I have a 3rd party program that supports web SSO using SAML 1.1 (it is ready to serve as the Service Provider, in other words).
We would like to implement this SSO for our intranet users based on their Active Directory credentials. In other words, they've already logged on to their system, so let's simply use those credentials to facilitate an SSO. I am a little overwhelmed at where to begin, though.
My initial thought is that IIS / Active Directory could easily serve as the Identity Provider since IIS gives us "Integrated Windows Authentication" abilities. I would think we could just create a .NET web app that requires Integrated Authentication which simply extracts the current user ID, builds the SAML response, and re-directs the user back to the Service Provider with this SAML response to complete the SSO.
But then, my problem is that I simply have no real idea of how to go about creating this SAML response, the X.509 certs involved, etc... I am wondering if I am in over my head on this, or if creating this SAML response should be relatively easy.
Note this SSO is to be used by intranet users only, so no need to worry about federating with other companies / domains.
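For reference, the response-building and signing step described in the question looks roughly like this in .NET. This is an added example, not code from any of the posts; it assumes .NET 6 or later with the System.Security.Cryptography.Xml NuGet package, and the class names, URLs, account name and throwaway certificate are constructed for illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;
using static System.Security.SecurityElement;

// SignedXml resolves "#id" references only through Id/id/ID attributes; SAML 1.1 uses ResponseID.
class Saml11SignedXml : SignedXml {
    public Saml11SignedXml(XmlDocument d) : base(d) { }
    public override XmlElement GetIdElement(XmlDocument d, string id) =>
        d.DocumentElement.GetAttribute("ResponseID") == id ? d.DocumentElement : null;
}

static class Saml11Demo {
    static string Ts(DateTime t) => t.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'", CultureInfo.InvariantCulture);
    // user: in the IdP page, the account name IIS established. Every value is XML-escaped before use.
    static string BuildSignedResponse(string user, string issuer, string acsUrl, string audience, X509Certificate2 cert) {
        string now = Ts(DateTime.UtcNow), end = Ts(DateTime.UtcNow.AddMinutes(5)); // short validity window
        string rid = "_" + Guid.NewGuid().ToString("N"), aid = "_" + Guid.NewGuid().ToString("N");
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml($@"<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:1.0:protocol' xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' ResponseID='{rid}' MajorVersion='1' MinorVersion='1' IssueInstant='{now}' Recipient='{Escape(acsUrl)}'>
<samlp:Status><samlp:StatusCode Value='samlp:Success'/></samlp:Status>
<saml:Assertion MajorVersion='1' MinorVersion='1' AssertionID='{aid}' Issuer='{Escape(issuer)}' IssueInstant='{now}'>
<saml:Conditions NotBefore='{now}' NotOnOrAfter='{end}'><saml:AudienceRestrictionCondition><saml:Audience>{Escape(audience)}</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod='urn:oasis:names:tc:SAML:1.0:am:unspecified' AuthenticationInstant='{now}'><saml:Subject>
<saml:NameIdentifier>{Escape(user)}</saml:NameIdentifier>
<saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation>
</saml:Subject></saml:AuthenticationStatement></saml:Assertion></samlp:Response>");
        var sx = new Saml11SignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        sx.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        var reference = new Reference("#" + rid); // sign the whole Response, assertion included
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        sx.AddReference(reference);
        sx.KeyInfo = new KeyInfo();
        sx.KeyInfo.AddClause(new KeyInfoX509Data(cert)); // embeds the public certificate only
        sx.ComputeSignature();
        doc.DocumentElement.PrependChild(doc.ImportNode(sx.GetXml(), true)); // ds:Signature goes first
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(doc.OuterXml)); // SAMLResponse form field value
    }
    static void Main() {
        using var rsa = RSA.Create(2048); // throwaway demo key; a real IdP loads its cert from a protected store
        var req = new CertificateRequest("CN=demo-idp", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        Console.WriteLine(BuildSignedResponse(@"CORP\jdoe", "https://idp.example.test", "https://sp.example.test/acs", "https://sp.example.test", cert));
    }
}
```

The Service Provider must be configured with the matching public certificate, and the page that emits this value should only be reachable after Integrated Windows Authentication has succeeded.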
Another option that you may want to look into is Microsoft's Active Directory Federation Server (ADFS) 2.0.
I wouldn't bother trying to build something SAML compliant. It will take you weeks to use a toolkit and your efforts will probably only handle the one use case. Once you get something custom into place you'll soon realize the rest of your organization needs some type of SAML integration as well (either internally or externally).
The quickest (and IMHO easiest) way (and you'll come out looking like a hero) is to use something like PingFederate from www.pingidentity.com. You can have it up and running in less than a day if you know what you are doing.
Just my $0.02
HTH - Ian