Configuring multiple RPTs that authenticate through an IdP in a different forest

  • Question

  • I have two different domains, A.NET and B.NET, both with ADFS, and because of security considerations I can't create a forest trust between them. B.NET needs to host 50+ Relying Party Trusts to SPs that authenticate users from the A.NET domain. 

    From what I understand, this would typically be done by creating a Claims Provider Trust from B.NET to A.NET and an RPT from A.NET to B.NET, and then an RPT to each SP in B.NET. Is this correct? Additionally, where are the claim rules handled? For example, do I need to configure claim rules for each RPT on B.NET ONLY, or do I also need to configure ALL of those claim rules on that one RPT in A.NET going to B.NET? If that's the case then I don't think this would work at all, since there are many claim rules that would wind up conflicting with each other.

    Tuesday, June 5, 2018 10:12 PM

Answers

  • There are different types of rules: acceptance rules are at the IdP level and issuance transformation rules at the RP level.

    So let's say you have a user alice@a.net accessing an application (Application B) federated with an ADFS farm of b.net (and assuming a.net ADFS is a claims provider trust on b.net); we will have the following config:

    A.NET ADFS
    Relying Party Trust: B.NET ADFS
    Claim Provider Trust: A.NET AD

    B.NET ADFS
    Claim Provider Trust: B.NET AD
    Claim Provider Trust: A.NET ADFS
    Relying Party Trust: Application B

    The user connects to Application B and gets redirected to B.NET ADFS.
    The user is prompted with Home Realm Discovery (you can customize this experience by bypassing it for local users, for specific applications, etc.).
    The user is redirected to A.NET (because they chose it on the previous HRD page).
    The user authenticates with their local AD; we process the acceptance rules of the AD Claims Provider Trust in A.NET.
    Then we process the issuance transformation rules of the RP "B.NET ADFS" on A.NET ADFS.
    Then we get redirected to B.NET ADFS and process the acceptance rules of the A.NET ADFS Claims Provider Trust on B.NET. Finally we process the issuance transformation rules of the RP "Application B".



    • Marked as answer by J Scott_ Monday, June 11, 2018 3:19 PM
    Monday, June 11, 2018 1:47 PM
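The flow in the answer above, as an added PowerShell example that is not part of the original post. It configures each of the four trusts the answer lists and shows where each kind of rule lives: acceptance transform rules on the claims provider trusts, issuance transform rules on the relying party trusts. It goes one step beyond the answer by carrying a non-default attribute (initials) end to end, so the rule needed at each hop is visible. The hostnames adfs.a.net and adfs.b.net, the application identifier https://appb.b.net/ and the claim type URI http://a.net/claims/initials are assumed placeholders; the cmdlets and claim rule syntax are those of the ADFS PowerShell module.

```powershell
# Added example (not from the original post): wires up the two-hop
# federation the answer describes, A.NET ADFS -> B.NET ADFS -> Application B.
# Assumed placeholders: the two ADFS hostnames, the app identifier
# https://appb.b.net/ and the custom claim type http://a.net/claims/initials.
# Run the A.NET section on an A.NET ADFS server and the B.NET section on a
# B.NET ADFS server, in an elevated PowerShell session with the ADFS module.

$WinAcct  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$Upn      = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$Initials = 'http://a.net/claims/initials'   # assumed custom claim type

# Authorization rule used on both relying party trusts: permit everyone who
# authenticates. Tighten this per application in a real deployment.
$PermitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# ================= A.NET ADFS =================
# The built-in "Active Directory" claims provider trust has already accepted
# windowsaccountname for the AD-authenticated user. The issuance transform
# rules on the RPT "B.NET ADFS" look that user up in A.NET AD and issue UPN
# plus initials toward B.NET.
$ANetIssuance = @"
@RuleName = "Issue UPN and initials from A.NET AD"
c:[Type == "$WinAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("$Upn", "$Initials"),
          query = ";userPrincipalName,initials;{0}",
          param = c.Value);
"@

Add-AdfsRelyingPartyTrust -Name 'B.NET ADFS' `
    -MetadataUrl 'https://adfs.b.net/FederationMetadata/2007-06/FederationMetadata.xml'
Set-AdfsRelyingPartyTrust -TargetName 'B.NET ADFS' `
    -IssuanceTransformRules $ANetIssuance `
    -IssuanceAuthorizationRules $PermitAll

# ================= B.NET ADFS =================
# Acceptance transform rules on the claims provider trust for A.NET ADFS
# decide which incoming claim types enter the pipeline. B.NET has no
# attribute store for A.NET users, so a claim that is not issued here is
# gone before any RPT's issuance rules run.
$BNetAcceptance = @"
@RuleName = "Accept UPN from A.NET ADFS"
c:[Type == "$Upn"] => issue(claim = c);

@RuleName = "Accept initials from A.NET ADFS"
c:[Type == "$Initials"] => issue(claim = c);
"@

Add-AdfsClaimsProviderTrust -Name 'A.NET ADFS' `
    -MetadataUrl 'https://adfs.a.net/FederationMetadata/2007-06/FederationMetadata.xml'
Set-AdfsClaimsProviderTrust -TargetName 'A.NET ADFS' `
    -AcceptanceTransformRules $BNetAcceptance

# Per-application issuance rules on the RPT for Application B. Each of the
# 50+ application RPTs gets its own rule set here; they do not interact.
$AppBIssuance = @"
@RuleName = "Pass UPN to Application B"
c:[Type == "$Upn"] => issue(claim = c);

@RuleName = "Pass initials to Application B"
c:[Type == "$Initials"] => issue(claim = c);
"@

Add-AdfsRelyingPartyTrust -Name 'Application B' `
    -Identifier 'https://appb.b.net/' `
    -WSFedEndpoint 'https://appb.b.net/'
Set-AdfsRelyingPartyTrust -TargetName 'Application B' `
    -IssuanceTransformRules $AppBIssuance `
    -IssuanceAuthorizationRules $PermitAll `
    -ClaimsProviderName @('A.NET ADFS')   # one CPT for this app: HRD page is skipped

# Optional: let B.NET's own intranet users skip HRD farm-wide.
# Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

# Check what each trust will actually accept / issue.
Get-AdfsClaimsProviderTrust -Name 'A.NET ADFS'  | Select-Object -ExpandProperty AcceptanceTransformRules
Get-AdfsRelyingPartyTrust   -Name 'Application B' | Select-Object -ExpandProperty IssuanceTransformRules
```

Each trust holds its own rule set, which is why the application RPTs on B.NET do not share rules or conflict: the single RPT on A.NET issues the union of claims the downstream applications consume, the CPT on B.NET accepts that set once, and each application RPT selects what it needs from it. The two Get- cmdlets at the end print the stored rule text so you can confirm what was applied on each side.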

All replies

  • Thanks for the insight Pierre, this is very helpful! 
    Monday, June 11, 2018 3:22 PM
  • I have a follow-up question to this regarding the Acceptance Transform Rules. The default AD Claims Provider Trust includes a number of pre-configured rules for various attributes to be passed through, such as Windows account name, Name, and UPN. However, I have claim rules to pass through attributes (e.g. "initials" or "telephone number") that do not exist in the list of Acceptance Transform Rules, and those work just fine.

    Would the Claims Provider Trust in A.NET ADFS to B.NET ADFS work the same way? If I configure that to have the same Acceptance Transform Rules the default AD Claims Provider Trust has, should other attributes such as "initials" also be passed through if there's a claim rule for that in a Relying Party Trust, or would I need to add a new Acceptance Transform Rule specifically for "initials"?

    Thanks,

    James

    Monday, June 11, 2018 10:08 PM