Re: Domain registration requirement in federated web sso with fore
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 10 Aug 2007 22:26:13 -0500
The only really straightforward way to provide attribute data about the
authenticated user when crossing federation boundaries is via claims. The
claims are very easy things to get working, as you just create them in your
organizational claims set and then configure the extractions for the
account store to map the AD attribute data to the claims. In order to make
those claims go to an external resource partner, you just add them in the
configuration for the external partner and give them whatever name you want
them to appear as at the external partner.
The resource partner needs to have the matching claims configured in their
partner configuration and in their organizational claims set. They also
need to be enabled for the applications that will receive them.
The trickier part is receiving these claims in the application, as you
really need a claims-aware application to get them. MOSS 2007 can be
configured as a claims-aware application, but they don't provide a really
straightforward way to get the custom claims, as MOSS uses the
membership/role provider framework and the ADFS role provider just maps the
group claims to roles. You can write your own code to get the claims data
though.
For a token-based application, there isn't a straightforward way to get the
claims unless you integrate the application as both token and claims (which
you can do). Token-based applications just map the federated user to a
security principal in the resource forest (as you probably know). The
problem for claims aware apps is that the only supported model for getting
the claims is with a .NET 2.0 app, so if you have something written for
another platform (ASP, older .NET, etc.) there isn't really a way to deal
with that either.
I'm not aware of much good training or documentation on this stuff out there
just yet. It will get there eventually, but so far there hasn't been a lot
of investment there yet.
You could solve the problem by syncing the data across into some sort of
store like an ADAM database, but that is really sort of an "anti-federation"
approach and involves a lot of extra work, so if you can avoid that, you'll
be better off.
Start a new thread if you want to talk more about claims-aware applications
and see if you can ask some specific questions.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
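As an added example, not code from the original thread and not an ADFS API (ADFS in this era was configured through its MMC snap-in and trust policy, not through code), here is a small Python model of the claim path Joe describes: an AD attribute is extracted into an organizational claim at the account partner, renamed for the resource partner in the outgoing mapping, mapped back into the resource partner's organizational claim set, and finally filtered to the claims enabled for the receiving application. Every claim name, attribute value and mapping below is constructed; the point is to show where a claim silently drops out when one of those four configuration steps is missing.

```python
# Added example: a model of the ADFS v1 claim flow described in the post above.
# All names, attribute values and mappings are constructed for illustration.
from dataclasses import dataclass


@dataclass
class AccountPartner:
    """The account-side federation server (owns the AD account store)."""
    organizational_claims: set
    extractions: dict      # AD attribute name -> organizational claim
    outgoing: dict         # organizational claim -> claim name sent to resource partner


@dataclass
class ResourcePartner:
    """The resource-side federation server in front of the applications."""
    organizational_claims: set
    incoming: dict         # claim name on the wire -> resource organizational claim
    app_claims: dict       # application -> set of organizational claims enabled for it


def extract_claims(ad_user, ap):
    """Account-store extraction: populate organizational claims from AD attributes."""
    claims = {}
    for attr, claim in ap.extractions.items():
        if claim not in ap.organizational_claims:
            raise ValueError(f"extraction targets unknown organizational claim {claim!r}")
        value = ad_user.get(attr)
        if value:                       # empty or missing attribute -> no claim
            claims[claim] = value
    return claims


def federate(ad_user, ap, rp, app):
    """Return (claims the application sees, list of (claim, reason) that were dropped)."""
    dropped = []
    org_claims = extract_claims(ad_user, ap)

    # 1. Outgoing mapping at the account partner: unmapped claims never leave.
    on_wire = {}
    for claim, value in org_claims.items():
        if claim in ap.outgoing:
            on_wire[ap.outgoing[claim]] = value
        else:
            dropped.append((claim, "not mapped for resource partner"))

    # 2. Incoming mapping at the resource partner: the wire name must match exactly
    #    and the target must exist in the resource partner's organizational claim set.
    received = {}
    for name, value in on_wire.items():
        target = rp.incoming.get(name)
        if target is None or target not in rp.organizational_claims:
            dropped.append((name, "no matching claim at resource partner"))
        else:
            received[target] = value

    # 3. Application enablement: only claims enabled for this app are issued to it.
    enabled = rp.app_claims.get(app, set())
    visible = {}
    for claim, value in received.items():
        if claim in enabled:
            visible[claim] = value
        else:
            dropped.append((claim, f"not enabled for application {app!r}"))
    return visible, dropped


# Constructed sample data: one AD user and one account/resource partner pair.
AD_USER = {"mail": "jdoe@corp.example", "telephoneNumber": "+1 555 0100",
           "streetAddress": "1 Main St", "department": "Finance"}

ACCOUNT = AccountPartner(
    organizational_claims={"EmailAddress", "Phone", "Address", "Department"},
    extractions={"mail": "EmailAddress", "telephoneNumber": "Phone",
                 "streetAddress": "Address", "department": "Department"},
    outgoing={"EmailAddress": "EmailAddress", "Phone": "PartnerPhone",
              "Address": "PartnerAddress"},          # Department deliberately not sent
)

RESOURCE = ResourcePartner(
    organizational_claims={"EmailAddress", "Phone", "Address"},
    incoming={"EmailAddress": "EmailAddress", "PartnerPhone": "Phone"},  # PartnerAddress forgotten
    app_claims={"moss": {"EmailAddress", "Phone"}, "legacy": {"EmailAddress"}},
)

if __name__ == "__main__":
    for app in ("moss", "legacy"):
        visible, dropped = federate(AD_USER, ACCOUNT, RESOURCE, app)
        print(app, visible)
        for claim, why in dropped:
            print("  dropped:", claim, "-", why)
```

Running it shows the three distinct failure points a practitioner hits in practice: Department never leaves the account partner because it has no outgoing mapping, PartnerAddress arrives at the resource partner but has no incoming mapping, and Phone reaches the resource partner but is not enabled for the legacy application. Each of those is a configuration gap on one specific side of the trust, which is where to look before touching application code.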
"Devdutta" <Devdutta@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0BC53694-41F1-4133-9330-33567C046552@xxxxxxxxxxxxxxxx
Thanks a lot Joe.
I need some help on ADFS. In our project, we need to provide internal
domain users access to the applications running on the external DMZ
domain.
We used the Federated Web SSO scenario and internal users can access the
application now.
Now, how can the applications of the DMZ domain access the internal user's
Active Directory attributes like address, phone no. etc.? Normally, in the
intranet, we use the AD LDAP interface to show the information on the
application pages. I know there is a concept of custom claims, but I don't
know how to configure and access those claims. Our websites and applications
are MOSS 2007 sites and some NT token-based applications written in different
languages.
Could you please help us on this? If there is any study material or
webcast demo available on any site you know, please let me know. I have
already watched the .NET Show on ADFS available on the MSDN site.
"Joe Kaplan" wrote:
I think you should post this question in a SharePoint or IIS newsgroup.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Devdutta" <Devdutta@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3A539566-36FF-4A2F-8C37-BBB0E8F7AD51@xxxxxxxxxxxxxxxx
Hi,
I don't know if this is the right place to post this question. If anybody
knows the right group, please refer me.
We have 2 servers in production running existing applications and those
servers are in NLB. What would be the strategy for the installation? As per
my knowledge, if we set up a SharePoint web farm with 2 or more web servers,
the servers are automatically load balanced. But in our case, those servers
are already using NLB. I am not an infrastructure guy, so I don't have much idea
about NLB either. Could anybody help me out?
Regards,
Dev
"Joe Kaplan" wrote:
I answered that question in my other message which was a reply to your
previous message in the thread. Did you miss it? I can dig it out of the
group somewhere if you didn't see it.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Anindya_TCS" <AnindyaTCS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C4D0C51B-A21A-41A8-949F-0D1908730C81@xxxxxxxxxxxxxxxx
Thanks a lot Joe for this useful information. I would like to ask you one
more question, which is on a different topic.
We have some applications written in non-Microsoft languages like Java,
Perl, ColdFusion. Those applications use Active Directory to authenticate
their users. Those applications are accessing AD through the AD LDAP
interface. Could these applications be called Windows NT token-based
applications in terms of ADFS? Is it possible to make these applications SSO
enabled using ADFS? Apologies for my ignorance, but we really need this
information.
"Joe Kaplan" wrote:
That isn't a bad scenario for the forest trust option. I generally like to
establish the federation trust with certificates rather than via a forest
trust as I think it is more "pure", but since you already have the
forest trust in place, it isn't so bad. What I don't like about it is that
it requires more connectivity between the two forests than you really need
in federation and it can make certain things more complicated in
Windows/token auth situations since the foreign domain SIDs can be used as
well.
I wouldn't worry about it too much though.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Anindya_TCS" <AnindyaTCS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A6A28D23-33B4-4979-8801-168B8B6DF26F@xxxxxxxxxxxxxxxx
Thanks for your reply Joe.
We have chosen Federated SSO with Forest Trust, because we have some token-based
applications written in ASP and we need to give access to both internet
users and intranet users. The applications (resources) are deployed in the
external domain located in the DMZ. We have 2 Active Directory domains in the
same organization. The external domain contains the external user credentials
and the internal AD contains the employees' credentials. Our scenario matches
exactly the diagram for Federated SSO with Forest Trust (published on the
TechNet site as well as in the ADFS help file). Could you please let us know
if we are choosing the wrong scenario?
"Joe Kaplan" wrote:
Why are you doing web SSO with forest trust, out of curiosity?
Regarding the DNS requirements, it all depends on where the web browsers
that will access those resources are. If the browsers are on the public
internet, then the DNS entries for the resources will need to be
external/public and the web sites will need to be public facing as well.
However, it is possible that some browsers may only access certain
components from within their own organization on their private network, so
the DNS registration for those resources could be internal.
The key thing to understand is that the browser will need access to:
- The web app being federated
- The resource FS that protects the above mentioned app
- The account FS that they log in to if they do not log in via an account
store on the resource FS
So, drawing a picture of those components and the potential locations of the
browser clients will make the DNS requirements more obvious.
In some cases when using the proxy, you want the proxy and the FS to have
the same DNS name, but the proxy is registered externally and the FS is
registered internally. This way, clients on the public internet will get
the proxy when directed to the FS host name, but clients inside the firewall
will get the FS directly.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Anindya_TCS" <AnindyaTCS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EE6D5109-D8CB-468B-A85E-E2F10CBFA626@xxxxxxxxxxxxxxxx
Hello,
I am going to configure Federated Web SSO with forest trust for one of my
web resources.
I have two ADFS servers and two ADFS server proxies.
Can anyone please tell me what the requirement for domain name registration
is?
Should both the account and resource domain names be published to the
internet?