I think the discussion about ADFS in a SAML federation was more to do with using it instead of using Shibboleth. I would expect most of the issues would hang around its inability to easily consume metadata for a whole host of SPs in an automated way. We have the same beef with Azure AD as a SAML IdP too. Effectively you have to apply each SP's metadata separately to a non-gallery application. Fine for a handful of local apps (works well with, for example, our own Blackboard and SITS evision which we have authenticating there) but I wouldn't want to have to do it for a "federationfull".

Well, we didn't have to do anything to get the Shibboleth IdP to authenticate against the Azure AD IdP apart from set up Azure for a new SP. But the SP was Overt and they sort out how to bridge _their_ IdPs authentication through their SP to us.

I believe Abertay have done this themselves though. Alan (Hellier), are you listening to this conversation?

Cheers
Andy


-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Anwar Mahmood
Sent: 28 March 2018 14:54
To: [log in to unmask]
Subject: Re: Shibboleth - External Authentication to AD FS?

[apologies for multiple replies; using the web interface which doesn't show previous messages]

With regards to...

However, I think what you are looking for is probably an immediate solution utilising ADFS. Peter raised a very good point about ADFS operating in a SAML federation, and our findings about ADFS in the UK federation can be found here [3]; in short, it's not suitable and as a result we have very low numbers of ADFS entities (systems) registered in the UK federation, and one possibly or partially operating.

...yes, I saw those limitations.  I have referred my Microsoft Account Manager to that page, and asked he refer it to Microsoft's AD FS product manager.  If I hear anything, I will certainly share here!

With regards to...

 "integration with ADFS whether that's SAML or"

...yes, that's exactly what I had in mind; are there any recipes out there?  It's easy enough in AD FS; add the relying party using Shibboleth metadata.  I don't know at the Shibboleth end.  It's a little frustrating that there are two products, Shibboleth IdP and Shibboleth SP, different version tracks, but often online references don't specify which.

Kind regards,

Anwar

The University of Dundee is a registered Scottish Charity, No: SC015096
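
The thread's point about having to apply each SP's metadata separately, illustrated with an added example that is not part of the original messages: it splits a federation-style metadata aggregate into one `EntityDescriptor` per SAML2 service provider, the unit a per-application import expects. The function name and all entity IDs are constructed for illustration, and the aggregate's XML signature is assumed to have been verified before parsing.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)

# Constructed sample aggregate: two SAML2 SPs, one IdP, one SAML1-only SP.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
 <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAML2}">
   <md:AssertionConsumerService index="1" Binding="{POST}"
      Location="https://sp1.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp2.example.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAML2}">
   <md:AssertionConsumerService index="1" Binding="{POST}"
      Location="https://sp2.example.com/acs"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://legacy.example.net/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def split_service_providers(aggregate_xml):
    """Return {entityID: {"acs": [...], "xml": str}} for each SAML2 SP."""
    # Assumption: the aggregate's signature was verified before this call.
    providers = {}
    root = ET.fromstring(aggregate_xml)
    # iter() also walks nested EntitiesDescriptor groups.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        roles = [r for r in entity.findall(f"{{{MD}}}SPSSODescriptor")
                 if SAML2 in r.get("protocolSupportEnumeration", "").split()]
        if not roles:
            continue  # IdP-only or non-SAML2 entity: nothing to register
        acs = [a.get("Location") for r in roles
               for a in r.findall(f"{{{MD}}}AssertionConsumerService")
               if a.get("Binding") == POST]
        providers[entity.get("entityID")] = {
            "acs": acs,  # HTTP-POST endpoints that will receive assertions
            "xml": ET.tostring(entity, encoding="unicode").strip(),
        }
    return providers
```

Each `xml` value is a stand-alone document that can be written to its own file; the `acs` list gives the endpoints to review before an SP is registered.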