how do I induce ACS to pass on a required auth context to an ID provider (e.g. ADFS)


  • Sunday, June 26, 2011 4:55 AM

    Normally, we invite ADFS to negotiate the user authentication mechanism by sending a request of (wauth) form:

    https://.../adfs/ls/
    ?wa=wsignin1.0
    &wtrealm=https://.../adfs/
    &wauth=urn:oasis:names:tc:SAML:1.0:am:password\urn:ietf:rfc:2246
    &wct=2011-02-02T21:55:27Z
    &wctx=97fbd7ba-7e61-44e3-abdf-6dd428633204

    If I send a request to ACS similarly, will it pass on the ADFS IDP (say) the wauth requirement?

All Replies

  • Friday, July 01, 2011 4:21 PM
    Owner
    Proposed Answer

    The ACS team suggested that the above invite will not work as it is. In order to troubleshoot this further with you we will have to write some code and this will take time. From a support perspective this is really beyond what we can do here in the forums. If you cannot determine your answer here or on your own, consider opening a support case with us. Visit this link to see the various support options that are available to better meet your needs: https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn


    --Trevor H.
    Send files to Hotmail.com: "MS_TREVORH"
  • Friday, July 01, 2011 6:52 PM
    ACS will not pass wauth through to the identity provider. If your scenario requires this, you can use the ACS custom login page and manually add this parameter to your ADFS login URLs.
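As an added example of the workaround this reply describes (not code from the thread or from ACS itself): on an ACS custom login page, decorate the ADFS LoginUrl with wauth yourself before rendering it as a link. It assumes the ACS identity-provider JSON feed gives each provider a Name and a LoginUrl, that an ADFS provider's LoginUrl already targets /adfs/ls/ with wa, wtrealm and wctx filled in by ACS, and uses hypothetical host names.

```javascript
// Added example (not from the thread, nor ACS's own code): on an ACS custom
// login page, add wauth to the ADFS LoginUrl yourself, since ACS will not
// forward the wauth it receives from the relying party.
// Assumptions: the ACS identity-provider JSON feed gives each provider a
// Name and a LoginUrl, and for an ADFS provider that LoginUrl already targets
// /adfs/ls/ with wa, wtrealm and wctx filled in by ACS. Hosts are hypothetical.

const REQUIRED_WAUTH = "urn:oasis:names:tc:SAML:1.0:am:password"; // value from the question

// Constructed sample feed, shaped like what the custom login page receives.
const SAMPLE_FEED = [
  {
    Name: "Contoso ADFS",
    LoginUrl: "https://adfs.contoso.example/adfs/ls/?wa=wsignin1.0" +
      "&wtrealm=https%3A%2F%2Fmyns.accesscontrol.windows.net%2F&wctx=rm%3D0%26id%3Dabc",
  },
  { Name: "Other IdP", LoginUrl: "https://idp.fabrikam.example/signin?wa=wsignin1.0&wtrealm=x" },
];

// Decorate one ADFS sign-in URL with wauth. Refuse anything that is not an
// https WS-Federation sign-in request to a host we expect, so a tampered or
// unexpected LoginUrl never becomes a link the user is sent through.
function addWauth(loginUrl, wauth, allowedHosts) {
  const url = new URL(loginUrl);
  if (url.protocol !== "https:") throw new Error("refusing non-https IdP URL");
  if (!allowedHosts.includes(url.hostname)) throw new Error("unexpected IdP host: " + url.hostname);
  if (url.searchParams.get("wa") !== "wsignin1.0") throw new Error("not a WS-Fed sign-in request");
  // set() replaces any existing wauth rather than appending a second copy,
  // and percent-encodes the URN; wctx and wtrealm are preserved as ACS set them.
  url.searchParams.set("wauth", wauth);
  return url.href;
}

// Build the links the page renders: ADFS providers get wauth, others are left alone.
function buildLoginLinks(feed, wauth, adfsHosts) {
  return feed.map((p) => {
    const host = new URL(p.LoginUrl).hostname;
    const href = adfsHosts.includes(host) ? addWauth(p.LoginUrl, wauth, adfsHosts) : p.LoginUrl;
    return { name: p.Name, href };
  });
}
```

The relying party still only sees the token ACS issues, so wauth here constrains how ADFS authenticates the user, not what ACS forwards.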
  • Friday, July 15, 2011 4:23 PM
    Once you have passed the WRAP to ACS, it need not contact the IP STS. It will validate the context and supply the SWT token back. Only for the passive request scenario does ACS talk to the ADFS; that too re-routing through the calling client. No security breach can happen here.
  • Friday, November 11, 2011 9:23 PM

    I assume folks mean use the ACS initiating URI (suggested by "login pages") that induces ACS to send a request to the IDP, handle the response, and send an unsolicited response bearing an assertion to the SP.

    This is fine when the SP is a WIF Webapp. I'll assume it's fine when ADFS is the relying party, too.

    Unfortunately, our SP is PingFederate (in ws-fedp mode). It doesn't support unsolicited responses over ws-fedp.

    (It always surprised me that ACS so prominently suggested the use of unsolicited flows.)

    PingFederate has a similar problem to "ACS and wauth", in that it cannot forward whr provided on its "login page" initiating URI to ACS (in order to direct which IDP to be used). I can add it to the ACS "login page" URI of course, but hit the same issue as above - the resulting unsolicited response.

    I don't think there is an answer.