
A client would like to set up SSO from their domain to my hosted website. They have suggested using ADFS. I have a single server hosting ADUC, ADFS and IIS in, let's say, fs.mydomain.com which is hosting a website which needs to keep track of logged in users. The client will be logging in from an internet connected PC on a different domain. ADFS Claims X-Ray says that it is working properly. Their federationmetadata.xml points to Office365.

All of the videos, technotes, etc. I have seen stop at ADFS is working. Or they are how to connect your PC to their ADFS. I can't seem to find anything on configuring IIS. I thus have a couple of questions.

  1. How do I configure ADFS for their domain? I added the federationdata.xml to Relying Trust and it shows up as an option to log into from idpinitiated.htm. When I select it and try to log in, it asks for my Microsoft365 login. It tries to process it, and seems to get almost there but eventually throws an error. Something like "File not found in folder".

  2. How do I configure the website/IIS to look to ADFS for signon?

  3. Then get ADFS to redirect back to the website?

  • for point #1 about "tries to login and throws an error". Use the SAML-tracer or panel for Chrome to see details...this can also help: https://blog.matrixpost.net/analyse-ad-fs-saml-claims-with-fiddler/ – TheCleaner Sep 29 '22 at 15:35
  • Do you already have IIS integrated with your own ADFS IDP for logging in users? It’s important to know. Because typically you would integrate your app with your own IDP which is used with all of your “internal” users. You would then “federate” external domains with your own IDP. In essence, IIS looks one place (to your IDP) and your IDP knows how to check with other external IDPs as necessary and depending on the username. You would not federate IIS with an external client ADFS as you are then putting full trust in their IDP and also stuck using only their IDP. – Appleoddity Sep 29 '22 at 15:39
  • So, you have two steps. First, federate IIS authentication with your own IDP (ADFS) for all logins. Next, federate specific usernames (email domains) in your IDP with the external IDP. – Appleoddity Sep 29 '22 at 15:41
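The two-step design in the comments above (IIS trusts only your own AD FS; your AD FS federates the client's domain) as an added example, not code from the question or the commenters. Assumed values that are not in the post: the website answers on its own hostname https://www.mydomain.com/ (AD FS reserves fs.mydomain.com:443 through HTTP.SYS, so the site needs a separate host binding), the client's federationmetadata.xml has been copied to C:\temp, and the client's users sign in as user@clientcorp.example. Run on the AD FS server as an AD FS administrator; -OrganizationalAccountSuffix needs AD FS on Windows Server 2016 or later.

```powershell
# Added example (not from the original post). Assumed: site realm, metadata path,
# client UPN suffix. Run on the AD FS server as an AD FS admin.
Import-Module ADFS

$siteRealm      = 'https://www.mydomain.com/'               # WS-Fed realm (wtrealm) of the IIS site
$clientMetadata = 'C:\temp\client-federationmetadata.xml'  # the client's federationmetadata.xml, copied locally
$clientSuffix   = 'clientcorp.example'                      # their users sign in as user@clientcorp.example

# 1) Relying party trust: the website is a relying party of YOUR AD FS, never of the client's.
#    Issue only the claims the site needs to identify a logged-in user (UPN, e-mail, name).
$rpIssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Internal users: UPN, email, name from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,mail,displayName;{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Federated users: pass through the UPN accepted from a claims provider"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

Add-AdfsRelyingPartyTrust -Name 'mydomain website' `
    -Identifier $siteRealm `
    -WSFedEndpoint $siteRealm `
    -IssuanceTransformRules $rpIssuanceRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 2) Claims provider trust: federate the client's IdP with YOUR AD FS.
#    Accept a UPN from them only when it is in their own suffix, so their IdP cannot
#    assert an identity that looks like one of your internal users.
$cpAcceptanceRules = @"
@RuleName = "Accept only UPNs in the client's own suffix"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "(?i)^[^@]+@$([regex]::Escape($clientSuffix))$"]
 => issue(claim = c);
"@

Add-AdfsClaimsProviderTrust -Name 'Client corp (federated)' `
    -MetadataFile $clientMetadata `
    -AcceptanceTransformRules $cpAcceptanceRules `
    -OrganizationalAccountSuffix $clientSuffix

# 3) Home realm discovery: offer only your AD and the client's IdP for this site; a user
#    who types user@clientcorp.example is sent straight to the client's IdP, no picker.
Set-AdfsRelyingPartyTrust -TargetName 'mydomain website' `
    -ClaimsProviderName @('Active Directory', 'Client corp (federated)')

# Verify: where AD FS will POST the token back to, and the suffix routing.
Get-AdfsRelyingPartyTrust -Name 'mydomain website' | Select-Object Name, Identifier, WSFedEndpoint
Get-AdfsClaimsProviderTrust -Name 'Client corp (federated)' | Select-Object Name, Identifier, OrganizationalAccountSuffix
# The token-signing thumbprint the website must pin as its trusted issuer.
Get-AdfsCertificate -CertificateType Token-Signing | Select-Object Thumbprint, IsPrimary
```

The metadata you import as a claims provider trust has to describe the IdP that actually authenticates the client's users. If that IdP is Azure AD / Microsoft 365 rather than an AD FS of their own, the client has to register your federation service (https://fs.mydomain.com/adfs/services/trust) as a SAML application on their side before the trust will complete; otherwise the sign-in will fail at their end after the password prompt, which is what SAML-tracer (mentioned in the comments) will show you.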

0 Answers
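For the IIS side of the question (points 2 and 3), an added example of a web.config for a .NET Framework 4.5+ site using the built-in WS-Federation modules (System.IdentityModel.Services); it is not configuration from the question's site. Assumed, as above: the site is https://www.mydomain.com/ and that string is the Identifier/WSFedEndpoint of the relying party trust in AD FS; the thumbprint is a placeholder to be replaced with the real token-signing thumbprint from Get-AdfsCertificate -CertificateType Token-Signing.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config, not from the original post. Assumed site https://www.mydomain.com/. -->
<configuration>
  <configSections>
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services"
             type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>

  <system.web>
    <!-- Forms and Windows auth off: the WS-Federation module owns sign-in. -->
    <authentication mode="None" />
    <!-- Every anonymous request is redirected to AD FS; scope this with <location> if only some paths need sign-in. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <compilation targetFramework="4.8" />
    <httpRuntime targetFramework="4.8" />
  </system.web>

  <system.webServer>
    <modules>
      <!-- Handles the redirect to AD FS and the token POSTed back to the realm URL. -->
      <add name="WSFederationAuthenticationModule"
           type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"
           preCondition="managedHandler" />
      <!-- Turns the validated token into a session cookie so the site can track the logged-in user. -->
      <add name="SessionAuthenticationModule"
           type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>

  <system.identityModel>
    <identityConfiguration>
      <!-- Must equal the relying party Identifier in AD FS; a token issued for any other audience is rejected. -->
      <audienceUris>
        <add value="https://www.mydomain.com/" />
      </audienceUris>
      <!-- Pin the AD FS token-signing certificate. Placeholder thumbprint: replace with the output of
           Get-AdfsCertificate -CertificateType Token-Signing, and add the secondary cert before a rollover. -->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
        <trustedIssuers>
          <add thumbprint="0000000000000000000000000000000000000000" name="http://fs.mydomain.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>

  <system.identityModel.services>
    <federationConfiguration>
      <!-- Session cookie only over TLS. -->
      <cookieHandler requireSsl="true" />
      <!-- issuer = your AD FS passive endpoint (your IdP, not the client's);
           realm = this site's identifier, and the URL AD FS posts the token back to. -->
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://fs.mydomain.com/adfs/ls/"
                    realm="https://www.mydomain.com/"
                    requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
```

With this in place the flow for point 3 is: anonymous request to the site, 302 to https://fs.mydomain.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://www.mydomain.com/, AD FS authenticates (locally or via the federated client IdP), then POSTs the signed token to the realm URL, where the module validates signature, audience and lifetime and sets the session cookie. Do not work around a signature failure with certificateValidationMode="None" or by removing the issuerNameRegistry; fix the thumbprint instead, or anyone with a self-signed certificate can mint sessions for your site.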