Directory Programming .NET

Hi,

we have succesfully setup ADFS to support SSO over multiple domains (www.comany.com, www.comany, www.comany.de, ...) for .Net applications in our organization for external users.

Now we also like to support SAP.

Does anyone have any experience in doing this? Since SAML is an open standard which is supported by SAP or the underlying OS we think this shouldn't be too hard.

Note: we only need SSO, we don't need federation of claims and we don't have any partner organization. MS and SAP can use the same ADFS server.

 

Thanks

I'm still struggling with this internally as well. 

The core problem as I understand it right now is that SAP supports SAML, but uses the SAML protocol to implement this.  ADFS uses WS-Federation Passive Requester Profile (fed/passive) for the protocol and SAP (from what I've seen) cannot natively generate a fed/passive logon request or accept a fed/passive logon.

I'm hoping SAP will eventually support fed/passive in the portal/CE environment at some point.  Alternately, Geneva server will (as I understand it) support enough SAML 2 by the time it ships that this will be more straightforward.

I'm pretty sure you can do this with third party tools like PingFederate from PingIdentity, but I don't know if you'd want to incur that additional expense and complexity.

Joe, thanks for your response. There's a product called Shibboleth which is open source I think. It looks like it tries to bridge different SSO/SAML technologies. Do you have any experiences with this?

http://www.terena.org/activities/eurocamp/november07/slides/caju-SAP-Shib-integration.pdf

http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=0EBC0F18-C8F5-4699-AA36-5B6562448912&displaylang=en

http://www.windows-hied.org/Conf2006/Schmidt_ADFS.ppt

Thanks,

René

Shibboleth works well with ADFS.  We've integrated it twice with my production ADFS system at work.  I'm not sure if it has a good solution that will integrate with SAP or not though.  It can certainly be a resource partner/RP to ADFS in the account/IDP role, so if SAP can work with Shib as an RP, it should be very possible.

There's also a product called IAG 2007. This is a reverse proxy server (maybe the successor of ISA?). The link below shows it supports ADFS and SAML.

http://blogs.technet.com/extreme/archive/2007/05/30/forefront-iag-2007-sp1.aspx

Unfortunately the official site doesn’t mention ADFS and SAML: http://www.microsoft.com/forefront/edgesecurity/iag/en/us/overview.aspx

Did MS drop ADFS and SAML support from IAG?

Thanks,

René

I actually have no idea what the story here is with IAG.  The other trick with reverse proxies is that they must work with the app behind them.  In the case of SAP, you still need to get a SAP login ticket generated somehow.