On 29/03/18 09:52, Duncan Sinclair wrote:
> Andy, I don't think Alan reads this mailing list, but I do.
>
> We have integrated ADFS with the Shibboleth IdP, pretty much in the way that several people have discussed on the list already.
>
> Basic details:
>
> * Shibboleth is set up using Tomcat.
> * Apache is installed with Shibboleth SP.
> * Apache proxies /idp to Shibboleth IdP via ajp.
> * ADFS and the Shibboleth SP are set up with each other's metadata (there's a Python script out there called adfs2fed which makes this easier.)
> * Apache is configured to require Shibboleth authentication at /idp/Authn/RemoteUser.
> * Shibboleth IdP is configured to use REMOTE_USER for authentication.
> * Shibboleth IdP continues to use LDAP to fetch attributes in the normal manner.
>
> There's a few fiddly bits, but it works.
>
> Some things we haven't got working:
>
> * Logout is broken.
> * Forced authentication is broken.
The trick to getting forced authentication to work is to duplicate the
RemoteUser flows in the IdP and assign a new path to the forced
authentication flow. You can then get the SP to request forcedAuthn for
just that new path.
I had to do something similar for our SSO stack, and it's working
reasonably well.
--
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
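As an added illustration (not configuration from the post or from either university's deployment), the Apache side of the split Robert describes: one protected path for normal RemoteUser login and a second one on which the SP always requests forced authentication, proxied to the IdP over AJP. The hostname, the `/idp/Authn/RemoteUserForced` path and the Tomcat connector settings are assumptions; the IdP must expose its duplicated RemoteUser flow at that second path.

```apache
# Added example, not the poster's configuration. Hostnames and the
# /idp/Authn/RemoteUserForced path are assumed; the IdP side must have a
# copy of the RemoteUser flow whose external authentication path is that
# location, so only forced-authentication requests are routed there.

<VirtualHost *:443>
    # assumed hostname
    ServerName idp.example.org
    SSLEngine on
    # certificate directives omitted

    # Normal login: the SP only requires that a session exists, so an
    # existing ADFS session is silently reused.
    <Location /idp/Authn/RemoteUser>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>

    # Forced login: the SP sets ForceAuthn on the request to ADFS, so the
    # user is re-challenged even when an SP/ADFS session already exists.
    # Only requests the IdP's duplicated flow sends here pay that cost.
    <Location /idp/Authn/RemoteUserForced>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting forceAuthn 1
        Require shib-session
    </Location>

    # AJP rather than HTTP proxying, so REMOTE_USER (set by mod_shib from the
    # attribute listed in the REMOTE_USER= setting of shibboleth2.xml) reaches
    # Tomcat as a request attribute rather than as a header a client could
    # supply itself.
    ProxyPass        /idp ajp://localhost:8009/idp
    ProxyPassReverse /idp ajp://localhost:8009/idp
</VirtualHost>

# Tomcat's AJP connector (conf/server.xml) must accept the identity Apache
# supplies, otherwise the IdP sees an empty REMOTE_USER:
#   <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" />
```

Keep the AJP port bound to localhost only: anything that can reach the connector directly can assert an arbitrary REMOTE_USER to the IdP.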