I have a setup where ADFS has multiple Service Providers (SPs) and ADFS acts as an Identity Provider using Active Directory as a Name ID store.
Now the required scenario is that the user follows these steps:

Step 1: The user tries to access Application 1 and is redirected to the Identity Provider by SP1 for authentication.
Step 2: After authentication the user is redirected back to the application along with a SAML response.
Step 3: Now the user wants to access Application 2 and SP2 redirects the user to the IdP, but she does not want to be re-authenticated by the IdP.

We want to set up Single Sign-On so that the user does not have to log in multiple times.
Is there any way we can configure ADFS so as to build trust between the SPs so that there is no need for re-authentication? Perhaps there is some configuration to inform ADFS not to ask for credentials again?
I have ADFS 2.1 on Windows Server R12 as my IdP and I have Oracle WebLogic servers being leveraged as Service Providers. My applications are deployed on these WebLogic servers.
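The flow in the question (SP1 redirects to the IdP, the user logs in, SP2 redirects to the same IdP later) is decided entirely by the IdP's own session, not by any trust between the SPs. The following Python model is an added example written for this page; it is not ADFS code and does not talk to ADFS. The entity IDs `sp1`/`sp2`, the user store, the cookie names and the `sso_lifetime` value are constructed assumptions. It shows three things a practitioner checks when SSO "does not work": whether the second SP has its own relying party trust with the IdP, whether the IdP session is still inside its SSO lifetime, and whether the SP's AuthnRequest carries `ForceAuthn`, which asks the IdP to re-prompt regardless of the session.

```python
"""Model of SP-initiated SAML web SSO at one IdP (constructed example, not ADFS)."""
from dataclasses import dataclass, field

# Constructed user store standing in for Active Directory (not real data).
USERS = {"alice": "s3cret-example"}


@dataclass
class AuthnRequest:
    sp_entity_id: str          # relying party that wants an assertion
    force_authn: bool = False  # SAML ForceAuthn: demand a fresh login


@dataclass
class IdPSession:
    subject: str
    authenticated_at: float    # seconds, model clock


@dataclass
class IdentityProvider:
    trusted_sps: set                                # relying party trusts
    sso_lifetime: float                             # seconds a session stays valid
    sessions: dict = field(default_factory=dict)    # cookie value -> IdPSession
    prompts: int = 0                                # login pages shown to the user

    def _valid_session(self, cookie, now):
        """Return the live session behind the cookie, expiring stale ones."""
        session = self.sessions.get(cookie)
        if session is None:
            return None
        if now - session.authenticated_at > self.sso_lifetime:
            del self.sessions[cookie]               # lifetime exceeded: log in again
            return None
        return session

    def handle(self, req, cookie, now, credentials=None):
        """Process one AuthnRequest; credentials are the posted login form, if any."""
        if req.sp_entity_id not in self.trusted_sps:
            # No relying party trust: the IdP refuses before any SSO logic runs.
            raise PermissionError(f"no relying party trust for {req.sp_entity_id}")
        session = None if req.force_authn else self._valid_session(cookie, now)
        if session is None:
            if credentials is None:
                self.prompts += 1                   # show the login page
                return {"outcome": "login_required", "cookie": cookie}
            user, password = credentials
            if USERS.get(user) != password:
                return {"outcome": "login_failed", "cookie": cookie}
            cookie = f"sso-{len(self.sessions) + 1}"   # new IdP session cookie
            session = IdPSession(user, now)
            self.sessions[cookie] = session
        # Each assertion is scoped to the requesting SP (audience restriction),
        # so SPs never need to trust each other, only the IdP.
        assertion = {"subject": session.subject,
                     "audience": req.sp_entity_id,
                     "issued_at": now}
        return {"outcome": "assertion", "cookie": cookie, "assertion": assertion}


def run_scenario(force_authn_sp2=False, gap_seconds=60, sso_lifetime=480 * 60):
    """Replay Steps 1-3 from the question and report how many logins occurred."""
    idp = IdentityProvider(trusted_sps={"sp1", "sp2"}, sso_lifetime=sso_lifetime)
    cookie = None
    # Step 1: SP1 redirects to the IdP; no IdP session yet, so a login page is shown.
    first = idp.handle(AuthnRequest("sp1"), cookie, now=0)
    assert first["outcome"] == "login_required"
    # Step 2: the user posts credentials; the IdP sets its session cookie and
    # returns an assertion for SP1.
    second = idp.handle(AuthnRequest("sp1"), cookie, now=1,
                        credentials=("alice", "s3cret-example"))
    cookie = second["cookie"]
    # Step 3: SP2 redirects to the IdP; the browser presents the same IdP cookie.
    third = idp.handle(AuthnRequest("sp2", force_authn=force_authn_sp2),
                       cookie, now=1 + gap_seconds)
    audience = third.get("assertion", {}).get("audience")
    return idp.prompts, third["outcome"], audience


if __name__ == "__main__":
    print("default:", run_scenario())
    print("ForceAuthn on SP2:", run_scenario(force_authn_sp2=True))
    print("session expired:", run_scenario(gap_seconds=9 * 3600))
```

With the default settings the user is prompted once and SP2 receives an assertion without a second login; setting `ForceAuthn` on SP2's request, or letting the gap exceed the SSO lifetime, produces a second prompt. The real ADFS counterparts are the relying party trust for each SP, the web SSO lifetime (exposed in minutes through `Set-AdfsProperties -SsoLifetime`) and the `ForceAuthn` attribute in the SP's AuthnRequest, which the WebLogic SAML configuration controls on the SP side.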