
I have a custom STS made in WIF that works as an IDP and now I need to configure SSO to a Service Provider made in SimpleSamlPHP. (The SP only supports Post Binding and Web Browser SSO Profile.)

Any idea on how I should approach this requirement? Does WIF support Post Binding and SAML 2.0?

Any idea will be greatly appreciated, Thanks!

Paul Sasik
Beelphegor

2 Answers


WIF has no restrictions on bindings, it is just a set of APIs that makes it easier to develop IdPs and SPs. What people usually do is they implement redirect binding on the service provider and post binding on the identity provider - all books and tutorials I've read are like this. This means that the service provider should redirect to the identity provider with wa=wsignin1.0 and the identity provider responds with a form containing the token posted to the service provider.

However, I don't see any obvious reasons you would not be able to implement post bindings for both sides.

As far as I know, there is still no SAML2 protocol support for WIF apart from a CTP that hasn't been updated for ages. If your service needs SAML2, you'd have to take a look at some commercial implementations, like the one from ComponentSpace.

Wiktor Zychla
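The redirect-in, POST-back exchange this answer describes, as an added example that is not part of the original answer or of WIF: the SP builds the wa=wsignin1.0 redirect, the IdP parses it and checks wreply against the relying party's registered addresses before answering with the auto-submitting form. The hostnames, the trust table and the token string are constructed for illustration.

```python
from html import escape
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed trust registry: realm identifier -> reply URLs the IdP may post a token to.
# A real STS loads this from its relying-party configuration.
TRUSTED_REPLY_URLS = {
    "https://sp.example.test/": {"https://sp.example.test/", "https://sp.example.test/wsfed"},
}


def build_signin_redirect(idp_url, realm, reply, context):
    """SP side (redirect binding): send the browser to the IdP with wa=wsignin1.0."""
    query = urlencode({"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply, "wctx": context})
    return f"{idp_url}?{query}"


def parse_signin_request(redirect_url):
    """IdP side: extract the passive sign-in parameters and validate the reply address.

    Returns (realm, reply, context) or raises ValueError.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    if params.get("wa") != "wsignin1.0":
        raise ValueError("not a sign-in request")
    realm = params["wtrealm"]
    reply = params.get("wreply", realm)
    # Post the token only to an address registered for that relying party;
    # honouring an arbitrary wreply would deliver the token to any site.
    if reply not in TRUSTED_REPLY_URLS.get(realm, set()):
        raise ValueError("wreply not registered for realm")
    return realm, reply, params.get("wctx", "")


def build_signin_response_form(reply, wresult, context):
    """IdP side (POST binding): auto-submitting form carrying the token to the SP."""
    return (
        f'<form method="post" action="{escape(reply, quote=True)}">'
        '<input type="hidden" name="wa" value="wsignin1.0"/>'
        f'<input type="hidden" name="wresult" value="{escape(wresult, quote=True)}"/>'
        f'<input type="hidden" name="wctx" value="{escape(context, quote=True)}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form><script>document.forms[0].submit();</script>"
    )
```

The wresult value is the RequestSecurityTokenResponse XML that WIF produces; escaping it into the hidden field is what keeps the form well-formed.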

As per @Wiktor, there is no SAML support in WIF.

But you need the server side of the SAML stack not the client side.

Your best bet may be to put ADFS v2.0 in the middle and use it as a broker to provide the SAML support.

If you want SAML support, vote here.

rbrayb
  • Could I put an ADFS2 as a relying party of my CustomSTS, and redirect the SimpleSamlPHP SP to my ADFS2 instead of to my CustomSTS? Supposing that I'm authenticated in my CustomSTS, that would authenticate me in ADFS2 and then to SimpleSamlPHP. Is that what you mean by putting ADFS in the middle? :) – Beelphegor Apr 04 '13 at 23:11
  • Yup - Your CustomSTS speaks WS-Fed to ADFS which speaks SAML to SimpleSamlPHP. So user navigates to SP, gets redirected to ADFS HRD (Home Realm Discovery) screen, chooses CustomSTS, authenticates and you are away. – rbrayb Apr 04 '13 at 23:22
  • Finally found the link - http://blog.auth360.net/2011/02/20/disable-local-authentication-in-ad-fs-2-0/ – rbrayb Apr 04 '13 at 23:40
  • In theory the SimpleSamlPHP site could consume WS-Federation right? I see that as a possible solution (supposing that they are willing to do that configuration). If not I will use the ADFSv2 broker approach. thank you very much!! :) – Beelphegor Apr 05 '13 at 16:41
  • Looking at their website, they support WS-Fed so that would be an option. But I suspect documentation etc. could be sparse? – rbrayb Apr 07 '13 at 18:58