
In an ADFS RP-STS using WS-Federation passive, can you redirect a user to an alternate URL, based on the value or existence of a claim, instead of sending them back to the relying party that they originally requested?

For example, if a user logs into the RP-STS and an email claim doesn't exist, can you redirect the user to a page (not on the same relying party) where they can enter their email address?

My current solution is to use a transform rule to detect the absence of the email address claim and issue a new claim called "http://mycompanyurl/claims/redirect" with a value of "http://mycompanyurl/getemail". I then pass that claim to every relying party and expect them to perform the redirect. The obvious disadvantage to this solution is that every relying party needs to implement custom code.

John Hansen

1 Answer


The trick with the pigeon could be to "always redirect to a man in the middle". That man (rather, application) will do the necessary redirections based on the claims and return URLs. As far as your applications are concerned this is the STS, but it uses ADFS to get a security token. It will probably re-sign that ADFS security token too. We use this approach to implement "missing claims", "IP security token uniformization", "terms and conditions versioning", etc.

  • To ADFS, there would appear to be a single RP, right? Can you use the man in the middle approach without losing the (ADFS) ability to transform claims for each of the relying parties individually? Alternately, have you not found that to be a problem? – John Hansen May 07 '15 at 21:19
  • We use more than one IP. The man in the middle makes sure the claims coming from Facebook, Twitter, ADFS, ACS, custom user store etc. are all "the same". From an ADFS point of view, we have a single relying party (the man in the middle). Of course, you cannot use claims transformation per "second level" relying party. If you want that you have to reimplement it in the "man in the middle". But we don't find that to be a problem. We don't use these transforms (or ACS transforms) because they are too basic for our needs and difficult to maintain for the 150+ RPs we have. – Willy Van den Driessche May 09 '15 at 09:39
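The routing decision such a "man in the middle" has to make, written out in Python as an added example (it is not code from the question or from the answerer's system). It serves both the asker's approach (ADFS issues the `http://mycompanyurl/claims/redirect` claim and something has to act on it) and the answer's design (a broker registered in ADFS as the single relying party, which re-signs the token and redirects based on claims and return URLs). Everything beyond the two URLs from the question is assumed: the broker endpoint `broker.mycompanyurl`, the registry of second-level RPs, the `return` query parameter handed to the get-email page, and the token format, which is an HMAC-signed JSON blob standing in for the re-signed SAML token the answer mentions. The check a practitioner will want from such a broker is the one on `wreply`: the user is only ever sent to a URL registered with the broker, never to one supplied by the request or by an unexpected claim value, so the broker cannot be turned into an open redirector.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode, urlsplit

# Claim type and redirect target taken from the question; everything else is assumed.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
REDIRECT_CLAIM = "http://mycompanyurl/claims/redirect"
GETEMAIL_URL = "http://mycompanyurl/getemail"
BROKER_RESUME = "https://broker.mycompanyurl/wsfed/resume"  # assumed broker endpoint

# Assumed registry of second-level RPs: a wreply is accepted only if its host
# matches exactly and its path starts with the registered prefix.
REGISTERED_RPS = {
    "https://app1.mycompanyurl/": "app1",
    "https://app2.mycompanyurl/federation/": "app2",
}
# Targets the broker may redirect to on the strength of a claim value.
ALLOWED_REDIRECTS = {GETEMAIL_URL}
# Assumed broker signing secret; a real broker re-signs with its own X.509 key.
BROKER_KEY = b"example-broker-key-not-for-production"


def validate_wreply(wreply):
    """Return the id of the registered RP that owns wreply, or None.

    Refusing unknown wreply values is what keeps the broker from being an
    open redirector: only URLs registered with the broker are ever used.
    """
    parts = urlsplit(wreply)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return None
    for prefix, rp_id in REGISTERED_RPS.items():
        reg = urlsplit(prefix)
        if parts.netloc.lower() == reg.netloc and parts.path.startswith(reg.path):
            return rp_id
    return None


def missing_claims(claims, required=(EMAIL_CLAIM,)):
    """Claim types in `required` that are absent or empty in `claims`."""
    return [c for c in required if not claims.get(c)]


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_token(claims, audience):
    """Stand-in for re-signing the ADFS token: HMAC-SHA256 over a JSON payload."""
    payload = json.dumps({"aud": audience, "claims": claims}, sort_keys=True).encode()
    mac = hmac.new(BROKER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token):
    """Return the payload dict if the token was issued by this broker, else None."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except Exception:
        return None
    expected = hmac.new(BROKER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def route(claims, wreply, wctx=""):
    """Decide what the broker does once ADFS has handed back `claims`.

    Returns ("error", reason), ("redirect", url) or ("issue", form_fields),
    where form_fields are the WS-Federation passive fields POSTed to the RP.
    """
    rp_id = validate_wreply(wreply)
    if rp_id is None:
        return ("error", "wreply is not a relying party registered with the broker")

    # The "come back here" URL given to the side trip points at the broker,
    # not at the RP, so the broker re-checks claims when the user returns.
    resume = BROKER_RESUME + "?" + urlencode({"wreply": wreply, "wctx": wctx})

    # Honour the redirect claim from the question if ADFS issued one, but never
    # follow a claim value that is not on the broker's own allow list.
    target = (claims.get(REDIRECT_CLAIM) or [None])[0]
    if target is not None:
        if target not in ALLOWED_REDIRECTS:
            return ("error", "redirect claim points outside the allow list")
        return ("redirect", target + "?" + urlencode({"return": resume}))

    # No explicit claim: detect the missing email address in the broker itself.
    if missing_claims(claims):
        return ("redirect", GETEMAIL_URL + "?" + urlencode({"return": resume}))

    # Everything required is present: re-issue under the broker's key.
    fields = {"wa": "wsignin1.0", "wresult": issue_token(claims, rp_id), "wctx": wctx}
    return ("issue", fields)
```

`route` is what the broker's sign-in endpoint would call after it has validated the token ADFS posted back; `wctx` is carried through untouched so the RP gets its own context back, and the `resume` URL is the only thing the get-email page needs to return the user into the flow.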