ADFS 2.0 IDP-Initiated SSO

2
votes

I am attempting to set up a test configuration for IdentityProvider-Initiated SSO using ADFS 2.0 as my RP STS and a SAML 2.0 identity provider. Here is my set up:

Identity Provider - SAML 2.0 token issuing website using the ComponentSpace SAML v2.0 .NET plugin.

RP STS - ADFS 2.0 instance with an RP trust relationship with my asp.net application.

RP Application - ASP.NET web application (WIF) with an STS reference to my ADFS 2.0 STS.

So what happens is that the user logs into the Identity Provider website and is authenticated. They are then given a link to the RP STS. This link (from what I understand) should use RelayState to tell the RP STS which application the user needs to be forwarded to. I know I need to create some kind of trust between ADFS and my IP web portal, but I don't know what that might be. My issue is I can't find any good resources for instructions on how to do this. Most of what I find assumes that ADFS is also the Identity Provider and is configured as a SAML 2.0 endpoint. Is what I'm trying to do impossible or am I just not finding the right resources?

Thanks!

2
asp.netsingle-sign-onadfs2.0saml-2.0ws-federation
You will find this SAML online help page has some information regarding Idp-intiated. ultimate saml has several examples demonstrating Idp-initiated SSO.alexey

2 Answers

1
votes

You need to set up a Claims Provider trust on ADFS pointing to your Identity Provider. On your Identity Provider, set up an RP trust back to ADFS.

Also the ASP.NET web application needs to use ADFS as it's STS.

And the claims need to be set as pass through.

Refer : ADFS 2.0 By Example - Part1: ADFS as IP-STS and R-STS

Update:

On the IP side, that's their problem. On your side, configure the trust manually.

Refer: ADFS : SAML configuration parameters.

These questions relate directly to the input parameters.

You need to export the ADFS token signing key (no need to export the private key) and send that to them. They need to send you their certificate. Once you have set up the trust manually, click on the certificate tab and import their certificate.

0
votes

few months ago i had asked this question :

  1. We have created a test site where we have used form-authentication technique to authenticate any user, It requires an authentication token to authorize any user on application.
  2. So for creating this token we have to communicate with the Identity provider (IP) to get authenticated user details.
  3. For communicating with the IP server we have used SAML protocol to send and receive requests and responses.
  4. IP already provided us their end point details and certificate which is required to send and receive the SAML Packet.
  5. We have also sent our End points, certificate and claim rules so that they can configure our test site with their ADFS server as a relying party.
  6. As the result of all this we are able to redirect an anonymous access on our site to their ADFS server in the form of a SAML request.
  7. They are also able to process it and sending us response with all details of user like name, username, email etc.
  8. We have used third party .dll to generate and process the SAML request, the name is : ComponentSpace (http://www.componentspace.com/).