Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

How does the adfs agent know where the logon page is located?

Last post 05-19-2009, 9:51 AM by joe. 7 replies.
  •  05-17-2009, 1:44 PM 6466

    How does the adfs agent know where the logon page is located?

    Hi,

    I'm wondering, how does a claims-aware adfs agent know where the logon page is located? In the web.config the location of the federation service is configured (asmx). This is the location of the adfs server. But when the logon page is stored on an adfs proxy the agent will redirect the user to the logon page of the proxy, not to the adfs server. How does the agent know where the proxy is located?

    Thanks,

    René 

  •  05-18-2009, 8:43 AM 6467 in reply to 6466

    Re: How does the adfs agent know where the logon page is located?

    It calls a method on the web service that provides this configuration data to it. That is also how it determines what the token signing certificates are, so that it knows whether it should accept a signed SAML token provided by the user or not.

    In Geneva, it is different.  The configuration is provided locally when the app is set up so the app is then more "stand alone" than an ADFS app.

  •  05-18-2009, 9:12 AM 6468 in reply to 6467

    Re: How does the adfs agent know where the logon page is located?

    Is it possible that there is more than one proxy? I thought it was. I think you can set up a proxy for intranet users and one for extranet users, for example. If so, how does the agent know which one to use?

    Thanks,

    René

  •  05-18-2009, 12:00 PM 6469 in reply to 6468

    Re: How does the adfs agent know where the logon page is located?

    The agent cannot use the proxy because the proxy does not have the federationserverservice.asmx endpoint on it. This (and forms auth) are the primary differences between the FS and the FS-P.

    The proxy is used only by the web browser when the user is redirected to log in, so it is basically driven by DNS and how IP addresses are resolved. If the browser is redirected to https://fed.domain.com/adfs/ls/ and the host name fed.domain.com resolves to the IP address of a proxy, then the proxy will be used.

    If the agent resolves the endpoint for the FS service to the proxy and not to the actual FS, it will just fail since the request to the web service will get a 404.

  •  05-18-2009, 12:31 PM 6471 in reply to 6469

    Re: How does the adfs agent know where the logon page is located?

    I'm sorry it's still not clear to me.

    Two more questions: 

    1. So it's not possible to have multiple proxies and configure that application A uses proxy 1 and application B proxy 2?

    2. You stated the following: "If the browser is redirected https://fed.domain.com/adfs/ls/ and the host name fed.domain.com resolves to the IP address of a proxy, then the proxy will be used." How can I configure this? In my current setup I use forms authentication using the adfs server (by copying the forms authentication clientlogon.aspx to adfs/ls on the adfs server). Now the browser is redirected to this url. Let's say I want to change this tomorrow and use a proxy. The clientlogon.aspx on the adfs server will not be used then, I assume. The clientlogon.aspx of the proxy should be used instead. But how does adfs know about this change? Will this take place when I set up a proxy? Will the proxy tell adfs to redirect browsers to this proxy instead of adfs?

    Thanks,

    René

  •  05-18-2009, 3:56 PM 6475 in reply to 6471

    Re: How does the adfs agent know where the logon page is located?

    You can't configure this in ADFS, you can only configure this in your DNS system. As such, your options may be limited.

    For question 1, this isn't possible per se with the same FS infrastructure, as the FS endpoint used is a matter of the client and what its DNS server tells it, not what the app does. If app A and B both use the same FS, which has an endpoint host name of fed.domain.com, and if client A resolves fed.domain.com to a proxy, then it will use the same proxy for both apps.

    The whole point of the proxy is for it to be able to "stand in" for the FS for the browser client, so that you can deploy the proxy on the public internet and not be concerned about having the FS federation server service exposed publicly. It also allows you to have "IWA" auth inside the firewall against the regular FS and forms auth outside the firewall on the public internet.

    Maybe your concept of what the proxy is supposed to be is different from intended and therefore you are confused.  Perhaps you could explain what it is you are trying to do instead.

  •  05-19-2009, 3:20 AM 6480 in reply to 6475

    Re: How does the adfs agent know where the logon page is located?

    Thanks Joe.

    It's hard for me to understand, probably because I'm a developer and not an infrastructure specialist.

    I think I do understand it now. The following link also helped me:

    http://technet.microsoft.com/en-us/library/cc728467(WS.10).aspx

    In my own words: when a browser requests an adfs enabled website, the browser is redirected to a logon page; this is a url (which includes a dns name). Ok, that's clear.

    When I connect to an adfs enabled website in the intranet I will get a link to the logon page on the adfs server. When I connect to an adfs enabled website for the same organisation from the internet I will get the same link to the logon page but this time the DNS name could be resolved to another server, for example a proxy server.

    Not sure if this makes it more clear to anybody, for me it does at least ;-)

    Regards,

    René

  •  05-19-2009, 9:51 AM 6483 in reply to 6480

    Re: How does the adfs agent know where the logon page is located?

    Yes, you understand it, at least as far as the intended deployment approach for the proxy component. It all depends very much on having two different DNS servers, one for the internal network and one for the external network, that have different entries for the same host name for the federation server.

    It can be a little hard to understand, but the important thing is that it is all based on the DNS system.
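The split-horizon DNS behaviour the thread settles on, as an added model that is not code from this forum or from ADFS: one redirect host name, two DNS views, and the consequence that the browser lands on the FS-P externally while an agent that resolves the FS host name to the proxy gets a 404 from the web service. Host names, addresses and the web-service path are constructed assumptions.

```python
"""Model of the split-DNS ADFS deployment discussed in this thread (added example,
not code from the forum or from ADFS). Host names, addresses and the
federation-server web-service path are constructed placeholders."""
from urllib.parse import urlsplit

# Constructed split-horizon DNS views: one host name, two different answers.
DNS_VIEWS = {
    "internal": {"fed.domain.com": "10.0.0.5"},      # resolves to the FS
    "external": {"fed.domain.com": "203.0.113.7"},   # resolves to the FS-P
}

# Which paths each server role actually hosts (assumption, per the thread: the
# proxy serves the logon pages only; the web service exists only on the FS).
SERVERS = {
    "10.0.0.5":    {"role": "FS",
                    "paths": {"/adfs/ls/", "/adfs/fs/federationserverservice.asmx"}},
    "203.0.113.7": {"role": "FS-P",
                    "paths": {"/adfs/ls/"}},
}

LOGON_URL = "https://fed.domain.com/adfs/ls/"
FS_SERVICE_URL = "https://fed.domain.com/adfs/fs/federationserverservice.asmx"

def resolve(view, url):
    """Return (ip, role) that a client in the given DNS view reaches for url."""
    host = urlsplit(url).hostname
    ip = DNS_VIEWS[view][host]
    return ip, SERVERS[ip]["role"]

def request(view, url):
    """Simulated HTTP request: 200 if the resolved server hosts the path, else 404."""
    ip, role = resolve(view, url)
    status = 200 if urlsplit(url).path in SERVERS[ip]["paths"] else 404
    return {"ip": ip, "role": role, "status": status}

def browser_logon(view):
    """The browser follows the agent's redirect; the same URL lands on FS or FS-P by view."""
    return request(view, LOGON_URL)

def agent_config_fetch(view):
    """The agent pulls its configuration (logon URL, signing certs) from the FS web
    service. If its DNS resolves the host name to the proxy, the call fails with 404."""
    return request(view, FS_SERVICE_URL)

if __name__ == "__main__":
    for view in DNS_VIEWS:
        print(view, "browser:", browser_logon(view), "agent:", agent_config_fetch(view))
```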
