ADFS application on the internet, ADFS proxy server question

  • Question

  • We have a web service hosted on the internet that we are about to configure Single Sign On (SSO) for.  People access this web service from inside our corporate network as well as from home (outside our corporate network obviously).

    Since the users can access this service from home, in order to provide a type of SSO, the users will have to be redirected to our ADFS proxy servers that we have sitting in our DMZ.  It won't be true SSO, as they will be prompted for their username/password (I'm assuming anyhow).  These ADFS proxy servers will then connect to the internal ADFS server and the internal ADFS server authenticates the user.  An HTTP post is then done from the proxy server to the web service.

    Users also access this web service from inside our corporate LAN.  In this scenario the user accesses the claims aware web service and is redirected to the internal ADFS server, which authenticates the user.  In this scenario, true SSO will happen since the user already has a Kerberos token.  An HTTP post is then done from the internal ADFS server to the web service.

    If I have made any mistakes in the above 2 scenarios, please let me know. 

    My question is:  how does the web service know whether to redirect the user to the internal ADFS server, or to redirect to the proxy ADFS server?  Is this a setting that must exist within the web service?  Such as being aware of the subnet the user is coming from for instance, and redirecting to the proper ADFS server accordingly.  Or does the web service have to set up 2 separate websites for users, one for internal access and one for external?

    I'm a little muddy on ADFS proxies in general, as this is our first usage of them.  Thanks for any help. 


    • Edited by jadedpuppy Thursday, June 6, 2013 5:16 PM
    Thursday, June 6, 2013 5:15 PM

Answers

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    Regarding this ADFS-related issue, I suggest we seek help in the ADFS forum. There you can get more effective suggestions from other experts who are familiar with this topic. Your understanding is appreciated.

    http://social.msdn.microsoft.com/Forums/en/Geneva/

    Have a nice day.

    Regards

    Kevin

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    • Proposed as answer by Meinolf Weber Monday, June 10, 2013 12:21 PM
    • Marked as answer by 朱鸿文 Tuesday, June 11, 2013 2:26 AM
    Friday, June 7, 2013 2:31 AM