
AD FS 2.0 with PingIdentity / AppFabric Labs ACS

This may be a simple question; I'm really just looking for someone who has implemented this. I've got AppFabric Labs v2 currently working with an AD FS 2.0 server with Active Directory. That's all fine, and then this links to AppFabric and routes round to my .NET app (relying party).

My question is simple - how do I get PingIdentity to work with AppFabric and come up as an STS provider? I've tried importing the XML metadata from the PingIdentity admin system with no joy.

Is the common route for people to attach their AD FS 2.0 server to AppFabric and then attach PingIdentity to their AD FS 2.0 server as a claims provider?

What happened when you imported the metadata into ACS? Can you provide more details of what's not working?

Regarding:

Is the common route for people to attach their AD FS 2.0 server to AppFabric and then attach PingIdentity to their AD FS 2.0 server as a claims provider?

Either way could work. ACS is still "labs" so not many production systems have gone live, so in terms of actual cases, you will find more ADFS<->Ping. But, again, either would work and this is one of those "it depends". I'm assuming your PingIdentity STS is an "Identity Provider" (meaning that it authenticates users), so in general it would be the last STS in the chain.

Some questions you need to ask yourself for making a decision:

  • How much would you need to transform the claims issued by Ping? How powerful of a claims transformation capability do you need? (ADFS has more powerful claims transformation capabilities than ACS)
  • What protocols does the Ping STS enable? (WS-Fed? SAMLP? ADFS supports SAMLP, ACS not yet)
  • Who owns this STS (you, a partner)? How much control do you have over each?
  • Which is the platform you are more comfortable managing? Which one would you like to "leave alone" as much as possible?

Also, you marked this question as "answered" but it seems related to this one.

PingFed supports WS-Federation for Passive Requester Profile (as well as SAML 1.0/1.1 and 2.0) OOTB as well as SAML 1.1 and 2.0 for Active Profile use cases (both as IDP and SP for Active and Passive). I believe ACS does not support SAML 2.0 for PRP but it does support WS-Federation. I think ACS does support SAML 2.0 tokens for Active Requester Profile only.

It shouldn't be that hard to swap out an IDP Endpoint in ACS but I've never looked at how that is accomplished.

HTH -- Ian
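The answers above turn on two questions: which protocols (WS-Fed, SAMLP) an STS advertises, and why its metadata might not import into ACS. The following is an added example, not code from the thread or from PingIdentity/Microsoft: a small parser that reports the roles, protocols, endpoints and signing keys a federation metadata document advertises, run against a constructed sample document (the entityID, URLs and certificate are placeholders).

```python
import xml.etree.ElementTree as ET
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample (not from any real STS): a SAML 2.0 IdP role plus a WS-Federation STS role.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.test/idp"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>MIIB-PLACEHOLDER</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/SSO.saml2"/>
  </md:IDPSSODescriptor>
  <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference><wsa:Address>https://idp.example.test/prp.wsf</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </md:RoleDescriptor>
</md:EntityDescriptor>"""

def inspect_metadata(xml_text):
    """Summarise the roles, protocols, endpoints and signing keys an STS advertises."""
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "roles": [], "saml2_sso": [],
              "wsfed_passive": [], "signing_certs": 0}
    for role in root.findall("md:IDPSSODescriptor", NS):  # SAML 2.0 IdP role
        report["roles"].append(("IDPSSODescriptor", role.get("protocolSupportEnumeration", "").split()))
        report["saml2_sso"] += [(s.get("Binding"), s.get("Location"))
                                for s in role.findall("md:SingleSignOnService", NS)]
    for role in root.findall("md:RoleDescriptor", NS):  # WS-Federation roles (e.g. fed:SecurityTokenServiceType)
        report["roles"].append((role.get(XSI_TYPE, "RoleDescriptor"), role.get("protocolSupportEnumeration", "").split()))
        report["wsfed_passive"] += [a.text for a in role.findall(
            "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)]
    # A consumer such as ACS or ADFS needs at least one signing certificate to validate issued tokens.
    report["signing_certs"] = len(root.findall(
        ".//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Certificate", NS))
    return report

def import_problems(report):
    """Reasons a WS-Federation consumer such as ACS would reject this metadata as an identity provider."""
    problems = []
    if not report["wsfed_passive"]:
        problems.append("no WS-Federation passive requestor endpoint (only SAMLP advertised?)")
    if report["signing_certs"] == 0:
        problems.append("no signing certificate in metadata")
    return problems
```

Run `inspect_metadata` on the metadata exported from the Ping admin console; if `import_problems` reports no passive requestor endpoint, the STS is only advertising SAMLP, which ACS did not accept at the time of this thread.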
