ACS and SAML 2.0

    Question

  • I have not found ACS forum. This forum looks like the best match.
    We have been integrated with ACS for a while in order to allow our customers to use their own provider and their login/password. We successfully use it for our ASP.NET application. In this case our application asks ACS for login (WS-Federation), ACS redirects to the customer's ADFS login page and the user gets authenticated. Now we have a new customer. The customer does not use ADFS on their site, but they use a SAML 2.0 provider. What would be the easiest way to get integrated with the customer's SAML 2.0 provider?

    Monday, March 13, 2017 2:55 PM

All replies

  • FYI: ACS is deprecated - https://azure.microsoft.com/en-us/blog/important-announcements-regarding-the-access-control-service/

    The functionality of ACS is being gradually moved into Azure Active Directory: http://blogs.technet.com/b/ad/archive/2013/06/22/azure-active-directory-is-the-future-of-acs.aspx. Azure AD supports WS-Federation as well as SAML.

    The following talks about the SAML protocol reference in Azure AD
    http://msdn.microsoft.com/en-us/library/azure/dn195591.aspx

    Tuesday, March 14, 2017 4:41 PM
    Moderator
  • I am not aware that ACS is deprecated already. I know that it will be and AAD will be a successor, but I have not found an official announcement yet.

    Would you confirm or decline following possibilities we have with current implementation and our new customer, please?

    Current state

    • Our ASP.NET application asks our ACS for authentication
    • Our ACS is configured to ask current customer ADFS
    • Customer shows ADFS login page
    • Authenticated

    Options for new customer:

    Our new customer has a SAML IdP. Options we have for this new customer:

    A.

    The same approach as with the current customer: do not host ADFS/AD for them and let ACS ask our new customer's SAML IdP directly. This, however, does not seem to be possible. We cannot find or configure such an option in the ACS configuration.

    Please confirm it is possible or not.

    B.

    Host AD for our new customer. Configure ADFS and relay to our new customer's SAML IdP. In this case we have Active Directory, our ACS connects to it via WS-Fed and our ADFS then relays all authentications to the SAML 2 provider. I am not sure if this option is feasible. Is it?

    C.

    In Azure AD case we would need to

    • host Azure AD for new customer
    • "replicate" all users from SAML provider to Azure AD
    • change our web application to use Azure AD rather than current ACS

    Correct?

    Thanks,

    Dalibor


    • Edited by zliecho Wednesday, March 15, 2017 12:28 PM
    Tuesday, March 14, 2017 4:51 PM
  • We don't have an official deprecation notice for ACS yet. However, we recommend moving to Azure AD for new development.

    For Option A, have you tried to add the new customer's ADFS as an identity provider in ACS (https://msdn.microsoft.com/en-us/library/azure/gg185961.aspx)?

    If this doesn't work, I would recommend opening a new troubleshooting case (https://azure.microsoft.com/en-us/support/plans/developer/) to work directly with the support team.

    Friday, March 24, 2017 4:25 PM