ADFS 2016 - Claims Provider Trust to external IdP

  • Question

  • I have the Following Scenario:

    A client from one company, in this case the Identity Provider (IdP), tries to access a web app of the second company, the Service Provider (SP). The authentication happens between those two ADFS servers using AD groups of the IdP.

    Do I have to create a Claims Provider Trust on the SP's ADFS server (red) with the IdP's ADFS server, for example by running the following script?

    # Acceptance transform rule for the Claims Provider Trust:
    # pass the IdP's Group claims through unchanged.
    $ATR = @"
      @RuleTemplate = "MapClaims"
      @RuleName = "GroupsTransformed"
      c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
       => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Issuer = c.Issuer,
      OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
    "@

    # Create the trust on the SP's ADFS from the IdP's federation metadata.
    Add-AdfsClaimsProviderTrust `
        -Name "CPT to IDP" `
        -MetadataURL "https://adfs01.Company1.com/federationmetadata/2007-06/federationmetadata.xml" `
        -AcceptanceTransformRules $ATR

    I have a lab and the access works by creating this trust, but I want to be sure that this is not a misconfiguration.

    Wednesday, October 18, 2017 7:25 AM

Answers

  • Yes, that's the normal way to do this.

    • Marked as answer by 1.FreddyD Thursday, October 19, 2017 4:34 AM
    Wednesday, October 18, 2017 6:06 PM
  • Agree with nzpcmad1.

    Just add the metadata from the ADFS in one company as a Claims Provider Trust, and the metadata of the other ADFS as a Relying Party Trust on the other server.

    ADFS metadata contains both an IDPSSODescriptor and an SPSSODescriptor by default.

    /jocke

    • Marked as answer by 1.FreddyD Thursday, October 19, 2017 4:34 AM
    Wednesday, October 18, 2017 8:44 PM
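The two halves of the trust that the question's script and the answer above describe, written out as one added example. This is not code from the thread: the SP-side metadata URL, the "WebApp" relying party name, the "WebAppUsers" group and the "Company1-" prefix are assumptions chosen for illustration. It goes one step beyond the thread by scoping what each side issues and accepts, and by reading the trust back afterwards.

```powershell
# Added example, not from the original thread. Placeholders (assumptions):
# adfs01.company2.com, "WebApp", "WebAppUsers", the "Company1-" prefix.
# Run each half on the server it names, in an elevated session with the
# ADFS module loaded. Both metadata URLs must be reachable over HTTPS with a
# certificate the fetching server trusts, or the Add-* cmdlets will fail.

#---------------------------------------------------------------------------
# 1) On the IdP's ADFS (Company1): the SP's ADFS becomes a Relying Party Trust.
#---------------------------------------------------------------------------

# Issuance transform rules: look up the user's AD group memberships
# (tokenGroups = unqualified group names) and send them as Group claims,
# plus the UPN so the SP can identify the user.
$IssuanceRules = @'
@RuleName = "Send tokenGroups as Group claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

# Issuance authorization rules: do not hand out a token for this partner to
# every AD user. "add" puts the group names into the pipeline for the next
# rule without emitting them; the second rule issues the permit claim ADFS
# looks for. ("WebAppUsers" is an assumed group name.)
$AuthzRules = @'
@RuleName = "Look up groups for authorization"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Permit members of WebAppUsers"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "WebAppUsers"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name "RPT to Company2 SP" `
    -MetadataUrl "https://adfs01.company2.com/federationmetadata/2007-06/federationmetadata.xml" `
    -IssuanceTransformRules $IssuanceRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true   # follow partner cert rollover

#---------------------------------------------------------------------------
# 2) On the SP's ADFS (Company2): the IdP's ADFS becomes a Claims Provider Trust.
#---------------------------------------------------------------------------

# Acceptance transform rules: accept only the claim types the web app needs,
# and prefix the partner's group names so they can never be confused with
# groups from Company2's own AD (e.g. a local "WebAppUsers").
$AcceptanceRules = @'
@RuleName = "Accept partner Group claims with Company1- prefix"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "Company1-" + c.Value, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "Accept partner UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

Add-AdfsClaimsProviderTrust -Name "CPT to Company1 IdP" `
    -MetadataUrl "https://adfs01.Company1.com/federationmetadata/2007-06/federationmetadata.xml" `
    -AcceptanceTransformRules $AcceptanceRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# The web app's own Relying Party Trust on Company2's ADFS (assumed to exist
# as "WebApp") then authorizes on the prefixed claim, and is limited to the
# claims providers that are allowed to sign users in to it.
$WebAppAuthzRules = @'
@RuleName = "Permit Company1 WebAppUsers"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Company1-WebAppUsers"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName "WebApp" `
    -IssuanceAuthorizationRules $WebAppAuthzRules `
    -ClaimsProviderName @("Active Directory", "CPT to Company1 IdP")

# Read the trust back: the Identifier should be the partner's entityID from
# its metadata, and a token-signing certificate must have been imported.
Get-AdfsClaimsProviderTrust -Name "CPT to Company1 IdP" |
    Select-Object Name, Identifier, Enabled, TokenSigningCertificates
```

The pass-through rule in the question is not wrong, but it accepts every Group claim the partner chooses to send, so a group named like one of the SP's own would be honoured as if it were local. Prefixing on acceptance and authorizing on the prefixed value keeps the decision on the SP side.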
