ADFS + WIF + IdP-Initiated a dealbreaker?


  • We were hoping to use ADFS with our WIF-based web application but there appears to be a serious deficiency.

    Our configuration is the highly recommended:

    IdP's <-> FP (ADFS) <-> RP

    where the RP is our application (WIF/WS-Federation) and we have many IdP's (our customers) using various SAML products.

    ADFS works marvelously in the RP-initiated Web SSO protocol.

    However, if I understand the dozen or so postings in this forum, ADFS does not work at all in this configuration with the IdP-initiated protocol.

    So, ADFS is a total non-starter for us unless we are able to insist ALL of our customers use RP-initiated.

    Is this correct?

    Bill

    Monday, November 22, 2010 11:05 PM

Answers

  • Hi Bill

    • modify IdpInitiatedSignOn.aspx to look for a RP-hint parameter
      Yes, but they may want to stuff it in the RelayState.... (talk with your IdP).
    • (and include a whr parameter).
      Indeed and don't forget to copy it from the HTTP request to the response (being the WS-fed request) going to the ADFS2 server (ADFS1 agent was automagic, WIF is programming in RedirectToIdentityProvider event).
    • turn a IdP-initiated scenario into an RP-initiated scenario
      Yes, neat trick isn't it? :-)  They (the SAML2 IdP) *have* to support it!
    • (And wouldn't work for a SAML1.1-only IdP)
      Correct, ADFS2 cannot talk with pre-SAML2 IdP. ADFS2 can only talk SAML2 protocol. But the older IdPs can sometimes talk WS-fed... Anyway, even without this, a pre-SAML2 IdP should at least consider going to SAML2.....
    • Also, I still don't know if this is an ADFS limitation, or if our WIF app will have the same limitation with ALL Federation Provider products
      Hmmmm, I was trying to dodge that one. In some environments this is a touchy topic. You insist, so you'll have to deal with any flak :-)
      WIF is WS-fed, so yes your app will always have it. But I don't consider it a limitation. Open-ID has the same (I guess all??). Many people are moving away from IdP initiated, because that scheme also has limitations/draw-backs.....

    Cheers, Paul.

    • Marked as answer by BillOverman Thursday, December 2, 2010 11:02 PM
    Thursday, December 2, 2010 8:28 PM
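The step Paul describes, copying the whr hint from the incoming HTTP request into the WS-Federation sign-in request, as an added example (not code from the thread, from Microsoft or from ADFS): a Global.asax handler for the WIF relying party that forwards the hint only when it names a claims provider the RP already knows. It assumes WIF 4.5 (System.IdentityModel.Services), that the hint reaches the RP as a whr query parameter, and that the module is registered in web.config under the name WSFederationAuthenticationModule; the realm values are constructed.

```csharp
// Global.asax.cs of the WIF relying party. Added example, not code from the thread,
// from Microsoft, or from ADFS itself. Assumes WIF 4.5 (System.IdentityModel.Services)
// and a module registered in web.config under the name WSFederationAuthenticationModule,
// which lets ASP.NET auto-wire the ModuleName_EventName handler below.
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.Web;

public class Global : HttpApplication
{
    // Constructed allow-list: the realm identifiers of the claims providers that the
    // ADFS federation provider trusts. The hint arrives from the browser, so anything
    // outside this list is dropped rather than forwarded.
    private static readonly HashSet<string> KnownHomeRealms =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "urn:customer-a:saml-idp",          // constructed example value
            "https://idp.customer-b.example/",  // constructed example value
        };

    // Returns the realm to forward, or null when the hint is absent or unknown.
    internal static string SelectHomeRealm(string hint)
    {
        if (string.IsNullOrWhiteSpace(hint)) return null;
        return KnownHomeRealms.Contains(hint) ? hint : null;
    }

    // Fired by WIF just before it redirects the browser to ADFS with a wsignin1.0 request.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // The IdP-initiated redirect (IdpInitiatedSignOn.aspx, or the RelayState it
        // carries) lands on the RP with a whr hint; here it is read from the query string.
        string realm = SelectHomeRealm(Context.Request.QueryString["whr"]);
        if (realm == null)
            return; // no usable hint: ADFS will show its home-realm discovery page instead

        // Copy the hint into the outgoing WS-Federation request as the whr parameter so
        // ADFS sends the user straight back to the SAML2 IdP that already authenticated them.
        e.SignInRequestMessage.HomeRealm = realm;
    }
}
```

Checking the hint against the configured claims providers keeps the RP from echoing an arbitrary realm string from the browser into the request it sends to ADFS.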

All replies

  • Bad news: WS-Federation does not support IDP-Init SSO.  Only SP-Init.  If you want to do IdP Init, then you have to use SAML.
    Sid Sidner, Community Evangelist, Ping Identity
    Tuesday, November 30, 2010 3:22 PM
  • So, is the problem solely with WS-Federation, or is the problem ADFS-specific?

    For example, when Ping is used in a Federation Provider role, with a different IdP and a WS-Federation SP, can the IdP initiate an SSO session to the SP without popping up a "choose SP" dialog? (for completeness, say there are two SP's).

    Wednesday, December 1, 2010 10:08 PM
  • Bill,

    I am not answering your question to Sid.

    Answer to your original question: you can make it work without questions being asked.
    Take a very good look at http://social.msdn.microsoft.com/Forums/en/Geneva/thread/af6dc3dc-d24a-48de-a83e-b173af2a7e6f Where Colin explains the way to do it.  (I had to read it several times too when I had my first encounter with this, but it does work).

    Trying to say the same as Colin, but with different words.
    WS-fed (passive) doesn't support IP initiated (period), just like some of the other protocols. SP initiated support is mandatory in SAML 2.
    The trick to make it work is: When the IdP sends a SAML token (and arrives at the ADFS server), then initiate the SP initiated process by redirecting to the SP. When it comes back at the ADFS server, then issue request to SAML2 IdP, which will have cached the credentials and reissue a token without questions. In cases with my clients they usually drop the IdP initiated because it is not very advantageous under SAML 2 (it was common under first SAML versions).

    Paul Lemmers

    Thursday, December 2, 2010 3:10 PM
  • Paul,

    I had read that thread a dozen times also. There are a number of solutions suggested there, all of which sounded quite complicated.

    It sounds like what you are saying (and what seems quite reasonable) is to modify IdpInitiatedSignOn.aspx to look for a RP-hint parameter, and if found, simply redirect to the specified RP (and include a whr parameter).

    If this works (and if I understand correctly), it would effectively turn a IdP-initiated scenario into an RP-initiated scenario (and cost one more redirect than a true RP-initiated scenario).

    Seems too easy. (And wouldn't work for a SAML1.1-only IdP?)

    Also, I still don't know if this is an ADFS limitation, or if our WIF app will have the same limitation with ALL Federation Provider products.

    Thanks,
    Bill


    Thursday, December 2, 2010 6:32 PM
  • Thanks Paul. Great discussion. I spent quite a few hours trying to get to this level of knowledge. Hope it helps someone else also.

    Bill

    Thursday, December 2, 2010 11:05 PM
  • Can you provide an example of a modified IdpInitiatedSignOn.aspx file that looks for the RP hint? I am trying to do IDP initiated sign on using Windows Server 2012 R2 & ADFS 3.0, but whenever I attempt to login from the /adfs/ls/idpiniatedsignon.htm page I never see the RelayState parameter get appended thus resulting in an authentication error. Using SP initiated login works perfectly fine every time, so I know that ADFS is able to auth my user and that communication with the relying party is good. I found the RelayState URL generator, but out of all the resources I have looked up online none of them tell me where to add this URL. Do I need to install the IIS rewrite URL module and manually rewrite it to contain the RelayState parameter?
    Saturday, January 23, 2016 9:35 PM
  • As far as I know, for AD FS 3.0, Microsoft only allows modifying the onload.js.
    Thursday, January 28, 2016 2:11 AM