Single Sign-on with smartermail.

  • Question

  • Hi,

    My organization wants to set up single sign-on with a couple of applications: one is SmarterMail and the other is a .NET-based intranet portal.

    SmarterMail has its own capability to connect with Active Directory and provide authentication to Windows users.

    The .NET-based application is an intranet application and supports Windows authentication; once a user logs in to the intranet portal he will have his email and other application links there, where he is supposed to be redirected with his login information and with no need to sign in again.

    The back end is a Primary domain controller (PDC) and an ADC; ADFS 3.0 is installed on the ADC, and Web Application Proxy is installed on a separate server. The ADFS IdP URL is working on the public internet.

    I have added the ADFS certificates to the intranet application (IApp) and vice versa. Now the issue occurs when I install and run the WIF utility on IApp: it alters the web.config file of IApp. The WIF utility adds a piece of code at the beginning of web.config, which results in a sign-in loop at the portal login window. It also removes the default sign-in page and calls the Windows login security dialogue box, and the same happens with the SmarterMail email server.

    Here I need a suggestion: how do I add an application trust to ADFS 3.0 for an application which has inbuilt Windows authentication?

    Tuesday, March 14, 2017 6:11 AM

All replies

  • If you want to publish this application externally, you can create a Non-Claims-Aware relying party trust and publish the application with WAP. In that case there is nothing to do at the application level. So you still have the good old SSO on premises, and you have a web form if you want to access the app from the Internet. Is that what you would like to do?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, March 14, 2017 12:50 PM
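
    The following is an added example, not part of the thread or of any poster's reply, showing the two configuration steps Pierre's answer refers to: a non-claims-aware relying party trust on the AD FS 3.0 server, and a WAP publishing rule that pre-authenticates at AD FS and then hands the request to the Windows-authenticated portal by Kerberos constrained delegation. Every URL, SPN, certificate thumbprint and display name below is a hypothetical placeholder for the thread's "user portal"; the cmdlets and parameters are the ones shipped with Windows Server 2012 R2.

```powershell
# Added example (not from the thread). All values below are assumed placeholders:
#   https://portal.example.com/   external URL of the "user portal"
#   https://portal.corp.local/    internal (backend) URL the WAP server forwards to
#   HTTP/portal.corp.local        SPN of the IIS application pool account on the backend,
#                                 used for Kerberos constrained delegation from WAP
# Run the first section on the AD FS server and the second on the WAP server,
# both in an elevated PowerShell session.

# --- AD FS server: relying party trust for an app that does Windows auth itself ---
Import-Module ADFS

# A non-claims-aware trust issues no claims to the application; it only decides
# whether the pre-authenticated user may reach it. The single rule below permits
# every authenticated user; tighten it with group-based conditions if required.
Add-AdfsNonClaimsAwareRelyingPartyTrust `
    -Name 'User Portal (non-claims-aware)' `
    -Identifier 'https://portal.example.com/' `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- WAP server: publish with AD FS pre-authentication and KCD to the backend ---
Import-Module WebApplicationProxy

Add-WebApplicationProxyApplication `
    -Name 'User Portal' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl 'https://portal.example.com/' `
    -ExternalCertificateThumbprint '<THUMBPRINT-OF-PORTAL-CERT>' `
    -BackendServerUrl 'https://portal.corp.local/' `
    -ADFSRelyingPartyName 'User Portal (non-claims-aware)' `
    -BackendServerAuthenticationSPN 'HTTP/portal.corp.local'

# --- Checks: confirm both objects exist with the expected identifier and SPN ---
Get-AdfsNonClaimsAwareRelyingPartyTrust -Name 'User Portal (non-claims-aware)' |
    Select-Object Name, Identifier
Get-WebApplicationProxyApplication -Name 'User Portal' |
    Select-Object Name, ExternalPreauthentication, BackendServerUrl, BackendServerAuthenticationSPN
```

    Two points a practitioner would check before relying on this. First, the WAP computer account must be allowed in Active Directory to delegate to the backend SPN using any authentication protocol (constrained delegation with protocol transition), because the proxy never holds the user's own Kerberos ticket; without that, AD FS pre-authentication succeeds but the backend returns 401. Second, this design assumes the portal runs on a separate backend server behind WAP; hosting the portal on the WAP server itself, as the scenario later describes, leaves nothing for the proxy to stand in front of and removes the pre-authentication layer it is meant to provide.
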
  • The behaviour you document - changes to web.config, loss of the internal login page etc. - is exactly what WIF is supposed to do.

    WIF by default forces you to the ADFS login page.

    The normal reason for the loop is because of the WIF trailing slash issue. There needs to be one in your identifier.

    As @Pierre says, publish a non-claims app.

    Tuesday, March 14, 2017 5:56 PM
  • Thanks Pierre,

    That is exactly what I want to do. Basically both applications, "User portal" and "Smarter mail", have the ability to authenticate with the Active Directory server, so I don't want to disturb anything at the application level.

    Altogether we want that when a user logs in to "User portal" with his domain credentials, he will find 2-3 link buttons inside the portal. Web-Mail will be one of the links, where he/she can go without needing to enter credentials again. This is supposed to work from the intranet or the extranet.

    Scenario in brief:

    • PDC, ADC, WAP, Webmail (4 servers) on Windows Server 2012 R2 Standard
    • PDC roles: Active Directory Users and Computers, DNS, GC
    • ADC roles: Active Directory, ADFS 3.0, Web Server, Certification Authority; configured as an additional domain controller
    • WAP roles: Web Server, Remote Access (joined to PDC's domain); WAP installed and ADFS URL published, all endpoints working correctly; the same server is hosting a .NET web application, "user Portal"
    • Webmail server: Web Server, joined to PDC's domain, hosting a .NET application, "smarter mail", which provides webmail and chat service

    All the above servers are in the same subnet; "user portal" is in the DMZ on a public IP.

    Let me know if you need more information. I would appreciate it if you could help me by sharing more information on non-claims-aware relying party trusts.

    Wednesday, March 15, 2017 9:10 AM
  • Hi,

    But if WIF alters the "web.config" of my webmail server, then the user can log in to the portal but will see only an error on the page, as the application will get confused and be unable to identify what it is supposed to do. I have tried that as well.

    So I am looking for any alternative solution.

    Wednesday, March 15, 2017 9:14 AM