
Implementing Single Sign on using ADFS

I am new to the ADFS/SSO world and currently working on a feature to implement Single Sign-On (SSO) using AD FS for our Java-based web application and Windows native agent.

Below are our requirements:

  1. Users should be logged in automatically (without being asked for a username/password) to our Windows agent if they have logged into their system using their domain credentials.
  2. The solution should work even if they are outside the corporate network.

I have been reading on the Internet, but things are still confusing. I have the following questions:

  1. Will Kerberos-based authentication suit my requirements?
  2. Can it be integrated with AD FS, so that the solution will work even if the user is not in the corporate network?
  3. Or are there any other solutions? Our product is Java-based and uses the Spring framework.

Thanks in Advance, Praveen

> Users should be logged in automatically

This will work if the browser is correctly configured for IWA.

> The solution should work even if they are outside the corporate network

No. Kerberos won't work, so you have to use FBA.

> Can it be integrated with AD FS, so that the solution will work even if the user is not in the corporate network?

Yes, but you need to install the ADFS WAP as well. Use split DNS: internal users are directed to ADFS (IWA), external users are directed to the WAP (FBA).

> Our product is Java-based and uses the Spring framework

Use Spring SAML.

For desktop, you have a problem. SAML relies on browser redirects, so you need an embedded browser or something similar. You could use OpenID Connect / OAuth (REST API), but you have tagged the question with ADFS 2.0, which has no such support.

In the Windows world (WPF, console via C# etc.), desktop connects to ADFS via WCF.

Actually, in ADFS 2016, with Windows 10 domain-joined devices, they can also be Azure AD registered. With device write-back of this, there is an SSO artifact from ADFS that is integrated into the Windows 10 desktop login. In this world, you will also get desktop SSO from the extranet.

For your Java app, you should use spring-webmvc-pac4j for Spring MVC or j2e-pac4j with plain Java EE filters (or at worst spring-security-pac4j with Spring Security), plus pac4j-saml for ADFS, pac4j-oauth if you want to use the OAuth protocol, and pac4j-oidc if you want to use the OpenID Connect protocol.

Using pac4j will be much easier and more consistent for supporting multiple protocols.
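Whichever SP library the answers above suggest (Spring SAML or pac4j-saml), its ADFS configuration needs the same three values from the AD FS federation metadata: the IdP entity ID, the SingleSignOnService URL for the binding you use, and the token-signing certificate that assertions must be verified against. The script below is an added example, not code from the question or from any of the answers or libraries they mention. It parses a constructed, trimmed stand-in for `https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml` (the hostname `adfs.example.com` and the base64 certificate value are placeholders, not a real ADFS farm or certificate) and pins the signing certificate by SHA-256 fingerprint so a token signed by any other key is rejected.

```python
"""Extract what a SAML 2.0 SP needs from AD FS federation metadata and pin
the IdP token-signing certificate.

Added example. SAMPLE_METADATA is a constructed, cut-down copy of the shape
AD FS publishes; the X509Certificate value is placeholder base64, not a real
certificate, and adfs.example.com is an assumed hostname.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample. Real AD FS metadata also carries WS-Federation
# RoleDescriptors and a KeyDescriptor use="encryption"; the SAML SP only
# needs the IDPSSODescriptor part shown here.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            QURGUyBzaWduaW5nIGNlcnQgcGxhY2Vob2xkZXIgYnl0ZXM=
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity ID, SSO endpoints keyed by binding, NameID formats and
    the base64 DER of every certificate usable for signing."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not SAML 2.0 IdP metadata")

    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall(f"{{{MD}}}SingleSignOnService")}

    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # AD FS publishes separate signing and encryption keys. Only the
        # signing key may verify assertions; a KeyDescriptor with no "use"
        # attribute is valid for both per the metadata spec.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            # PEM-style line wrapping inside the element is common; normalise
            # to a single base64 string before decoding or comparing.
            certs.append("".join((cert.text or "").split()))

    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_certs": certs,
        "name_id_formats": [n.text for n in idp.findall(f"{{{MD}}}NameIDFormat")],
    }


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes, the usual form for pinning a signer."""
    return hashlib.sha256(base64.b64decode(b64_der)).hexdigest()


def signing_fingerprints(meta: dict) -> set:
    return {cert_fingerprint(c) for c in meta["signing_certs"]}


def is_trusted_signer(meta: dict, der_cert: bytes) -> bool:
    """True only if the certificate that signed a response is one of the
    signing certificates published in the metadata we trust."""
    return hashlib.sha256(der_cert).hexdigest() in signing_fingerprints(meta)


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entityID      :", meta["entity_id"])
    print("SSO URL (POST)    :", meta["sso"][BINDING_POST])
    print("SSO URL (Redirect):", meta["sso"][BINDING_REDIRECT])
    print("NameID formats    :", meta["name_id_formats"])
    for fp in sorted(signing_fingerprints(meta)):
        print("pinned signer sha256:", fp)
```

Two caveats worth carrying into the real configuration. First, fetch the metadata over TLS from the farm itself (or through the WAP when you configure the extranet) and pin the fingerprints you extract; AD FS rolls the token-signing certificate automatically, so re-read the metadata on a schedule rather than hard-coding one certificate forever. Second, AD FS's default entity ID is an `http:` URI even though every endpoint is `https:`; it is an opaque identifier compared as an exact string against the assertion's `Issuer`, so do not "correct" it to `https:` in the SP configuration.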

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any question please contact: yoyou2525@163.com.
