Author: Ravi.Sabharanjak@barclaysglobal.com (Posts: 60)
Posted: 07/25/2008 2:05 AM

Hello all,
We've been trying to use ADFS to federate with service providers for Internet based services. However we are finding that out of the 2 competing protocols (WS-Federation and SAML), Microsoft has chosen to implement just the WS-Federation protocol in ADFS. Quite a few of our vendors have implemented the SAML protocol and will not budge from it. I was wondering if some company has developed an add-on to ADFS that will enable it to speak the SAML protocol as well? If not, is there another product out there that plays nicely with AD, but supports both - SAML and WS-Federation?
Thanks, -Ravi
--
This message and any attachments are confidential, proprietary, and may be privileged. If this message was misdirected, Barclays Global Investors (BGI) does not waive any confidentiality or privilege. If you are not the intended recipient, please notify us immediately and destroy the message without disclosing its contents to anyone. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. The views and opinions expressed in this e-mail message are the author's own and may not reflect the views and opinions of BGI, unless the author is authorized by BGI to express such views or opinions on its behalf. All email sent to or from this address is subject to electronic storage and review by BGI. Although BGI operates anti-virus programs, it does not accept responsibility for any damage whatsoever caused by viruses being passed. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
Author: joe (Posts: 74)
Posted: 07/25/2008 2:07 AM

When we implement federation for SSO with a vendor-provided service, the approach we usually use is to require support for WS-Federation. From my perspective, if vendors want more customers, they can be the ones to support more protocols. This does not always work, but we've been pretty successful with it.
If you are in the position of being the vendor or provider of the service (RP), then it probably makes sense for you to implement both protocols as well. In situations where it is a partnership across organizations and you are really just working with another IT shop on the other end, then it is all negotiable but I can see why someone wouldn't want to have to implement both.
That said, you can't make ADFS V1 implement the SAML protocol. It only does WS-Fed. There is no add on to it that will give you SAML, so you'll need another product or framework to supply this. There are plenty of options, depending on how much you want to pay and what sort of infrastructure you are willing to implement. Most of the options out there will provide some sort of integration with AD at the LDAP level. You'll likely lose some features (perhaps integrated auth or SSL client cert auth, support for NT token apps on the RP side, built in proxy, etc.), but you'll get something that will probably work ok.
Options that support both protocols (as far as I know) include the products from RSA, Oracle, Sun, IBM/Tivoli and Ping Identity (I'm sure there are others). You could also look at some of the OS frameworks like Shibboleth or OpenSSO OpenSSL (which has some sort of SAML support).
Note that if any of your partners use the above mentioned products, they may have WS-Fed support already and just not have it enabled. We have a partner in that exact same situation right now and are basically just waiting until they add that piece and know how to support it.
I would not be surprised if we see some sort of SAML protocol support in ADFS in the future, but Microsoft has no announced plans either way (they don't even have an announced follow up product yet), so if you can't wait around for something indefinite, you'll need a different option.
Good luck with whatever you do.
Joe K.
----- Original Message ----- From: "Sabharanjak, Ravi BGI SF" <Ravi.Sabharanjak@barclaysglobal.com> To: <ActiveDir@mail.activedir.org> Sent: Thursday, July 24, 2008 8:07 PM Subject: [ActiveDir] Possible OT: SAML add-on to AD federation services
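The thread turns on the fact that ADFS v1 speaks only the WS-Federation passive profile while many SaaS vendors speak SAML 2.0, and on the wire the two look quite different. The following is an added example (not code from the list posts, from ADFS, or from any of the products named) that classifies an incoming sign-in request as WS-Federation (`wa=wsignin1.0`, `wtrealm`, `wreply`, `wctx`) or SAML 2.0 HTTP-Redirect binding (`SAMLRequest` as raw-DEFLATE + base64, `RelayState`), pulls out the fields an IdP operator would log, and checks that the requested return endpoint is one registered for that partner, which is the check that keeps an IdP from posting tokens to an unregistered address. The hostnames, the registry dictionary and the two sample URLs are constructed for the example.

```python
"""Classify federation sign-in requests as WS-Federation or SAML 2.0 and
check the requested return endpoint against registered partner endpoints.
Added example; not code from the ActiveDir thread or from ADFS."""
import base64
import zlib
from urllib.parse import urlsplit, parse_qs, urlencode
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def encode_saml_redirect(xml_text: str) -> str:
    """SAML 2.0 HTTP-Redirect binding encoding: raw DEFLATE, then base64.
    URL-encoding is applied later by urlencode() when the URL is built."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_redirect(encoded: str) -> bytes:
    """Inverse of encode_saml_redirect (query-string decoding already done)."""
    return zlib.decompress(base64.b64decode(encoded), -15)


def classify_request(url: str) -> dict:
    """Return the protocol and the fields worth logging for one sign-in URL."""
    query = parse_qs(urlsplit(url).query)

    def first(key):
        return query.get(key, [None])[0]

    if first("wa") == "wsignin1.0":
        # WS-Federation passive sign-in: wtrealm names the relying party,
        # wreply is where the token will be POSTed, wctx is opaque state.
        return {"protocol": "ws-federation", "realm": first("wtrealm"),
                "reply": first("wreply"), "context": first("wctx")}
    if first("SAMLRequest") is not None:
        root = ET.fromstring(decode_saml_redirect(first("SAMLRequest")))
        if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
            return {"protocol": "saml2", "message": root.tag}
        issuer = root.find(f"{{{SAML_NS}}}Issuer")
        return {"protocol": "saml2", "message": "AuthnRequest",
                "issuer": issuer.text if issuer is not None else None,
                "acs_url": root.get("AssertionConsumerServiceURL"),
                "relay_state": first("RelayState")}
    return {"protocol": "unknown"}


def destination_is_registered(info: dict, registered: dict) -> bool:
    """True only if the return endpoint is one registered for that partner.
    `registered` maps a WS-Fed realm or SAML issuer to its allowed endpoints."""
    if info["protocol"] == "ws-federation":
        return info["reply"] in registered.get(info["realm"], ())
    if info["protocol"] == "saml2":
        return info.get("acs_url") in registered.get(info.get("issuer"), ())
    return False


# Constructed sample input (hostnames are placeholders, not from the thread).
WSFED_URL = "https://adfs.example.test/adfs/ls/?" + urlencode({
    "wa": "wsignin1.0",
    "wtrealm": "https://vendor.example.test/",
    "wreply": "https://vendor.example.test/wsfed/signin",
    "wctx": "rm=0&id=passive&ru=/home",
})
SAML_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_example1" Version="2.0" IssueInstant="2008-07-25T02:05:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
SAML_URL = "https://idp.example.test/saml/sso?" + urlencode({
    "SAMLRequest": encode_saml_redirect(SAML_AUTHN_REQUEST),
    "RelayState": "abc123",
})
REGISTERED_ENDPOINTS = {  # constructed partner registry
    "https://vendor.example.test/": ["https://vendor.example.test/wsfed/signin"],
    "https://sp.example.test/metadata": ["https://sp.example.test/saml/acs"],
}

if __name__ == "__main__":
    for url in (WSFED_URL, SAML_URL):
        info = classify_request(url)
        ok = destination_is_registered(info, REGISTERED_ENDPOINTS)
        print(info, "registered" if ok else "NOT registered")
```

Run it directly to see one request of each kind decoded; an IdP that only implements one of the two branches is in the position Ravi describes, and the registry check is the same regardless of which protocol the partner speaks.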