domenica 26 giugno 2011 04:55
Normally, we invite ADFS to negotiate the user authentication mechanism by sending a request of (wauth) form:
If I send a request to ACS similarly, will it pass on the ADFS IDP (say) the wauth requirement?
Tutte le risposte
venerdì 1 luglio 2011 16:21Proprietario
The ACS team suggested that it the above invite will not work as it is. In order to troubleshoot this further with you we will have to write some code and this will take time. From a support perspective this is really beyond what we can do here in the forums. If you cannot determine your answer here or on your own, consider opening a support case with us. Visit this link to see the various support options that are available to better meet your needs: https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn .
Send files to Hotmail.com: "MS_TREVORH"
- Proposto come risposta Trevor HancockMicrosoft Employee, Owner venerdì 1 luglio 2011 16:21
venerdì 1 luglio 2011 18:52ACS will not pass wauth through to the identity provider. If your scenario requires this, you can use the ACS custom login page and manually add this parameter to your ADFS login URLs.
venerdì 15 luglio 2011 16:23Once you passed the WRAP to ACS, it need not contact the IP STS. It will validate the context and supply the SWT token back. Only for passive request scenario, ACS talks to the ADFS; that too re-routing through the calling client. No security breach can happen here.
- Modificato Seetha_ venerdì 15 luglio 2011 16:33 spell error
venerdì 11 novembre 2011 21:23
I assume folks means use the ACS initiating URI (suggested by "login pages") that induces ACS to send a request to the IDP, handle the response, and send an unsolicited response bearing an assertion to the SP.
This is fine when the SP is a WIF Webapp. Ill assume its fine when ADFS is the relying party, too.
Unfortunately, our SP is PingFederate (in ws-fedp mode). It doesnt support unsolicited responses, over ws-fedp.
(It always suprised me that ACS so prominently suggested the use of of unsolicited flows.)
pingFederate has a similar problem to "ACS and wauth", in that it cannot forward whr provided on its "login page" initiating URI to ACS (in order to direct which IDP to be used). I can add it to the ACS "login page" URI of course, but hit the same issue as above - the resulting unsolicited response.
I dont think there is an answer.