* Anwar Mahmood <[log in to unmask]> [2018-03-27 18:20]:
> AD FS offers integrated ("invisible") authentication; Shibboleth
> requires explicit authentication.
If you mean SSO from the desktop on a domain-joined machine that's
certainly possible with the Shib IDP:
https://wiki.shibboleth.net/confluence/display/IDP30/SPNEGOAuthnConfiguration
> We have lots of external service providers connected with Shibboleth.
> Can I...
> 1. Add Shibboleth as a relying party to AD FS.
> 2. Configure Shibboleth to use AD FS as an identity provider
Those both mean the exact same thing. And yes, that's possible. You'd
have to add a SAML SP (likely the Shibboleth SP) in front of the IDP
as an HTTP reverse proxy and configure the IDP to accept REMOTE_USER.
> ...so that
> • external relying party|service provider continues to send user to Shibboleth
> • Shibboleth redirects [anonymous] users to AD FS for authentication
> • AD FS authenticates (transparently on organisational devices)
> • AD FS then redirects the browser back to Shibboleth
> • Shibboleth adds any claims it needs for the external relying party
> • Shibboleth redirects the browser back to the external relying party|service provider
Yes. Note all of the above is possible -- including the "transparent
authentication on organisational devices" with just the Shibboleth
IDP.
> IdPAuthExternal - Shibboleth 2 - Shibboleth Wiki
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthExternal
Wrong documentation, IDPv2 is dead.
> I can’t write code!
Wrong documentation, that's meant for something else.
> IdPAuthRemoteUser - Shibboleth 2 - Shibboleth Wiki
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthRemoteUser
Correct (current) is
https://wiki.shibboleth.net/confluence/display/IDP30/RemoteUserAuthnConfiguration
> But the page doesn’t really provide a full solution.
It documents the pieces that relate to the Shibboleth IDP.
The rest is up to the deployer. (Short version: Put the java servlet
container running the Shibboleth IDP behind Apache httpd and connect
them with mod_proxy_ajp. Add the Shib SP and protect the path
/idp/Authn/RemoteUser on the IDP with the SP. Configure the SP as SAML
SP/RP to your MS-ADFS IDP.)
> Long term, we should move service providers directly to AD FS. And
> we will, where possible. This is an intermediate fix.
So you'll stop participating in the UKfederation and internationally
(via eduGAIN)? I wasn't aware MS-ADFS could interop (without lots of
kludges and hacks) and make scalable policy decisions (e.g. REFEDS R&S
attribute release).
-peter
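The httpd side of the layout Peter sketches (Shib SP in front of the IdP, proxied over mod_proxy_ajp, with only the RemoteUser path protected), as an added example that is not part of the thread. Hostnames, module paths and the AD FS entityID are placeholders; it assumes the SP's shibboleth2.xml already names the AD FS entityID in its SSO element.

```apache
# Added example, not from the thread. Assumes: Shibboleth SP loaded as
# mod_shib, the IdP running in a servlet container with an AJP connector
# on localhost:8009, and shibboleth2.xml pointing SSO at the AD FS
# entityID (placeholder: http://adfs.example.org/adfs/services/trust).

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_ajp_module  modules/mod_proxy_ajp.so
# Path is distribution specific; this is the RHEL/CentOS package location.
LoadModule mod_shib          /usr/lib64/shibboleth/mod_shib_24.so

<VirtualHost *:443>
    # Placeholder hostname.
    ServerName idp.example.org
    SSLEngine on
    # Certificate directives omitted.

    # The SP handler must stay reachable: AD FS posts the SAML response
    # here and the SP then sets up its session.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Protect only the RemoteUser login path. Metadata, SAML endpoints and
    # the IdP's other flows under /idp stay unauthenticated at the web
    # server so federation partners can still reach them.
    <Location /idp/Authn/RemoteUser>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        # REMOTE_USER is filled from the attribute named in the SP's
        # REMOTE_USER setting (e.g. eppn or the NameID AD FS emits).
        Require valid-user
    </Location>

    # Hand the whole IdP path to the servlet container. mod_proxy_ajp
    # forwards httpd's REMOTE_USER inside the AJP request, which the IdP's
    # RemoteUser flow reads once idp.authn.flows = RemoteUser is set in
    # idp.properties (see the IDP30 RemoteUserAuthnConfiguration page).
    ProxyPass        /idp ajp://localhost:8009/idp
    ProxyPassReverse /idp ajp://localhost:8009/idp
</VirtualHost>
```

The container must be told to trust the forwarded principal (for Tomcat, `tomcatAuthentication="false"` on the AJP connector); otherwise the IdP sees an empty REMOTE_USER and the flow fails rather than silently accepting an unauthenticated request.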