Exposing federation metadata to public when enterprise AD in private network

  • Question

  • Hi,

    We are doing some Azure POCs for an enterprise. One of our requirements is to host a Web Role in Azure with SSO capabilities with the enterprise AD. As per my understanding, if we want to consume it in Azure applications, the ADFS server must be exposed to the public and the federation metadata must be accessible through the internet.

    But as per company policy, none of the servers, including AD and ADFS, will be exposed to the public. At any cost the company is not willing to expose any server to the public. So we are facing an issue finding a suitable solution for SSO.

    Please let me know how to solve this issue by implementing ADFS on an on-premise server which is not exposed to the public.

    Currently we had proposed some alternative solutions:

    1. Running Azure Connect with ADFS and the Web role. So the ADFS server is possible for a particular Web role.

    2. Created a WCF Service and exposed it using Service Bus. The public endpoint can be consumed in the Web role.

    Friday, July 22, 2011 9:30 AM

Answers

All replies

  • ADFS includes a proxy. The proxy sits in the DMZ and talks to the internal ADFS. The proxy also exposes the metadata.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Friday, July 22, 2011 10:02 AM
  • If all of your users are sitting within your internal network, neither ADFS nor AD needs to be accessible from the public (as long as both ADFS and Azure are accessible from the user's browser). The metadata can be saved locally and there doesn't have to be any direct communication between ADFS and Azure.

    Developer Security MVP | www.steveonsecurity.com
    Friday, July 22, 2011 3:42 PM
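Both replies above leave the relying party with one trust decision once the metadata is in hand (whether fetched from the DMZ proxy or saved locally): which token-signing certificate to accept. The following is an added Python example, not code from the thread or from ADFS, that reads a constructed FederationMetadata.xml shaped like the one ADFS serves, pulls out the issuer, the passive sign-in endpoint and the signing certificate's thumbprint, and checks that thumbprint against a pinned value; the hostnames and certificate bytes are made up.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsa": "http://www.w3.org/2005/08/addressing"}

# Constructed stand-in for the DER bytes of the ADFS token-signing certificate.
FAKE_SIGNING_CERT_DER = b"constructed-token-signing-certificate-der"

# Constructed minimal WS-Federation metadata, shaped like ADFS's FederationMetadata.xml; hostnames are made up.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sts.example.internal/adfs/services/trust">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{base64.b64encode(FAKE_SIGNING_CERT_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://sts.example.com/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

def parse_federation_metadata(xml_text: str) -> dict:
    """Extract what a relying party needs from a (locally saved) metadata document."""
    root = ET.fromstring(xml_text)
    sts = root.find("md:RoleDescriptor", NS)
    cert_b64 = sts.findtext("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                            "ds:X509Certificate", namespaces=NS)
    if not cert_b64:
        raise ValueError("metadata carries no signing certificate; refuse to trust it")
    cert_der = base64.b64decode("".join(cert_b64.split()))  # drop base64 line wrapping
    endpoint = sts.findtext("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", namespaces=NS)
    return {
        "issuer": root.get("entityID"),
        "passive_endpoint": endpoint,
        # SHA-1 thumbprint, the value a WIF relying party pins for its trusted issuer
        "signing_thumbprint": hashlib.sha1(cert_der).hexdigest().upper(),
    }

def issuer_is_pinned(meta: dict, pinned_thumbprints) -> bool:
    # Accept only the issuer whose signing-certificate thumbprint was pinned out of band.
    return meta["signing_thumbprint"] in {t.replace(" ", "").upper() for t in pinned_thumbprints}
```

Re-running the parser against a freshly downloaded copy and comparing the thumbprint with the pinned one is also how a relying party notices an ADFS certificate rollover before sign-ins start failing.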
  • Hi Dominick Baier,

    Thanks for your reply.

    If we are using a proxy server and it is in the DMZ, will it be possible to access the metadata from the public? Could you please guide me on where to start exploring more on this.

    It will be very useful if you can share any link or guide for the same.

    Many Thanks,

    Thirumalai M

    Friday, July 22, 2011 6:43 PM
  • Yep, the metadata can be retrieved from your public proxy.

    http://technet.microsoft.com/en-us/library/dd807130(WS.10).aspx


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Saturday, July 23, 2011 7:36 AM
  • Hi Dominick,
    Thanks for providing this useful solution. I will explore more on this from the link and come back to you.
    Many Thanks, Thirumalai M

    Sunday, July 24, 2011 8:41 AM