I've done an exhaustive search over the past 2 days trying to find answers to all my questions and I believe I've hit a wall here. I sincerely apologize if this has been answered correctly elsewhere, perhaps I haven't been asking the right question(s). This question seems to come close to what we need, however it is referring to IdentityServer2 and we have been unable to find the same admin panel described in the video linked there.

Here is a very general overview of the scenario we'd like to achieve

  • User logs in on Organization A's webapp and gets authenticated via some STS against a SQL database.

  • User clicks a link on Organization A's webapp to make a jump over to Organization B's webapp

  • Organization B's ADFS server sees the token from the STS and doesn't prompt the user for credentials, instead just allowing them to utilize Organization B's webapp

We'd like to just go with ADFS, however Organization A does not want to move their user information from SQL over to AD.

We've set up an ADFS server locally for testing and got it working with our local AD users. We'd like to utilize this to represent Organization B's ADFS server that would grant access to Organization B's webapp.

We've also got IdentityServer3 up and running locally and authenticating. This would represent Organization A's STS.

1) First and foremost...Is this possible?

2) Is this a reasonable architecture or are we going about this all wrong?

3) If possible & reasonable; What exactly do we need IdentityServer3 to provide to the partner's ADFS server?

Thanks in advance


1 Answer


Just to confirm - you want to federate ADFS and idsrv3?

Yes - it's possible - yes - it's reasonable - yes - lots of people do it.

Refer to a series of posts I wrote covering how to do this with a range of protocols.

rbrayb
  • I think that's correct, I'm still shaky with terminology. I would like to set up idsrv3 as an STS for my organization that can send the appropriate token/claims to a partner organization's ADFS server. Thank you so much! This is incredibly helpful! – Daniel Fernandez Apr 28 '16 at 20:18
  • So I spent a good bit of time looking through your various posts (lots of good information here!) and I was hoping you could clarify something for me. [This](http://nzpcmad.blogspot.co.nz/2015/11/identityserver-federation-with-adfs.html) seems to be the closest to my scenario but not quite it (correct me if I'm wrong!) But in my scenario I would think I would want my webapp as the RP, IS as the IdP, and then IS as a trusted CP in our partner organization's ADFS? – Daniel Fernandez Apr 29 '16 at 13:10
  • Yes - ADFS is an RP to IS and IS is a CP to ADFS. The app is an RP to ADFS. – rbrayb May 01 '16 at 18:56
  • Thanks again, you've been extremely helpful and we've been able to setup the relationship here locally for testing with your help! – Daniel Fernandez May 02 '16 at 13:13
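The trust topology agreed on in the comments above (IdentityServer3 as a claims provider to Organization B's ADFS, the web app as a relying party to that ADFS), expressed as an added example on the ADFS side with the ADFS PowerShell module. This is not code from the question, the answer or rbrayb's blog posts. The hostnames, the IdentityServer3 WS-Federation metadata path, the trust names and the claim types are assumptions; the cmdlets and their parameters are the standard ADFS ones.

```powershell
# Added example (not from the original thread). Run on Organization B's ADFS
# server in an elevated session with the ADFS module available.
# Assumed hosts: idsrv.orga.example (IdentityServer3), app.orgb.example (OrgB web app).
Import-Module ADFS

# 1) IdentityServer3 becomes a claims provider (CP) to ADFS.
#    ADFS imports the WS-Federation metadata IS publishes (issuer id, endpoints,
#    token-signing certificate); that is what IS "provides" to the partner ADFS.
#    The metadata path assumes the IdentityServer3.WsFederation plugin defaults.
Add-AdfsClaimsProviderTrust -Name "OrgA IdentityServer3" `
    -MetadataUrl "https://idsrv.orga.example/core/wsfed/metadata" `
    -AutoUpdateEnabled $true

# Acceptance transform rules on the CP trust: accept only the claims the app
# needs from the partner. Nothing else in the IS token is passed on.
$cpRules = @'
@RuleName = "Accept email from OrgA"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleName = "Accept name from OrgA"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName "OrgA IdentityServer3" `
    -AcceptanceTransformRules $cpRules

# 2) Organization B's web app is a relying party (RP) to ADFS.
$rpIssuanceRules = @'
@RuleName = "Pass through email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleName = "Pass through name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);
'@
Add-AdfsRelyingPartyTrust -Name "OrgB WebApp" `
    -Identifier "https://app.orgb.example/" `
    -WSFedEndpoint "https://app.orgb.example/" `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -IssuanceTransformRules $rpIssuanceRules

# 3) Pin this RP to the partner CP. With a single CP allowed, ADFS skips the
#    home-realm discovery page (the "no credential prompt" behaviour the
#    question asks for) and the local AD CP is never offered to this app.
Set-AdfsRelyingPartyTrust -TargetName "OrgB WebApp" `
    -ClaimsProviderName @("OrgA IdentityServer3")

# Check the result: both trusts exist and the RP is bound to the one CP.
Get-AdfsClaimsProviderTrust -Name "OrgA IdentityServer3" |
    Select-Object Name, Identifier, MetadataUrl, Enabled
Get-AdfsRelyingPartyTrust -Name "OrgB WebApp" |
    Select-Object Name, Identifier, ClaimsProviderName, Enabled
```

On the IdentityServer3 side the mirror image is needed: ADFS registered as a WS-Federation relying party whose realm is the partner's federation service identifier (typically `http://<adfs-host>/adfs/services/trust`) and whose reply URL is the ADFS `/adfs/ls/` endpoint, issuing a SAML token with the claims the acceptance rules above expect. Two checks worth doing before calling it done: confirm that `Get-AdfsClaimsProviderTrust` shows the IS token-signing certificate you expect (ADFS will accept any token signed by whatever key the imported metadata lists), and keep the acceptance rules to an explicit allow-list rather than a blanket `c:[] => issue(claim = c);`, so a partner IdP cannot inject claims such as group or role values that Organization B's app trusts.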