SP initiated SSO Flowchart diagram

    Question

  • I need to create a flow chart diagram to give clients and colleagues a better visual understanding of what happens in the background of an SP initiated SSO connection.

    In this case I am the Idp using ADFS 2.0 and my relying party is using Ping Federate. We are using email address as a claim.

    Please could I ask you good folks to help, confirm or adjust the following process of what happens?

    1. User clicks a link provided by relying party (Ping Federate) which directs them to the relying party SSO server/webpage/ ?

    2. Relying party server/ ? sends an assertion/claim to Idp server (ADFS). (Is this a SAML token?)

    3. *This is where I really need help* ADFS contacts an Active Directory server to validate the incoming claim. It then signs the SAML token and sends it back to the relying party server. Is that right??

    4. Client is authenticated and is directed to resource.

    I know there is room for improvement in that flow so I'd be grateful for any additions, corrections or comments.

    Thank you.

    Monday, April 04, 2011 11:02 AM

Answers

  • The rough flow is like this

    1. user clicks a logon link

    2. redirect to ADFS

    3. redirect to Ping (which is a claims provider registered in ADFS)

    4. Authenticate with Ping

    5. Ping sends SAML token to ADFS

    6. ADFS validates and parses the token - and resigns it. Here the claims rules run as well

    7. SAML token goes back to RP

    8. RP validates and parses the token and turns it into an IClaimsPrincipal

    Dominick Baier | thinktecture | http://www.leastprivilege.com
    • Marked as answer by Piley Wednesday, April 27, 2011 7:49 PM
    Monday, April 04, 2011 12:13 PM
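The answer above describes a federation chain: Ping authenticates the user and issues a token for ADFS, ADFS validates that token, runs its claims rules and re-signs a new token for the relying party, and the RP validates that second token before building a principal. The following is an added example, not code from the thread or from ADFS or PingFederate, that models steps 4 to 8 of that chain so the trust boundaries are visible. It assumes HMAC-signed JSON tokens in place of X.509-signed SAML (so it runs offline), constructed signing keys, hypothetical realm URLs, and a constructed claims rule that passes the email claim through and drops everything else.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secrets: each issuer signs with its own key. ADFS and PingFederate
# sign with X.509 certificates; HMAC stands in here so the block runs offline.
SIGNING_KEYS = {
    "ping": b"constructed-ping-signing-key",
    "adfs": b"constructed-adfs-signing-key",
}
# Audience (realm) each token is issued for. Hypothetical hostnames.
ADFS_REALM = "https://adfs.example.test/adfs/services/trust"
RP_REALM = "https://rp.example.test/"
TOKEN_LIFETIME = 300  # seconds a token stays valid


def issue_token(issuer, audience, claims, now=None):
    """Issue a signed, time-limited token carrying `claims` for `audience`."""
    now = int(time.time()) if now is None else int(now)
    body = {"iss": issuer, "aud": audience, "nbf": now,
            "exp": now + TOKEN_LIFETIME, "claims": claims}
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def validate_token(token, expected_issuer, expected_audience, now=None):
    """Check signature, issuer, audience and validity window; return the claims.
    Signature is checked with the key of the issuer we EXPECT, so a token
    minted by anyone else fails before its contents are even parsed."""
    now = int(time.time()) if now is None else int(now)
    payload, _, mac = token.rpartition(".")
    expected_mac = hmac.new(SIGNING_KEYS[expected_issuer], payload.encode(),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected_mac):
        raise ValueError("signature check failed")
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["iss"] != expected_issuer:
        raise ValueError("unexpected issuer")
    if body["aud"] != expected_audience:
        raise ValueError("token was issued for a different audience")
    if not body["nbf"] <= now < body["exp"]:
        raise ValueError("token outside its validity window")
    return body["claims"]


def adfs_claims_rules(incoming):
    """Constructed claims rules (step 6): pass the email claim through, record
    which claims provider authenticated the user, and drop every other incoming
    claim so the RP only ever sees what ADFS chose to issue."""
    if "email" not in incoming:
        raise ValueError("required email claim missing")
    return {"email": incoming["email"], "authenticatingauthority": "ping"}


def adfs_federate(ping_token, now=None):
    """Steps 5-7: ADFS validates Ping's token, runs claims rules, re-signs for the RP."""
    incoming = validate_token(ping_token, "ping", ADFS_REALM, now)
    return issue_token("adfs", RP_REALM, adfs_claims_rules(incoming), now)


def rp_principal(adfs_token, now=None):
    """Step 8: the RP validates ADFS's token and builds a principal from it."""
    claims = validate_token(adfs_token, "adfs", RP_REALM, now)
    return {"identity": claims["email"], "claims": claims}


def run_flow(email, now=None):
    """Steps 4-8 end to end: Ping authenticates, ADFS federates, the RP consumes."""
    ping_token = issue_token("ping", ADFS_REALM, {"email": email, "groups": ["staff"]}, now)
    return rp_principal(adfs_federate(ping_token, now), now)


def accepts(token, expected_issuer, expected_audience, now=None):
    """True if the token validates for that issuer/audience, False otherwise."""
    try:
        validate_token(token, expected_issuer, expected_audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(run_flow("alice@example.test"))
```

The point to take from the model is that the two tokens are not interchangeable: Ping's token is addressed to ADFS and signed with Ping's key, so presenting it to the RP fails both the audience check and the signature check, and the RP never sees Ping's raw claims, only what ADFS's rules issued.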

All replies

  • Thank you Dominick, very helpful and much appreciated.

    Just to check, the link to start the SSO to our relying party looks like this:

    https://RELYING-PARTY-URL/sp/startSSO.ping?PartnerIdpId=http://OUR-ADFS-SERVER/adfs/services/trust&TargetResource=https://Relying-Party-Resource-We-Want-To-Access

    Are you saying our users first redirect to our ADFS server and then to ping? Looking at the link I'm thinking they first connect to Ping who redirects to our ADFS server?

    Sorry to be a pain, just want to be sure I understand it correctly.

    Monday, April 04, 2011 12:22 PM
  • That's possible as well - I haven't used Ping in that situation. In that case it might be different.

    The flow I am describing is used with WS-Fed and the home realm parameter.


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Monday, April 04, 2011 12:34 PM
  • Thanks again.

    We are using WS-Fed too.

    Not sure about the home realm parameter you mention.

    Monday, April 04, 2011 1:51 PM
  • Hi Piley,

    I have an issue with my platform based on ADFS and Ping federated.

    Ping federated is used as an IDP; ADFS is used as an SP.

    ADFS is also used as an IDP for the MOOS 2010 server.

    The use case of the infrastructure is SP initiated mode.

    The following flowchart shows the different steps of a simple connection:

    1. User launches the URL of the site on SharePoint Server

    2. He is redirected to the ADFS server and chooses the IDP Ping

    3. ADFS redirects him to Ping IDP (which is a claims provider registered in ADFS)

    4. Ping authenticates the user and redirects him to the ADFS server

    5. ADFS validates and parses the token - and re-signs it.

    7. User is then redirected to the site on MOOS 2010. A trust relationship is established between ADFS and MOOS 2010

    8. User can access the site.

    I have a problem at step 4. When the user is redirected to the ADFS server with the "Ping federated" SAML assertion, he is redirected directly to adfs/ls//IdpInitiatedSignOn.aspx and not to the URL of the site. On the adfs/ls//IdpInitiatedSignOn.aspx page ADFS shows me a message saying that I'm already connected and I need to choose the web site I want to access (the Relying Party Trusts).

    When I choose the MOOS 2010 site, I'm redirected to Ping, which redirects me to the same URL adfs/ls//IdpInitiatedSignOn.aspx, endlessly repeated.

    I took a look at the ADFS logs and I see no warnings or errors; also in the SharePoint 2010 logs there are no warnings or errors.

    Do you have any idea how to fix this so I can access the site?

    Thank you in advance for your help,


    Tuesday, April 05, 2011 9:54 AM
  • Interesting situation.

    Are you using SAML or WS-Federation? I'm assuming SAML as you mention the sign in page.

    I do know that passing of relay state data in IDP initiated mode using SAML does not work. But in your case you are saying it's SP initiated so it should be ok.

    What does your connection link look like?

    Something like //ADFSSERVER/adfs/ls//IdpInitiatedSignOn ? You should be able to bypass the sign in page by adding some parameters (I need to look it up again). Let me think of some other suggestions but hopefully someone else will have something more helpful to post.


    Piley

    Tuesday, April 05, 2011 10:16 AM
  • Thanks Piley,

    First, I'm using the SAML protocol. Also, my connection link as configured on Ping federated (the IDP) is https://ADFS-Server-Name/adfs/ls

    which means once the authentication on Ping IDP succeeds, Ping delivers a SAML claim to the user and then redirects him to https://ADFS-Server-Name/adfs/ls. In addition I'm in SP initiated mode, so ADFS records my target URL (a specific identifier for each user is created every time a user tries to access a resource protected by an SP server) and just waits for the user to return with a valid assertion from his IDP (Ping IDP in this case).

    What confuses me in this use case is that ADFS doesn't show any warning or error message (Note: I configured ADFS with max debug logging)


    Thanks for your help,

    Ilyass

    Tuesday, April 05, 2011 12:03 PM
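The post above describes the piece of SP-initiated SSO that makes the target URL survive the round trip: the SP records where the user was going under a per-request identifier, sends the user to the IdP, and only routes them on to the target when the returning assertion can be matched to that pending request. The following is an added example, not code from the thread or from ADFS or PingFederate, that implements that correlation on the SP side. It assumes hypothetical endpoint URLs, an in-memory pending-request table, and a constructed allow-list of target hosts; the fallback to a generic sign-on page for an unmatched response is a constructed analogy for the symptom described, not a diagnosis of the poster's configuration.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Hypothetical endpoints and hosts; none of these are taken from the thread.
ADFS_LOGIN_ENDPOINT = "https://adfs.example.test/adfs/ls"
IDP_INITIATED_PAGE = "https://adfs.example.test/adfs/ls/IdpInitiatedSignOn.aspx"
# Constructed allow-list: the only hosts this SP will send a signed-in user to.
ALLOWED_TARGET_HOSTS = {"portal.example.test", "sharepoint.example.test"}

# Pending SP-initiated requests: request id -> target resource. In a real
# deployment this lives in server-side session state or a signed cookie, so
# the target can never be supplied or altered by whoever brings the id back.
PENDING_REQUESTS = {}


def is_allowed_target(url):
    """Only https targets on hosts this SP fronts may be used as a post-login
    redirect; anything else would turn the TargetResource parameter into an
    open redirect."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_TARGET_HOSTS


def start_sso(target_resource, request_id=None):
    """SP-initiated start: remember where the user was going under an opaque,
    unguessable id, then send the user to the IdP carrying that id as the
    RelayState. `request_id` is injectable only so the behaviour is testable."""
    if not is_allowed_target(target_resource):
        raise ValueError("refusing to redirect to a target outside this SP")
    request_id = request_id or secrets.token_urlsafe(16)
    PENDING_REQUESTS[request_id] = target_resource
    return f"{ADFS_LOGIN_ENDPOINT}?{urlencode({'RelayState': request_id})}"


def start_sso_accepted(target_resource):
    """True if start_sso would accept this target, False if it refuses it."""
    try:
        start_sso(target_resource)
        return True
    except ValueError:
        return False


def complete_sso(relay_state, assertion_valid):
    """The user returns from the IdP. Match the response to a pending request;
    the id is consumed on first use so a replayed response cannot reuse it.
    A response with no pending request is unsolicited: the SP has no recorded
    target for it, so all it can do is fall back to a generic page."""
    target = PENDING_REQUESTS.pop(relay_state, None)
    if target is None:
        return {"outcome": "unsolicited", "redirect": IDP_INITIATED_PAGE}
    if not assertion_valid:
        return {"outcome": "denied", "redirect": None}
    return {"outcome": "ok", "redirect": target}


if __name__ == "__main__":
    login_url = start_sso("https://sharepoint.example.test/sites/team")
    print("send user to:", login_url)
    relay = login_url.rsplit("=", 1)[1]
    print(complete_sso(relay, assertion_valid=True))
```

Two properties are worth checking in any SP of this shape: a returning response whose identifier matches nothing pending is treated as unsolicited rather than trusted, and the recorded target is validated against an allow-list at the time it is stored, not just when it is used.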
  • Hi Piley,

    I am getting back to you regarding my last post to find out if you have any further information about the subject.

    Thanks in advance,

    Ilyass

    Tuesday, May 31, 2011 2:04 PM
  • Hi Ilyass

    Sorry for the delay in replying, I have been away.

    Unfortunately I don't have an answer for you. My only guess is that something is configured incorrectly on the ADFS server.

    I hope you can solve the problem.

    Piley


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Monday, June 06, 2011 2:06 PM