0

Imagine an Intranet with many divisions inside a company like:

\Home

….\Division A

….\Division B

….\Division C

….\Division D

….\Division XXX

There are a lot of divisions – around 50. In essence, each division is essentially a separate web site.

Currently, WIA is used.

Now the company (which is Microsoft centric) wants to set up SSO with other organisations so they decide to install ADFS v2.

However, some divisions don’t like the idea.

If we FBUtil the web.config at the base level, then the whole site will be protected.

To protect some divisions and not others, I guess we could FBUtil the web.config at the division level for those that require ADFS but that rapidly becomes a maintenance nightmare because there are so many of them of them.

Is there a better way to allow ADFS across some divisions but leave some still authenticating as they do now.

MarnixKlooster ReinstateMonica
  • 9,640
  • 14
  • 54
  • 108
rbrayb
  • 46,440
  • 34
  • 114
  • 174

1 Answers1

1

You should be able to update only the root web.config, and use the <location> tag (e.g., <location path="DivisionC"><microsoft.identityModel>...</microsoft.identityModel></location>) to specify WIF-related information only for the divisions/sites which actually use WIF.

However, this still will lead to duplication in that root web.config; I don't know how to solve that, and that would be a different question. :-)

MarnixKlooster ReinstateMonica
  • 9,640
  • 14
  • 54
  • 108
  • Interesting approach! If you went this way, would the rest of the site still be able to use Windows Authentication? I've been approaching it the other way - using the Location tag to exempt certain divisions from WIF - but haven't had much joy. – rbrayb May 03 '12 at 19:11
  • Yes, if you only add a `` section to the root `web.config`, then only /X is influenced, and the others are not affected at all. – MarnixKlooster ReinstateMonica May 04 '12 at 04:09