WAP and Pass Through Authentication

All replies

  • I am not sure I understand everything there...

    Direct Access has nothing to do with ADFS.
    WAP has nothing to do with Direct Access.

    If you do not use WAP to make your ADFS available on the internet, the replacement has to stick to the following specs: http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5bMS-ADFSPIP%5d.pdf; if not, you will lose functionalities such as:

    • Authentication policies based on the user's location (without an MS-ADFSPIP compliant proxy, all connections will look like they are coming from internal clients, so no granularities such as SSO for internal clients and FBA for external clients, nor the ability to trigger MFA based on the location of the client)
    • Extranet Lockout Policies to prevent password discovery attacks from the internet
    • Publishing non-claim aware applications externally

    Now, maybe the replacement you'll opt for has those options, but why would you pay for something you already own :)


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, August 26, 2016 2:30 PM
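The three capabilities listed in the reply above all depend on AD FS knowing that a request came through a registered proxy. The following is an added example, not code from any participant in this thread, showing the AD FS-side settings behind two of them: the extranet lockout threshold and a location-based MFA rule keyed on the insidecorporatenetwork claim. It is meant to be run on the primary AD FS server (2012 R2 or later); the lockout threshold, observation window and rule text are assumed values chosen for illustration.

```powershell
# Added example (not from the thread). Run on the primary AD FS server.
Import-Module ADFS

# 1. Extranet lockout. AD FS only counts failed logons forwarded by a registered
#    proxy (WAP), so an external password-guessing attempt cannot lock out the
#    user's internal sessions. Threshold and window are assumed values.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 5 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 2. Location-based MFA. The insidecorporatenetwork claim is "false" only when
#    the request arrived via the proxy. Without an MS-ADFSPIP compliant proxy in
#    front of AD FS every request looks internal and this rule never fires.
$mfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# 3. Verify what was set and that a WAP is actually registered as the proxy trust;
#    if the last command returns nothing, neither feature above is effective.
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
Get-AdfsAdditionalAuthenticationRule
Get-AdfsWebApplicationProxyRelyingPartyTrust
```

The point of the last check is the one the reply makes: a third-party reverse proxy that simply forwards TCP or HTTPS to AD FS does not create that proxy trust, so AD FS cannot tell external from internal traffic and the lockout and MFA rules silently cover nothing.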
  • I am trying to get clarity from Citrix on the proposed pass through solution. I'd rather them set it up according to their documentation on the proper way to be a Reverse Proxy for ADFS.

    If I went with WAP instead of the NetScaler, is using Pass Through authentication a secure solution? Remember, my goal is simply to do SSO with outside SAAS solutions.

    Friday, August 26, 2016 3:23 PM
  • From my understanding of various solutions such as Netscaler, Kemp etc. they're not registering with the AD FS server as a genuine federation proxy (a la the MS-ADFSPIP documentation that Pierre links to), so I don't consider the functionality they provide as like-for-like in AD FS terms. Until we see products conform at that level of integration, my preference and recommendation is to use the WAP.


    http://blog.auth360.net


    • Edited by Mylo Sunday, August 28, 2016 4:55 PM
    Sunday, August 28, 2016 4:44 PM
  • OK. Say I went with WAP then. Do I understand Pass through authentication on the WAP server is secure to meet the needs of doing claims based SSO with a SAAS provider?

    Plan to Publish Applications using Pass-through Preauthentication
    https://technet.microsoft.com/en-us/library/dn383655(v=ws.11).aspx


    • Edited by IT2B Monday, August 29, 2016 2:13 PM
    Monday, August 29, 2016 2:12 PM
  • If the application is a SaaS application, you don't really need to publish it. I mean by essence, unless you are the SaaS application provider here, the SaaS application is hosted somewhere on the cloud.

    The only URL that needs to be available on the WAP is the endpoint for ADFS authentication (and that is published by default with WAP; no action is required other than installing the WAP, which will act as an ADFS Proxy). The user connects to the SaaS, gets redirected to the ADFS URL (published through the WAP). And here you go. Or am I missing something obvious here? 


    • Marked as answer by IT2B Monday, August 29, 2016 8:19 PM
    Monday, August 29, 2016 6:36 PM
  • I think you hit it. "The user connects to the SaaS, gets redirected to the ADFS URL (published through the WAP). And here you go. "

    In my example, we want to do SSO with some SAAS providers.

    1. My user would connect to the SaaS URL
    2. The request gets redirected to my ADFS URL
    3. The WAP would receive the request and send the request to my internal ADFS server (using Pass through) for authentication.

    If I understand you, in my scenario, that's all I need. No need for AD FS Pre-authentication on the WAP.

    Monday, August 29, 2016 7:01 PM
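For the three-step flow above, the WAP forwards the /adfs/ endpoints to the internal AD FS farm as soon as it is installed, and the pass-through versus AD FS pre-authentication choice only applies to applications the WAP publishes itself. The following is an added example, not code from any participant in this thread, that verifies this from the WAP side and shows the one case where pre-authentication does become relevant. It is meant to be run on the WAP server; the hostnames, application name and certificate thumbprint are placeholders.

```powershell
# Added example (not from the thread). Run on the WAP server.
Import-Module WebApplicationProxy

# The WAP's own configuration already points at the federation service; that is
# what the SaaS redirect in step 2/3 relies on. No published application is
# needed for a SaaS relying party.
Get-WebApplicationProxyConfiguration | Format-List ADFSUrl

# Pass-through vs. AD FS pre-authentication is a per-published-application
# setting. Listing them shows which (if any) skip AD FS at the edge.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication

# Only if an on-premises claims-aware app must be reachable from outside does
# publishing come into play; then AD FS pre-authentication makes the WAP demand
# a token before forwarding, whereas PassThrough forwards anonymous requests.
# Placeholders throughout; uncomment and fill in before use.
# Add-WebApplicationProxyApplication -Name 'Intranet Claims App' `
#     -ExternalPreauthentication ADFS `
#     -ADFSRelyingPartyName 'Intranet Claims App' `
#     -ExternalUrl 'https://app.contoso.example/' `
#     -BackendServerUrl 'https://app.corp.internal/' `
#     -ExternalCertificateThumbprint '<thumbprint placeholder>'

# From an external vantage point, confirm the federation endpoint answers via the
# WAP; an HTTP 200 on the metadata document is enough for the SaaS redirect.
$fs = 'adfs.contoso.example'   # placeholder federation service name
(Invoke-WebRequest -Uri "https://$fs/FederationMetadata/2007-06/FederationMetadata.xml" `
                   -UseBasicParsing).StatusCode
```

If the metadata request succeeds externally and the application list is empty, the setup matches what the replies describe: AD FS performs every authentication, the WAP merely proxies it, and "pass-through" never enters the SaaS SSO path.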
  • Hi IT2B,

    That's correct. The WAP is an AD FS Proxy out-of-the-box. You don't need to publish anything on the WAP for the SaaS application in question.


    http://blog.auth360.net


    • Edited by Mylo Monday, August 29, 2016 7:28 PM
    • Marked as answer by IT2B Monday, August 29, 2016 8:19 PM
    Monday, August 29, 2016 7:28 PM
  • Great. Thanks for answering my questions.
    Monday, August 29, 2016 8:18 PM