future...).
I don't think that response was particularly helpful to you, but I'm
enjoying the conversation anyway. :)
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Dima" <Dima@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A43164AA-82FE-41BA-8EE1-9CDC95935D1A@xxxxxxxxxxxxxxxx
By Web SSO, are you referring to the usage scenario described in the
ADFS
Overview document? If so, I have a few comments:
This scenario assumes that those servers are multihomed, which is
rarely
the
case in companies that have a perimeter network.
I must admit, that usage scenario description in the ADFS Overview doc
is
somewhat unclear to me. Does it only work with Windows token-based
apps?
Or
does it work for any kind of authentication and account store?
If the resource FS issues a SAML token with the aufdience set to the
URL
of
the application then SSO isn't possible, so for the Web SSO scenario to
work
the FS would have to issue some other audience value, right?
Please be as detailed as possible.
"Joe Kaplan" wrote:
The SAML tokens are different here. The token issued to the FS
basically
logs the user into the FS. The FS then generates a different token
that
is
sent to the trusting application. This is part of the way that
different
apps can be configured to have different claim sets. They would have
to
get
their own token in order for that to work.
However, Web SSO should be possible with just one server. My previous
comments to you about putting the ADAM store in its own FS will give
you
a
bunch of additional flexibility with applications that need to
integrate
via
Windows token, but if you don't have any of those, then it won't be a
problem.
If you want me to explain the finer points on the token integration
stuff, I
can. I won't dive into unless it is important to hear about.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Dima" <Dima@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6A34E913-001B-403D-AE39-55C5D7E1A8E6@xxxxxxxxxxxxxxxx
I have a question about the <saml:Audience> tag in the SAML token.
After examining the SAML token in the ADFS log, I saw that the
resource
FS
generated SAML token contiains the audience value set to the URL of
the
application being accessed (return URL). On the other hand, the SAML
token
generated by the account FS has the audience value set to the URI of
the
resource FS (urn:federation:treyresearch). This resource FS URN
audience
is
required in order for the SSO to work. Is there any way that the
resource
FS
would generate the FS URN audience instead of the application URL?
Can
I
set
it up to be it's own account partner? I know it sounds weird, but
all I
really want is to have true SSO with only one server (resource FS).
- Follow-Ups:
- Re: ADFS - SAML audience
- From: Joe Kaplan
- Re: ADFS - SAML audience
- References:
- Re: ADFS - SAML audience
- From: Joe Kaplan
- Re: ADFS - SAML audience
- From: Joe Kaplan
- Re: ADFS - SAML audience
- From: Dima
- Re: ADFS - SAML audience
- From: Joe Kaplan
- Re: ADFS - SAML audience
- Prev by Date: Re: How to tell whihc OU the users belongs to
- Next by Date: Re: password never expires
- Previous by thread: Re: ADFS - SAML audience
- Next by thread: Re: ADFS - SAML audience
- Index(es):
Relevant Pages
|
Loading
