Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

ADFS interoperability

Last post 03-26-2008, 9:22 AM by abourdag. 6 replies.
  •  03-25-2008, 10:25 AM 2903

    ADFS interoperability

    Hi,

    We have successfully installed and configured ADFS (token app) to access our web application.  The problem is that one of our partners doesn't want to implement ADFS on their side.

    Is there a white paper available on how to implement/configure/generate the SAML 1.1 token, etc., in a way that is compatible with ADFS?

    The objective is to provide them with the requirements of ADFS, so they can come up with their own solution.

    Thanks

  •  03-25-2008, 11:01 AM 2904 in reply to 2903

    Re: ADFS interoperability

    ADFS does not require ADFS on the other side, it just requires something that implements the WS-Federation Passive Requester Profile (or "Fed-Passive" as it is often called).  There are many different products and open source solutions out there that also support Fed-Passive. 

    MS has a few interop guides for some of the different products out there.  I'm not sure if there is a comprehensive list of available options or not. 

    Do you have any idea what your partner would want to implement given a choice?  I recommend staying away from having them code a custom solution to implement the protocol from scratch.

  •  03-25-2008, 12:03 PM 2907 in reply to 2904

    Re: ADFS interoperability

    No, I don't know what they want to implement.  I'll check over the internet for WS-Federation Passive Requester Profile or "Fed-Passive" for further info.

    Thanks

  •  03-25-2008, 12:20 PM 2909 in reply to 2907

    Re: ADFS interoperability

    From a product perspective, there are offerings from Oracle, IBM, RSA, Ping Identity, Symlabs, Sun and CA that support Fed-Passive that I can think of off the top of my head.  From the open source perspective, Shibboleth and Sun's OpenSSO are both good options out there.

    If your partner is not a Microsoft shop, then one of the other offerings may be a better fit for them.  If they ARE a Microsoft shop, then ADFS is very hard to beat on cost and ease of use and deployment.

    One other thing to keep in mind while you are pondering this is that in federated scenarios with external partners and token-based applications, you'll need to come up with some sort of account mapping strategy (either shadow accounts or shadow groups).  This can complicate your usage model considerably.  It is generally best to use claims-aware applications in this use case if there is a way you can make that happen.
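
    The exchange the two replies above describe (a partner that speaks the WS-Federation Passive Requester Profile sends ADFS a SAML 1.1 token, and a claims-aware application consumes the claims instead of mapping to a shadow account) as an added, self-contained example.  This is not code from the thread or from ADFS; the STS URL, realm URIs, user name and group values are constructed for illustration, and the XML-DSig signature check that a real relying party must perform is deliberately left out because the Python standard library has no XML-DSig support.

```python
"""Constructed walk-through of the Fed-Passive sign-in exchange and of the
checks a claims-aware relying party (RP) makes on the SAML 1.1 token it
receives.  Standard library only; the XML-DSig signature is NOT verified."""
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces fixed by WS-Trust 2005/02 and SAML 1.1 (which reuses the 1.0 URI).
TRUST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"t": TRUST_NS, "saml": SAML1_NS}


def _parse_time(value):
    """SAML 1.1 timestamps are UTC ISO 8601; tolerate fractional seconds."""
    if isinstance(value, datetime):
        return value
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def build_signin_url(sts_url, wtrealm, wctx="/", now=None):
    """Step 1: the RP redirects the browser to the account partner's STS.
    wtrealm is the realm URI the STS uses to pick the trust policy; wctx is
    opaque RP state the STS must echo back; wct is the request timestamp."""
    now = _parse_time(now) if now else datetime.now(timezone.utc)
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm, "wctx": wctx,
              "wct": now.strftime("%Y-%m-%dT%H:%M:%SZ")}
    return sts_url + "?" + urllib.parse.urlencode(params)


def parse_wresult(wresult, expected_audience, now=None, skew=timedelta(minutes=5)):
    """Step 2: the STS POSTs wa=wsignin1.0, wctx and wresult back to the RP.
    wresult is a WS-Trust RequestSecurityTokenResponse wrapping a SAML 1.1
    assertion.  Returns the claims the RP may act on, or raises ValueError.
    Caveat: verify the assertion's signature against the partner's
    token-signing certificate BEFORE trusting anything returned here."""
    now = _parse_time(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(wresult)
    if root.tag != f"{{{TRUST_NS}}}RequestSecurityTokenResponse":
        raise ValueError("wresult is not a RequestSecurityTokenResponse")
    assertion = root.find("t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in RequestedSecurityToken")
    if (assertion.get("MajorVersion"), assertion.get("MinorVersion")) != ("1", "1"):
        raise ValueError("ADFS expects a SAML 1.1 assertion")

    # Conditions: validity window (with clock skew) and audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now + skew < _parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= _parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall(
        "saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience {audiences} does not include {expected_audience}")

    # Identity comes from the AuthenticationStatement's NameIdentifier.
    name_id = assertion.find(
        "saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name_id is None:
        raise ValueError("assertion has no NameIdentifier")
    claims = {"issuer": assertion.get("Issuer"), "name": name_id.text,
              "name_format": name_id.get("Format"), "attributes": {}}
    # Group/custom claims arrive as SAML attributes; a claims-aware app
    # authorizes on these directly instead of resolving a shadow account.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        claims["attributes"].setdefault(key, []).extend(values)
    return claims


# Constructed sample token (no real partner, user or signature).
SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="{TRUST_NS}">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
        AssertionID="_constructed-0001" Issuer="urn:federation:partner-example"
        IssueInstant="2008-03-25T10:25:00Z">
      <saml:Conditions NotBefore="2008-03-25T10:25:00Z" NotOnOrAfter="2008-03-25T11:25:00Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>urn:federation:resource-example</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AuthenticationStatement AuthenticationMethod="urn:federation:authentication:windows"
          AuthenticationInstant="2008-03-25T10:25:00Z">
        <saml:Subject><saml:NameIdentifier
          Format="http://schemas.xmlsoap.org/claims/UPN">andre@partner.example</saml:NameIdentifier></saml:Subject>
      </saml:AuthenticationStatement>
      <saml:AttributeStatement>
        <saml:Subject><saml:NameIdentifier>andre@partner.example</saml:NameIdentifier></saml:Subject>
        <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
          <saml:AttributeValue>PartnerUsers</saml:AttributeValue>
          <saml:AttributeValue>Approvers</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <!-- a ds:Signature over the assertion would appear here -->
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

if __name__ == "__main__":
    print(build_signin_url("https://sts.partner.example/adfs/ls/",
                           "urn:federation:resource-example", now="2008-03-25T10:30:00Z"))
    print(parse_wresult(SAMPLE_WRESULT, "urn:federation:resource-example",
                        now="2008-03-25T10:30:00Z"))
```

    The audience and validity checks are what stop a token minted for a different resource partner, or replayed later, from being accepted; the claims dictionary is the hand-off point to a claims-aware application, which can authorize on the Group values without the shadow-account mapping mentioned above.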

  •  03-25-2008, 1:07 PM 2910 in reply to 2909

    Re: ADFS interoperability

    Joe,

    In fact, it is a Microsoft shop. But they prefer to implement something more "open".

    Thanks.

  •  03-25-2008, 4:47 PM 2916 in reply to 2910

    Re: ADFS interoperability

    Well, they have lots of options.  Most of the other vendors also support the SAML protocols as well as the WS-Fed protocols, so they get broader protocol support.  However, unless they go with Shibboleth or OpenSSO, they are going to spend at least one if not several orders of magnitude more money for the privilege of doing that and will spend a lot more time getting it working.

    If their web guys do a lot of Apache or other non-IIS web server stuff, then they'll probably be ok, but otherwise they may struggle.  Not sure what to say here, but I can understand the perspective.  Until there is more shakeout in the protocol space and all the servers can talk to each other equally, there is still differentiation of the various products based on the protocols they support.

  •  03-26-2008, 9:22 AM 2924 in reply to 2916

    Re: ADFS interoperability

    Thanks Joe.

    I appreciate your comments.

    André
