The authorization flow I'm trying to determine the possibility of is:
- User goes to https://app.example.com/
  - app.example.com does not have a session for the user so it sends them to https://adfs.example.com
    - adfs.example.com does not have a session for the user
      - user does not have a session
        - adfs.example.com acts as a SP and asks https://notadfsidp.example.com for authentication
          - user has a session with notadfsidp so they are sent back to adfs as authenticated and in turn to app as authenticated
      - user has a session
        - user is redirected back to https://app.example.com as authenticated
  - user is redirected back to
  - user does not have a session
Situation:
I have a "portal" that uses CAS to authenticate users. Due to circumstances beyond my control, the CAS server captures the user's credentials on login so that they can be used for SSO to various services (this is the wrench in the works). One, or more, of the services they can SSO to are backed by a local ADFS instance. Thus, the ideal situation is that when they go to one of those services the ADFS server can learn from the CAS server that they are logged in and the portal would not have to use their stored credentials to authenticate them with ADFS.
If the flow described above is not possible, is it possible to send the ADFS server some message that tells it the user authenticated elsewhere and they should get a session with the ADFS server?
Note: my knowledge of SAML is very limited and I have zero knowledge of administering an ADFS server (that's a coworker).
Edit #1: I need the authentication to be transparent. In other words, after the user has authenticated at notadfsidp, any visit to adfs from app would not require the user to do anything.
The way this works in practice is via Home Realm Discovery.
https://notadfsidp.example.com is configured as a claims provider on https://adfs.example.com.
When a user navigates to https://app.example.com/ they are redirected to https://adfs.example.com. They then see the HRD screen where they choose https://notadfsidp.example.com as the IDP. They authenticate there.
Because the app trusts adfs.example.com and that trusts notadfsidp.example.com, the user is now authenticated.
Firstly, https://notadfsidp.example.com should also be an ADFS server, and in your scenario it actually acts as an IDP.
ADFS server https://adfs.example.com will not automatically ask the other ADFS server for authentication. Users should manually choose the IDP (or Claims Provider, as it is called in the ADFS world) via the Home Realm Discovery feature like below.
After the authentication completes, the user token will be cached in the browser cookies and ADFS so that the user will get SSO ability when he/she accesses the app again.
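Both answers above describe registering notadfsidp.example.com as a claims provider on adfs.example.com and letting Home Realm Discovery route the user there. The following is an added editor's example (not code from either answer) of that setup with the ADFS PowerShell module, run on adfs.example.com; it also goes one step further than the answers by pinning the relying party to that single claims provider, which makes ADFS skip the HRD page and gives the transparent flow the question asks for. Trust display names, the metadata URL and the assumption of ADFS on Windows Server 2012 R2 or later are mine.

```powershell
# Added example, not from the original answers. Names and URLs are assumed.
Import-Module ADFS

# 1. Register the external IdP as a claims provider trust on adfs.example.com.
#    Pulling federation metadata avoids hand-typing the signing certificate and
#    endpoints; monitoring keeps them current across certificate rollover.
Add-AdfsClaimsProviderTrust `
    -Name "notadfsidp.example.com" `
    -MetadataUrl "https://notadfsidp.example.com/FederationMetadata/2007-06/FederationMetadata.xml" `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true

# 2. Acceptance transform rules: pass through only the claims adfs.example.com
#    should accept from that IdP, rather than everything it happens to issue.
$acceptanceRules = @'
@RuleName = "Pass through name from notadfsidp"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);

@RuleName = "Pass through UPN from notadfsidp"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName "notadfsidp.example.com" `
    -AcceptanceTransformRules $acceptanceRules

# 3. Pin the relying party trust for app.example.com to exactly one claims
#    provider. With a single entry ADFS bypasses the Home Realm Discovery page
#    for this RP and redirects straight to notadfsidp; the user still signs in
#    there only if no session exists at that IdP.
Set-AdfsRelyingPartyTrust `
    -TargetName "app.example.com" `
    -ClaimsProviderName @("notadfsidp.example.com")

# 4. Check what was configured.
Get-AdfsClaimsProviderTrust -Name "notadfsidp.example.com" |
    Select-Object Name, Enabled, MetadataUrl
(Get-AdfsRelyingPartyTrust -Name "app.example.com").ClaimsProviderName
```

Other relying parties on the same ADFS farm are unaffected: they keep showing the HRD page unless they are pinned the same way.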