I am developing a Portal Style application(using asp.net/mvc) which will have links to other applications. I am thinking of using ADFS and a backing AD for authentication. I want to enable single sign on for the portal and these individual applications. These individual applications (some and Java and one in ruby) will trust ADFS and can receive SAML tokens for authentication.
The users would have to login to this portal application, the links to the other applications in the portal would work seamlessly since the user has already logged into the portal. In essence my portal is the Identity Provider. Is this sc开发者_JAVA技巧enario possible with ADFS?
Yes, this is possible. However, the terminology in your question is not completely correct: your portal application won't be the identity provider, but AD FS.
What would happen is the following:
- User browses to portal application.
- The portal application redirects to AD FS.
- User authenticates to AD FS, either silently or interactively, using Forms or NTLM or something else, against AD. AD FS is the IP/STS, i.e., the identity provider. This action is the single sign-on. In response AD FS sends back an 'AD FS cookie' to the browser.
- AD FS also redirects back to the portal application with a security token.
- The portal application sends its home page to the browser, together with a 'portal cookie'. As part of this home page it sends the 'home page' of application X to the browser.
Now history mostly repeats itself, point for point:
- The browser retrieves the application X home page.
- Application X redirects to AD FS.
- The browser sends the 'AD FS cookie' to AD FS, which proves the user's identity to AD FS. No sign-on occurs at this point.
- AD FS redirects back to application X with a new security token.
- Application X sends its 'home page' to the browser, together with an 'app X cookie'.
When a return visit is made to the portal application, or to application X, then the browser sends the 'portal cookie', or the 'app X cookie'. The application recognizes the cookie, and does not redirect the browser to AD FS anymore. So the conversations with AD FS only happen on application start-up, one for each application.
精彩评论