I think the discussion about ADFS in a SAML federation was more to do with using it instead of using Shibboleth. I would expect most of the issues would hang around its inability to easily consume metadata for a whole host of SPs in an automated way. We have the same beef with Azure AD as a SAML IdP too. Effectively you have to apply each SP's metadata separately to a non-gallery application. Fine for a handful of local apps (works well with, for example, our own Blackboard and SITS evision which we have authenticating there) but I wouldn't want to have to do it for a "federationfull".
Well, we didn't have to do anything to get the Shibboleth IdP to authenticate against the Azure AD IdP apart from setting up Azure for a new SP. But the SP was Overt and they sorted out how to bridge _their_ IdP's authentication through their SP to us.
I believe Abertay have done this themselves though, Alan (Hellier) are you listening to this conversation?
Cheers
Andy
-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Anwar Mahmood
Sent: 28 March 2018 14:54
To: [log in to unmask]
Subject: Re: Shibboleth - External Authentication to AD FS?
[apologies for multiple replies; using the web interface which doesn't show previous messages]
With regards to...
However, I think what you are looking for is probably an immediate solution utilising ADFS. Peter raised a very good point about ADFS operating in a SAML federation, and our findings about ADFS in the UK federation can be found here [3]; in short, it's not suitable and as a result we have very low numbers of ADFS entities (systems) registered in the UK federation, and one possibly or partially operating.
...yes, I saw those limitations. I have referred my Microsoft Account Manager to that page, and asked that he refer it to Microsoft's AD FS product manager. If I hear anything, I will certainly share here!
With regards to...
"integration with ADFS whether that's SAML or"
...yes, that's exactly what I had in mind; are there any recipes out there? It's easy enough in AD FS; add the relying party using Shibboleth metadata. I don't know at the Shibboleth end. It's a little frustrating that there are two products, Shibboleth IdP and Shibboleth SP, different version tracks, but often online references don't specify which.
Kind regards,
Anwar
The University of Dundee is a registered Scottish Charity, No: SC015096
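A practical illustration of the per-SP metadata point raised in both messages (an IdP that has to be fed one SP's metadata at a time rather than a federation aggregate), added here as an example and not code from either poster: it splits a constructed federation aggregate into standalone SP entity records, with the checks an IdP administrator would want before registering each as a relying party. The entity IDs, URLs and certificate value are placeholders.

```python
# Added example (not code from the list thread): split a SAML federation
# metadata aggregate into per-SP records, the pre-processing needed when an
# IdP loads one SP's metadata at a time. Aggregate below is constructed.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

SAMPLE_AGGREGATE = """<md:EntitiesDescriptor Name="urn:example:federation"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:EntityDescriptor entityID="https://sp1.example.ac.uk/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp1.example.ac.uk/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp2.example.ac.uk/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://sp2.example.ac.uk/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def split_sp_entities(xml_text):
    """One record per SP: entityID, ACS URLs, sanity checks, standalone XML."""
    root = ET.fromstring(xml_text)
    records = []
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        sp = ent.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue  # IdP-only entities are not relying parties
        acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)]
        records.append({
            "entityID": ent.get("entityID"),
            "acs": acs,
            # A plain-http ACS would carry assertions in clear; flag it.
            "all_https": all(u.startswith("https://") for u in acs),
            # Without a signing cert the IdP cannot verify signed AuthnRequests.
            "has_signing_cert": sp.find("md:KeyDescriptor[@use='signing']", NS) is not None,
            # Standalone EntityDescriptor document for one-SP-at-a-time import.
            "xml": ET.tostring(ent, encoding="unicode"),
        })
    return records
```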