Question about redirects

  • Question

  • We have a partner that is trying to set up SSO with us.

    I've set up the relying party trust so we can initiate a login successfully.

    What we're trying to do is set it up so when we hit their site we get redirected back for authentication and then get forwarded back to the site logged in.

    I am wondering what I am missing here.


    http://www.365unity.com

    Tuesday, April 19, 2016 7:29 PM

Answers

  • If you hit the URL, ADFS can do the authentication in two ways.

    IDP is you (Identity Provider).

    SP is your Partner (Service Provider).

    1. It would do an IDP-initiated authentication, provided both you and your partner support RelayState (for ADFS 2.0, Rollup update 2.0 and a change in the web.config; for ADFS 2.1 and upwards, a change in the config file in c:\Windows\ADFS\).

    IDP -> SP -> App. For SAML apps this is recommended.

    2. You can do an SP-Initiated authentication.

    SP -> IDP -> SP -> APP; if your app is WS-Fed it can work provided HomeRealmDiscovery is enabled.

    Thursday, June 30, 2016 8:52 AM
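    As an added example (not code from the thread), this composes the IdP-initiated sign-on URL with RelayState that option 1 above relies on, and decodes a captured one the way you would inspect it in Fiddler; the hosts adfs.example.com and sp.example.com are constructed placeholders, and the double-encoded "RPID=...&RelayState=..." layout is the format ADFS expects once RelayState for IdP-initiated sign-on is enabled in its config.

```python
"""Build and decode ADFS IdP-initiated sign-on URLs that carry RelayState.

ADFS expects the outer RelayState query value to itself be a URL-encoded
"RPID=<relying party identifier>&RelayState=<target url>" string whose two
values were URL-encoded first, so the inner values end up encoded twice.
Hostnames used here are constructed placeholders.
"""
from urllib.parse import quote, urlsplit, parse_qs


def build_idp_initiated_url(adfs_host: str, rpid: str, target: str) -> str:
    """Compose https://<adfs>/adfs/ls/idpinitiatedsignon.aspx?RelayState=...

    Step 1: encode each inner value; step 2: join them with '=' and '&';
    step 3: encode the joined string again so those delimiters survive as
    part of a single outer query value.
    """
    inner = f"RPID={quote(rpid, safe='')}&RelayState={quote(target, safe='')}"
    outer = quote(inner, safe="")
    return f"https://{adfs_host}/adfs/ls/idpinitiatedsignon.aspx?RelayState={outer}"


def decode_relay_state(url: str) -> dict:
    """Reverse the double encoding of a captured request URL.

    Returns {"rpid": ..., "target": ...}. Raises ValueError when the outer
    RelayState is missing or the inner string has no RPID, which is what a
    single-encoded or hand-built URL looks like and why ADFS then stops at
    its own sign-on page instead of forwarding to the partner.
    """
    outer = parse_qs(urlsplit(url).query).get("RelayState")
    if not outer:
        raise ValueError("no RelayState query parameter")
    # parse_qs removed one encoding layer; the inner string still carries
    # the second layer on its own values, which this second parse removes.
    inner = parse_qs(outer[0])
    if "RPID" not in inner:
        raise ValueError("inner RelayState has no RPID; ADFS cannot pick the RP")
    return {
        "rpid": inner["RPID"][0],
        "target": inner["RelayState"][0] if "RelayState" in inner else None,
    }


if __name__ == "__main__":
    url = build_idp_initiated_url(
        "adfs.example.com", "https://sp.example.com", "https://sp.example.com/app?x=1"
    )
    print(url)
    print(decode_relay_state(url))
```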

All replies

  • I guess if you think you are missing something, it is that something doesn't work as expected. Can you give us some details about what you have done exactly and what does not work?

    Tuesday, April 19, 2016 11:21 PM
  • Oh man if I had a penny...

    Do you get any error from ADFS ?

    Do you get any error from the Service Provider/Partner?

    How far does it actually work? My best advice is to learn how to use Fiddler :-)

    Using Fiddler while trying to access your partner's web site will show if they are generating a proper RST (Request for Security Token) to your ADFS, and if your ADFS successfully handles that RST, creates a SAML token and redirects/POSTs the SAML token via the browser back to the SP.

    Friday, April 22, 2016 6:48 PM