Another cross-domain authentication question

  • Question

  • OK,

    I have a scenario similar to:


    Domain A (External AD, external SSO requirements, external claims)

    ADFS 2 STS-A configured with Domain A and STS-B as Account Providers

    External RP's are configured to trust STS-A

    Domain B (Internal AD, internal SSO requirements, internal claims)

    ADFS 2 STS-B configured with Domain B as Account Provider and STS-B as RP.

    Internal RP's are configured to trust STS-B


    Desired Behavior:

    When a user accesses an external application, they should be redirected to the authentication screen for STS-A (external STS). Because I cannot guarantee that an internal user has previously visited an SSO-protected site, I would like the authentication screen for STS-A to attempt to automatically authenticate the user to STS-B (internal STS) using the Kerberos token from their workstation. If this authentication fails or fails to produce a token that is recognized by STS-A, then I would like to show a forms-based login to the user. This login should first attempt to authenticate to STS-A and generate a token. If this fails, it should try the same username and password against STS-B. If the authentication to STS-B succeeds, then STS-B should issue a token to the user (TokenB) which can then be presented to STS-A. I would then like STS-A to look up that user in Domain A (external AD) and generate a list of claims based on the attributes in Domain A (TokenA) and then present that token back to the external application.

    When a user accesses an internal application, they should be redirected to the authentication screen for STS-B (internal STS), which should authenticate them using the Kerberos token on their laptop. If that authentication fails, they should be prompted for credentials and authenticated against Domain B (internal domain).

    I think I know how to take the claims in TokenB, look up the user in Domain A, and generate TokenA. My questions are about chaining the authentications together automatically.

    I have read the blog post here:


    About customizing the ADFS login screen. Their scenario would allow me to try and log the user into Domain B (internal) from STS-A, but I really want that to happen automatically based on the user's kerberos token and without the user having to press the button.

    Out of the box, the users who hit STS-A will be presented with a dropdown box asking them if they want to authenticate against Domain A or Domain B. Again, I would like to eliminate that step and have their internal credentials checked automatically.

    Thoughts on how to make this work?


    Thanks in advance.




    Wednesday, June 23, 2010 5:27 PM
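One way to remove the home-realm dropdown on STS-A for the internal case is to customize the ADFS 2.0 HomeRealmDiscovery.aspx code-behind so it selects the STS-B claims provider itself whenever the request comes from an internal address; a workstation holding a Kerberos ticket is then authenticated silently at STS-B and comes back with TokenB. This is an added example, not code from the poster or from Microsoft; the base class and SelectHomeRealm() are those used by the default ADFS 2.0 page, while the claims provider identifier and the internal address ranges are placeholders you would replace with your own.

```csharp
using System;
using System.Net;

// Code-behind for a customized HomeRealmDiscovery.aspx on STS-A (ADFS 2.0).
// Base class and SelectHomeRealm() are as in the default ADFS 2.0 page; the
// identifier and address ranges below are placeholders / constructed values.
public partial class HomeRealmDiscovery : Microsoft.IdentityServer.Web.UI.HomeRealmDiscoveryPage
{
    // Identifier of the STS-B claims provider trust as configured on STS-A (placeholder).
    private const string InternalClaimsProvider = "http://sts-b.internal.example/adfs/services/trust";

    // Constructed: address ranges from which Domain B workstations reach STS-A directly.
    private static readonly string[] InternalPrefixes = { "10.0.0.0/8", "192.168.0.0/16" };

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        IPAddress client;
        if (IPAddress.TryParse(Request.UserHostAddress, out client) && IsInternalClient(client))
        {
            // Internal client: route straight to STS-B without showing the dropdown.
            // With a Kerberos TGT the user is signed in there silently and returns with TokenB.
            SelectHomeRealm(InternalClaimsProvider);
        }
        // Otherwise fall through and let the page render as shipped (Domain A login / dropdown).
    }

    // True when the IPv4 address lies inside one of the configured internal prefixes.
    internal static bool IsInternalClient(IPAddress address)
    {
        if (address.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork) return false;
        uint value = ToUInt32(address);
        foreach (string prefix in InternalPrefixes)
        {
            string[] parts = prefix.Split('/');
            uint network = ToUInt32(IPAddress.Parse(parts[0]));
            int bits = int.Parse(parts[1]);
            // C# masks uint shift counts to 5 bits, so a /0 prefix needs its own case.
            uint mask = bits == 0 ? 0u : uint.MaxValue << (32 - bits);
            if ((value & mask) == (network & mask)) return true;
        }
        return false;
    }

    private static uint ToUInt32(IPAddress address)
    {
        byte[] b = address.GetAddressBytes();
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }
}
```

Request.UserHostAddress is the immediate peer, so external users arriving through an ADFS proxy show the proxy's address; keep that address out of the internal prefixes so they still get the Domain A form. The forms-based fallback that tries the same password against STS-B is a separate customization and is not covered here.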

All replies

  • Bump.

    Any thoughts on this problem and how to make it work?





    Wednesday, July 21, 2010 3:39 PM