寻找 LDAP (v3) 到 SAML 消息转换器或桥

Question

I have an authentication/authorization server that currently uses a local ADAM instance to hold the authentication and authorization information for use by a Service Provider (SP).

What I want to do is change from the ADAM instance to a remote ADFS for authentication and authorization. The remote ADFS talks SAML but the Service Provider (SP) only talks with LDAP (and I cannot change the SP to talk SAML).

This suggests that I need to provide a LDAP to SAML converter (or bridge) to produce SAML messages from the SP's incoming LDAP authentication and authorization requests.

Currently it's like this:

          LDAP
  SP <------------> Authentication Server

I want it to look like this:

          LDAP                                                   SAML
  SP <------------> Authentication Server w/LDAP/SAML bridge <------------> ADFS

So essentially the current authentication server will cease to authenticate itself and will merely act as a "proxy" for passing on authentication/authorization requests and relaying responses back to the SP.

Is this possible? Does anyone have experience with this sort of effort? Are there any tools on the Net that could perform this bridge functionality?

The current authentication/authorization server runs on gasp Windows 2003 but I do have the option of porting it to a newer version of Windows Server.

I have tried using OneLogin with the SAML toolkit/Flask websever, and writing my own Python module for handling the SP's requests but I'm getting bogged down with that code (and exposing my own Python limitations)

I also tried SimpleSAMLphp but determined that the LDAP stuff they support is for the IDP side rather than the SP side. The system performs SP-side initiatation.

Answer 1

Have you considered using ADFS to LDAP directly?

Your application would then use ADAL / MSAL to connect.