Hello Anwar,
On Wed, 2018-03-28 at 14:53 +0100, Anwar Mahmood wrote:
> [apologies for multiple replies; using the web interface which
> doesn't show previous messages]
>
> With regards to...
>
> However, I think what you are looking for is probably an immediate
> solution utilising ADFS. Peter raised a very good point about ADFS
> operating in a SAML federation, and our findings about ADFS in the UK
> federation can be found here [3], in short it's not suitable and as a
> result we have very low numbers of ADFS entities (systems) registered
> in the UK federation, and one possibly or partially operating.
>
> ...yes, I saw those limitations. I have referred my Microsoft
> Account Manager to that page, and asked he refer it to Microsoft's AD
> FS product manager. If I hear anything, I will certainly share here!

Thanks for that, it's certainly good for you as users of Microsoft to
go back and report issues to them with their products.

>
> With regards to...
>
> "integration with ADFS whether that's SAML or"
>
> ...yes, that's exactly what I had in mind; are there any recipes out
> there? It's easy enough in AD FS; add the relying party using
> Shibboleth metadata. I don't know at the Shibboleth end. It's a
> little frustrating that there are two products, Shibboleth IdP and
> Shibboleth SP, different version tracks, but often online references
> don't specify which.

Usually pretty clear on the Shibboleth Wiki e.g. SHIB2 in the URL
relates to SP. You are not concerning yourself with the Shibboleth IdP
at this stage...

On the SP you need a <MetadataProvider in shibboleth2.xml to consume
your ADFS metadata. You use a URL or local file; there are gotchas with
both of those routes.
https://wiki.shibboleth.net/confluence/display/SHIB2/DSAddMetadata

Set up the <SSO element to use the entityID of your ADFS IdP
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO

Now I'm rapidly approaching the point where I will be out of clues, but
I hope that helps.

Cheers,
Jon
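
The two shibboleth2.xml settings described in the message above, as an added example that is not part of the original message and is not the Shibboleth project's own configuration. The host adfs.example.org, the file names and the reload interval are placeholder assumptions; attribute names follow the SP 2.x (SHIB2) documentation linked in the message.

```xml
<!-- Added example: fragments for shibboleth2.xml on the Shibboleth SP.
     adfs.example.org and all file names are placeholders. -->

<!-- Inside <Sessions>: send logins to the ADFS IdP by its entityID.
     Copy the entityID attribute exactly from the ADFS metadata document;
     the value shown is only the usual ADFS pattern. -->
<SSO entityID="http://adfs.example.org/adfs/services/trust">
  SAML2
</SSO>

<!-- Inside <ApplicationDefaults>, route 1: load the metadata by URL.
     backingFilePath keeps a local copy for when a refresh fails.
     The Signature filter rejects metadata that is not signed by the
     pinned certificate, so a tampered or substituted document is not
     trusted. Obtain that certificate out of band from the ADFS admins. -->
<MetadataProvider type="XML"
                  uri="https://adfs.example.org/FederationMetadata/2007-06/FederationMetadata.xml"
                  backingFilePath="adfs-metadata.xml"
                  reloadInterval="7200">
  <MetadataFilter type="Signature" certificate="adfs-metadata-signer.pem"/>
</MetadataProvider>

<!-- Route 2 (instead of route 1): a local copy of the metadata.
     The SP trusts whatever this file contains, so transfer it over a
     trusted channel, restrict write access to it, and replace it when
     the ADFS signing certificates change. -->
<MetadataProvider type="XML" file="adfs-metadata.xml"/>
```

Use one MetadataProvider route, not both, for the same IdP.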