I'm configuring an ADFS server and am trying to achieve user-friendly sign-on for our relying party applications.
Currently there are two relevant options as far as I know:
My question here is, is it possible to satisfy these requirements:
Generically speaking, there is no programmatic way of detecting if the user is on the domain or not from a website. Because the moment your site is configured with Windows Auth (and Anonymous disabled), an NTLM challenge is sent to the browser and the credentials prompt pops up if you are not in the domain.
The way you achieve that is with DNS, and that's what ADFS recommends by introducing the proxy role. You will have the internal DNS resolving login.yourcompany.com to the internal ADFS which has Windows auth enabled, and the external DNS resolving login.yourcompany.com to the proxy ADFS role which has forms auth enabled. So you need another server hosted on the DMZ so users outside the network/domain can reach it.
There is no way to do this with a single ADFS server unless you do some hack (i.e. not supported), having an artificial website on the same ADFS server bound to the external IP, and that website has a redirect to "/adfs/ls/forms".
More info about the proxy and its setup: http://blogs.technet.com/b/askds/archive/2012/01/05/understanding-the-ad-fs-2-0-proxy.aspx
Matias
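A practical way to verify that the split-DNS design above is actually in place is to probe the sign-in endpoint from each vantage point and confirm that the internal name lands on a Windows-auth (Negotiate/NTLM challenge) endpoint and the external name on a forms-auth page. The following script is an added example, not code from the question or from Matias's answer; the hostname login.yourcompany.com, the path /adfs/ls/ and the "internal"/"external" labels are assumptions for illustration.

```python
# Added example (not from the question or the answer above): classify what kind
# of AD FS sign-in an endpoint offers and check it against the split-DNS design.
# Hostname, path and vantage labels are assumptions for illustration.
import http.client
import socket
import ssl
from dataclasses import dataclass, field


@dataclass
class Probe:
    """What was observed when requesting the AD FS sign-in endpoint."""
    resolved_ip: str
    status: int
    www_authenticate: list = field(default_factory=list)  # all WWW-Authenticate values
    location: str = ""
    body: str = ""


def auth_schemes(values):
    """Return the lower-cased auth schemes offered across WWW-Authenticate headers."""
    schemes = set()
    for value in values:
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0]
            if token:
                schemes.add(token.lower())
    return schemes


def classify_auth(probe):
    """Map an observed response to the sign-in experience a user would get.

    'integrated' -> 401 with a Negotiate/NTLM challenge (internal AD FS, Windows auth)
    'forms'      -> 200 page carrying an HTML form (proxy role, forms auth)
    'redirect'   -> 3xx pointing at /adfs/ls/ (e.g. the unsupported single-server hack)
    'unknown'    -> anything else
    """
    schemes = auth_schemes(probe.www_authenticate)
    if probe.status == 401 and schemes & {"negotiate", "ntlm"}:
        return "integrated"
    if probe.status == 200 and "<form" in probe.body.lower():
        return "forms"
    if probe.status in (301, 302, 307) and "/adfs/ls/" in probe.location.lower():
        return "redirect"
    return "unknown"


# What split DNS is supposed to deliver from each vantage point (assumed labels).
EXPECTED = {"internal": "integrated", "external": "forms"}


def check_vantage(vantage, probe):
    """True when the observed auth mode matches what split DNS should deliver."""
    return classify_auth(probe) == EXPECTED[vantage]


def probe_endpoint(host, path="/adfs/ls/", timeout=10):
    """Perform a real HTTPS request (needs network) and package the result as a Probe."""
    ip = socket.gethostbyname(host)  # which record this vantage's DNS hands out
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=ssl.create_default_context())
    # Ask for HTML so a forms-auth endpoint returns its sign-in page.
    conn.request("GET", path, headers={"Accept": "text/html"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    probe = Probe(resolved_ip=ip, status=resp.status,
                  www_authenticate=resp.msg.get_all("WWW-Authenticate") or [],
                  location=resp.getheader("Location", ""), body=body)
    conn.close()
    return probe


if __name__ == "__main__":
    import sys
    vantage = sys.argv[1] if len(sys.argv) > 1 else "internal"
    p = probe_endpoint("login.yourcompany.com")  # assumed hostname
    print(p.resolved_ip, p.status, classify_auth(p),
          "OK" if check_vantage(vantage, p) else "MISMATCH")
```

Run it once from a domain-joined machine (`python probe.py internal`) and once from outside (`python probe.py external`); a MISMATCH on the internal side usually means the internal zone is still resolving the name to the proxy, and a MISMATCH on the external side means the external record points at the Windows-auth server, which is exactly the credentials-prompt symptom described above.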
You might find this interesting: forms authentication or integrated authentication can be selected based on the user-agent string reported by the browser: https://blogs.ncl.ac.uk/isg/?p=296