Hello Anwar,

This is Jon Agland from the UK federation team at Jisc.

I note that you have raised a ticket with us (via [log in to unmask]), and I will send a brief reply to you from that.  However, I'm going to respond on the list in the hope that it will be beneficial to others.
Hopefully the replies from Peter, Andy, and Rod will have helped you a great deal.  Much of what you require is outside the scope of what we can support on the UK federation service desk.

You may find that you can get further help on this list, or on the Shibboleth users list, which is now a community list [1].

You may get more support from the Shibboleth team/developers by joining the Shibboleth Consortium [2]; Jisc itself is a member, but end organisations would need to become members in their own right to get support from the team.

However, I think what you are looking for is probably an immediate solution utilising ADFS.   Peter raised a very good point about ADFS operating in a SAML federation, and our findings about ADFS in the UK federation can be found here [3]. In short, it's not suitable, and as a result we have very low numbers of ADFS entities (systems) registered in the UK federation, and one possibly or partially operating.

So the answer is to keep a SAML IdP registered in the UK federation running Shibboleth or OpenAthens, and then to integrate that either directly with Active Directory using SPNEGO, or via an integration with ADFS, whether that's SAML or whether that's putting it behind an SP and using REMOTE_USER.  If you go the route of putting it behind an SP, I suspect you need a separate webserver, e.g. Apache, in front of your Java servlet container, e.g. Tomcat (I'm not sure if it works with Jetty as the container or not?).

My thoughts are that, assuming you would be setting up in a development/testing environment first, you get an SP set up, exchange metadata with ADFS and authenticate using it, then separately get the IdP working (potentially on the same host).  Once you're happy that the IdP is working, then you look at integrating the two, i.e. using REMOTE_USER.  I note that you only have one IdP registered in the UK federation, so you may want to register [4] another "hidden/testing" one when you get to that stage...

There are a few third parties that offer these sorts of services built into an IdP that can operate in the - Overt Software offer a Shibboleth ADFS Bridge, which Andy has already mentioned [5], or Eduserv/OpenAthens offer an ADFS Connector [6].

We can see that quite a few organisations are taking both of these services, or have done the integration themselves, but all we see in terms of the UK federation is the respective Shibboleth or OpenAthens Identity Providers, and not ADFS.

I hope this is useful to you.

Kind regards,

Jon

[1] https://www.shibboleth.net/community/lists/
[2] https://www.shibboleth.net/consortium/
[3] https://www.ukfederation.org.uk/content/Documents/ADFS
[4] https://www.ukfederation.org.uk/content/Documents/Registration
[5] https://www.overtsoftware.com/adfs-shibboleth-bridge/
[6] https://openathens.org/for-it-teams/our-software/

Jon Agland
Principal UK federation technical support specialist
Jisc
T 02038198207
M 07443984222
Skype jon_agland
Twitter @jon_agland
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk
ukfederation.org.uk
 
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.
 
Jisc Services Limited is a wholly owned Jisc subsidiary and a company
limited by guarantee which is registered in England under company
number 2881024, VAT number GB 197 0632 86. The registered office is:
One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
 

On Tue, 2018-03-27 at 17:07 +0100, Anwar Mahmood wrote:
Hello,

I work in the IT service delivery team at University of Central Lancashire.

We have…
• AD FS
• Shibboleth

AD FS offers integrated ("invisible") authentication; Shibboleth requires explicit authentication.

We have lots of external service providers connected with Shibboleth.
Can I...
1. Add Shibboleth as a relying party to AD FS.
2. Configure Shibboleth to use AD FS as an identity provider

...so that
• external relying party|service provider continues to send user to Shibboleth
• Shibboleth redirects [anonymous] users to AD FS for authentication
• AD FS authenticates (transparently on organisational devices)
• AD FS then redirects the browser back to Shibboleth
• Shibboleth adds any claims it needs for the external relying party
• Shibboleth redirects the browser back to the external relying party|service provider

Shibboleth IdP supports an external authentication mechanism, described at…

IdPAuthExternal - Shibboleth 2 - Shibboleth Wiki
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthExternal

However, it cautions:

"This login handler requires additional code to be written in order to trigger the external authentication system. If you're simply looking to authenticate based on the presence of the REMOTE_USER header use the Remote User login handler."

I can’t write code!

Another option is…

IdPAuthRemoteUser - Shibboleth 2 - Shibboleth Wiki
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthRemoteUser

But the page doesn’t really provide a full solution.

Long term, we should move service providers directly to AD FS.  And we will, where possible.  This is an intermediate fix.

Any ideas…?

Kind regards,

Anwar
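The "SP in front of the IdP, using REMOTE_USER" arrangement that Jon sketches above, written out as an added example. This is not configuration from Jon, Jisc, the Shibboleth project or the products linked in the thread; it is a constructed httpd fragment that assumes a Shibboleth SP (mod_shib) installed on the IdP host and registered with ADFS as a relying party, and the IdP running in Tomcat with an AJP connector on 127.0.0.1:8009. The hostname, certificate paths and port are placeholders.

```apache
# Constructed example: Apache httpd in front of the Shibboleth IdP's
# servlet container, with the Shibboleth SP protecting only the IdP's
# RemoteUser login path. Hostnames, paths and ports are assumptions.

<VirtualHost *:443>
    ServerName idp.example.ac.uk
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/idp.example.ac.uk.crt
    SSLCertificateKeyFile /etc/ssl/private/idp.example.ac.uk.key

    # The SP's own handler URL must stay reachable without a session,
    # otherwise the SAML response coming back from ADFS cannot be consumed.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Only the RemoteUser login flow sits behind the SP. The rest of /idp
    # (/idp/profile/..., /idp/shibboleth metadata, /idp/status) must NOT
    # require an SP session, or federated SPs can no longer reach the IdP.
    <Location /idp/Authn/RemoteUser>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        # Keep attributes in environment variables rather than HTTP
        # headers; with headers on, a client could try to inject its own.
        ShibUseHeaders Off
        Require valid-user
    </Location>

    # Hand the whole /idp context to Tomcat over AJP on loopback. AJP
    # carries the authenticated user (REMOTE_USER) as a protocol attribute,
    # which a plain mod_proxy_http connection does not.
    ProxyPass        /idp ajp://127.0.0.1:8009/idp
    ProxyPassReverse /idp ajp://127.0.0.1:8009/idp
</VirtualHost>
```

Three settings outside this file complete the chain, all again assumptions about the deployment rather than anything stated in the thread: Tomcat's AJP connector needs `tomcatAuthentication="false"` (and `address="127.0.0.1"`, so nothing off-host can present a forged remote user) for `getRemoteUser()` to return what Apache sends; in the SP's shibboleth2.xml, `REMOTE_USER="upn"` on `<ApplicationDefaults>` tells mod_shib which released attribute becomes the user name, with `upn` mapped in attribute-map.xml from the ADFS claim `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`; and in the IdP's idp.properties (IdP v3), `idp.authn.flows = RemoteUser` enables the flow. A useful check before switching the IdP over is to protect a throwaway static page with the same `<Location>` block and confirm REMOTE_USER is populated from the SP session after the ADFS round trip; if it is empty there, the claim rule or the attribute map is wrong, not the IdP.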