
I have a set of applications that could possibly be hosted under different domains or as sub-domains of a common domain.

All of these applications will authenticate against the same ADFS service.

I want my application to automatically log in if another application has authenticated with the same ADFS service.

For example, you only need to log in to Google once, and then if you visit any of their application sites (Gmail / Google Drive / Google+), you are automatically logged into the application.

Hence, let's say we have an ADFS service ADFS_AUTH_SERVICE.

Application Website1 authenticates with ADFS_AUTH_SERVICE.

User visits Website2, which is also configured to authenticate with ADFS_AUTH_SERVICE.

Hence, when the user visits Website2 he should be automatically logged in.

UPDATE: For more clarity, the following is the sequence that is currently occurring:

1. User enters http://site1/Home

2. User is redirected to the online Microsoft ADFS authentication page.

3. User enters his details, successfully authenticates with the ADFS service and is redirected to http://site1/Home

4. User's name is visible on http://site1/Home.

5. User clicks on a link in site1 that takes him to http://site2/Home

Expected Result: User's name should be visible on site2/Home

Actual Result: User is redirected to the ADFS login page.


1 Answer


This is how ADFS works. What I believe is your issue is that you have to understand that all three applications maintain their own authentications independently:

  • WebSite1
  • WebSite2
  • ADFS

If you have already implemented a flow where WebSite1 forces users to be authenticated in ADFS, then you have the following situation:

  • WebSite1 (already authenticated)
  • WebSite2 (not yet authenticated)
  • ADFS (already authenticated)

In order to automatically authenticate users in WebSite2, you just have to force the authentication flow by requiring authorization on all possible requests, which would be

 <authorization>
     <deny users="?" />
     <allow users="*" />
 </authorization>

for WebForms or

 [Authorize]

for MVC.

This way WebSite2, which always requires authentication, will redirect to ADFS, and ADFS will automatically redirect back, since the user is already authenticated there.

Unfortunately there is no magic flow to check if the user is authenticated. All you can do is initiate the passive (browser-based) flow. Note that if the user is not authenticated in ADFS in advance, ADFS will ask the user for her credentials.
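As an added illustration of the answer above (example code, not from the answer or from Microsoft), this is what the "require authentication everywhere" setup looks like for an ASP.NET MVC site using the OWIN WS-Federation middleware. The realm and metadata URLs are hypothetical placeholders; the point is that each site is its own relying party with its own session cookie, while both share the same ADFS endpoint, so the redirect to ADFS completes silently when the browser already holds an ADFS session.

```csharp
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

namespace Site2
{
    public class Startup
    {
        // Hypothetical values: site2 is its own relying party (its own Wtrealm),
        // but it points at the same ADFS federation metadata as site1.
        private const string Realm = "https://site2.example.com/";
        private const string AdfsMetadata =
            "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml";

        public void Configuration(IAppBuilder app)
        {
            // Session cookie scoped to this site only; ADFS keeps its own
            // session cookie on the ADFS host, which is what makes SSO possible.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true
            });

            // WS-Federation passive flow: an unauthenticated request is answered with
            // a redirect to ADFS (wa=wsignin1.0). If the browser still has an ADFS
            // session, ADFS posts a token straight back without showing a login page;
            // otherwise the user is prompted for credentials, as the answer notes.
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Realm,
                MetadataAddress = AdfsMetadata
            });
        }
    }

    // Registering AuthorizeAttribute globally is the MVC equivalent of the
    // <deny users="?" /> rule: every action requires authentication, so the
    // passive flow above fires on the very first request to site2.
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new AuthorizeAttribute());
        }
    }
}
```

Site1 uses the same Startup with its own Realm; only the relying-party trust differs, not the ADFS address.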