Wednesday, December 09, 2015

ADFS : Federating two instances of ADFS

This is a common scenario: one ADFS instance acts as the claims provider (CP) and the other as the relying party (RP).

This is using ADFS 3.0.

The authentication flow is:

Application --> ADFS RP-STS --> ADFS CP --> Authenticate

The RP-STS is a pass-through in this flow: it does not authenticate the user itself but forwards the request to the CP.

The federation is done in the usual manner by importing the metadata.

For convenience, we'll use ADFSR for the RP-STS instance and ADFSC for the CP instance.

On ADFSC, ADFSR is configured as an RP.

On ADFSR, ADFSC is configured as a CP. This means that ADFSC will appear on the Home Realm Discovery (HRD) screen of ADFSR.

Looking at the ADFSC tabs as configured on ADFSR:

The Identifier is http://adfsc/adfs/services/trust

The Certificate is the ADFS Signing certificate for ADFSC

The Encryption is the ADFS Encryption certificate for ADFSC

The Endpoints are:
  • ADFSC WS-Fed Passive Endpoints
  • ADFSC SAML Artifact Resolution Endpoints
  • ADFSC SAML SSO Endpoints
  • ADFSC SAML Logout Endpoints

Looking at the ADFSR tabs as configured on ADFSC:

The Identifiers are:
  • http://adfsr/adfs/services/trust
  • http://adfsr/adfs/ls
  • Some configurations also list http://adfsr/adfs/services/trust/13 and http://adfsr/adfs/services/trust/2005

The Signature is the ADFS Signing certificate for ADFSR

The Encryption is the ADFS Encryption certificate for ADFSR

The Endpoints are:
  • ADFSR WS-Fed Passive Endpoints
  • ADFSR SAML Artifact Resolution Endpoints
  • ADFSR SAML SSO Endpoints
  • ADFSR SAML Logout Endpoints
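
As an added example (not code from the original post), the same two trusts created from metadata and then checked against the tabs listed above using the ADFS 3.0 PowerShell cmdlets. The hostnames adfsc and adfsr come from the post; the FederationMetadata path is the standard ADFS one, and Test-AdfsTrust is a helper written for this example.

```powershell
# Added example: federate ADFSC (CP) and ADFSR (RP-STS) with the ADFS cmdlets.
# Hostnames adfsc / adfsr are from the post; the metadata path is the standard ADFS one.
# Run each half on the instance named in its comment.

# --- On ADFSR: add ADFSC as a claims provider trust (it then appears on the HRD page) ---
# Monitoring + auto-update keep the trust in step with ADFSC's metadata, so a
# certificate rollover on ADFSC does not silently break token validation here.
Add-AdfsClaimsProviderTrust -Name "ADFSC" `
    -MetadataUrl "https://adfsc/FederationMetadata/2007-06/FederationMetadata.xml" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -AcceptanceTransformRules @'
@RuleName = "Pass through claims from ADFSC"
c:[]
 => issue(claim = c);
'@

# --- On ADFSC: add ADFSR as a relying party trust ---
Add-AdfsRelyingPartyTrust -Name "ADFSR" `
    -MetadataUrl "https://adfsr/FederationMetadata/2007-06/FederationMetadata.xml" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceAuthorizationRules @'
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# --- Verification helper (written for this example): does the imported trust show the
# identifier, certificates and endpoints the post lists on the trust's tabs? ---
function Test-AdfsTrust {
    param([string]$Name, [string]$ExpectedIdentifier, [switch]$ClaimsProvider)
    $t = if ($ClaimsProvider) { Get-AdfsClaimsProviderTrust -Name $Name }
         else                  { Get-AdfsRelyingPartyTrust -Name $Name }
    $ok = $t.Identifier -contains $ExpectedIdentifier
    Write-Host "$Name identifiers: $($t.Identifier -join ', ') (expected present: $ok)"
    # A CP trust exposes the partner's signing certs as TokenSigningCertificates;
    # an RP trust exposes them as RequestSigningCertificate.
    $signing = if ($ClaimsProvider) { $t.TokenSigningCertificates } else { $t.RequestSigningCertificate }
    Write-Host "$Name signing cert thumbprints: $(($signing | ForEach-Object Thumbprint) -join ', ')"
    Write-Host "$Name encryption cert thumbprint: $($t.EncryptionCertificate.Thumbprint)"
    Write-Host "$Name WS-Fed passive endpoint: $($t.WSFedEndpoint)"
    $t.SamlEndpoints | Format-Table Protocol, Binding, Location -AutoSize | Out-Host
    return $ok
}

# On ADFSR:
Test-AdfsTrust -Name "ADFSC" -ExpectedIdentifier "http://adfsc/adfs/services/trust" -ClaimsProvider
# On ADFSC:
Test-AdfsTrust -Name "ADFSR" -ExpectedIdentifier "http://adfsr/adfs/services/trust"
```

Compare the printed thumbprints with the Signing and Encryption certificates of the partner instance; a mismatch after a certificate rollover is the usual cause of a pass-through that stops working.
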

Enjoy!
