how do I induce ACS to pass on a required auth context to an ID provider (e.g. ADFS)


  • Sunday, 26 June 2011 04:55

    Normally, we invite ADFS to negotiate the user authentication mechanism by sending a request of the (wauth) form:

    https://.../adfs/ls/
    ?wa=wsignin1.0
    &wtrealm=https://.../adfs/
    &wauth=urn:oasis:names:tc:SAML:1.0:am:password\urn:ietf:rfc:2246
    &wct=2011-02-02T21:55:27Z
    &wctx=97fbd7ba-7e61-44e3-abdf-6dd428633204

    If I send a request to ACS similarly, will it pass on to the ADFS IDP (say) the wauth requirement?

All replies

  • Friday, 1 July 2011 16:21
    Owner
    Suggested answer

    The ACS team suggested that the above invite will not work as it is. In order to troubleshoot this further with you we will have to write some code and this will take time. From a support perspective this is really beyond what we can do here in the forums. If you cannot determine your answer here or on your own, consider opening a support case with us. Visit this link to see the various support options that are available to better meet your needs: https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn .


    --Trevor H.
    Send files to Hotmail.com: "MS_TREVORH"
  • Friday, 1 July 2011 18:52
    ACS will not pass wauth through to the identity provider. If your scenario requires this, you can use the ACS custom login page and manually add this parameter to your ADFS login URLs.
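    The manual step this answer describes, as an added example that is not from the thread or from ACS/ADFS documentation: a custom login page appends the wauth requirement to each ADFS login URL itself, and can read it back to confirm the browser is really sent to the IdP with that context. Host names and the wctx value are constructed.

```python
"""Add a WS-Federation wauth requirement to an ADFS sign-in URL.

Added example, not code from the thread or from ACS/ADFS. It performs the
manual step from the answer above: since ACS does not forward wauth, the
custom login page appends the parameter to each IdP login URL itself.
"""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Sample login URL in the form a custom login page receives for the ADFS
# identity provider (constructed; host names and wctx are made up).
ADFS_LOGIN_URL = (
    "https://adfs.example.test/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3A%2F%2Ftenant.accesscontrol.example.test%2F"
    "&wctx=97fbd7ba-7e61-44e3-abdf-6dd428633204"
)

# The authentication context from the question: password over TLS, two
# URIs joined by a backslash, which is what wauth carries.
REQUIRED_WAUTH = "urn:oasis:names:tc:SAML:1.0:am:password\\urn:ietf:rfc:2246"


def add_wauth(login_url: str, wauth: str) -> str:
    """Return login_url with wauth set, replacing any existing wauth value.

    The other query parameters (wa, wtrealm, wctx, ...) are kept as they
    are, and the backslash in the context value is percent-encoded.
    """
    parts = urlsplit(login_url)
    # keep_blank_values so an empty parameter such as "whr=" is not dropped
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "wauth"]
    params.append(("wauth", wauth))
    return urlunsplit(parts._replace(query=urlencode(params)))


def requested_wauth(login_url: str) -> Optional[str]:
    """Read back the wauth value a sign-in URL asks the IdP for, or None.

    The relying party never sees the IdP leg, so this is the place to
    check that the required context was actually requested.
    """
    values = dict(parse_qsl(urlsplit(login_url).query, keep_blank_values=True))
    return values.get("wauth")


if __name__ == "__main__":
    url = add_wauth(ADFS_LOGIN_URL, REQUIRED_WAUTH)
    print(url)
    print("wauth requested:", requested_wauth(url) == REQUIRED_WAUTH)
```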
  • Friday, 15 July 2011 16:23
    Once you have passed the WRAP to ACS, it need not contact the IP-STS. It will validate the context and supply the SWT token back. Only in the passive request scenario does ACS talk to the ADFS; that too by re-routing through the calling client. No security breach can happen here.
    • Edited by Seetha_ Friday, 15 July 2011 16:33 spell error
  • Friday, 11 November 2011 21:23

    I assume folks mean: use the ACS initiating URI (suggested by "login pages") that induces ACS to send a request to the IDP, handle the response, and send an unsolicited response bearing an assertion to the SP.

    This is fine when the SP is a WIF webapp. I'll assume it's fine when ADFS is the relying party, too.

    Unfortunately, our SP is PingFederate (in ws-fedp mode). It doesn't support unsolicited responses over ws-fedp.

    (It always surprised me that ACS so prominently suggested the use of unsolicited flows.)

    PingFederate has a similar problem to "ACS and wauth", in that it cannot forward whr provided on its "login page" initiating URI to ACS (in order to direct which IDP is to be used). I can add it to the ACS "login page" URI of course, but hit the same issue as above - the resulting unsolicited response.

    I don't think there is an answer.