Can WSO2 IS offer an ADFS-compatible IDP? - wso2

Can WSO2 IS offer an ADFS-compatible IDP for federation of 3rd-party apps requiring ADFS, without actually using Active Directory or Active Directory tools?

WSO2 is an IDP. ADFS is an IDP. By ADFS-compatible, you mean that it supports the same protocols ADFS supports, i.e.
WS-Fed
SAML
OpenID Connect
It can, so in that sense it's ADFS-compatible.
Is there a specific ADFS function that you require?

Related

WSO2 IS Single Sign-On with OpenID Connect

I need to implement SSO with OpenID Connect in WSO2 IS 5.3.0.
All the documentation and articles dealing with SSO refer to SAML.
I have read in the "Thirty Solution Patterns with the WSO2 Identity Server" that the solution is "In each service provider, configure WSO2 Identity Server as a trusted identity provider".
How can I do that?

SSO to Apps on AWS

Can someone help me with my understanding?
So I understand how one can use ADFS and SAML to provide SSO access to the Console via IAM. However, I'm not as clear on how this can be done at the application level.
So take MS Dynamics as an example. It will be on an EC2 instance which is on a domain controller hosted in the VPC (for mgmt etc.). However, the users themselves will be in an on-prem AD server, and we'd want to authenticate users accessing the Dynamics web front end with that on-prem AD server. Is this as simple as setting up ADFS between the two sites and configuring the app itself to use ADFS / SAML for claims-based authentication?
For application-level support, it depends on the ability of the app to support claims-based/SAML authentication. CRM supports ADFS configuration. You have one of two choices:
1. You can hook it up directly to your on-premises ADFS if it is really about just providing access to your corporate employees. If it requires partner access, that ADFS can still federate to other ADFS/IDP organizations.
2. You can set one up in AWS next to or on the DC that it has and treat it as a Federation Provider, and then set up a trust to the corporate ADFS where the users live.
I'd recommend #1 as it is simpler. Go with #2 only if you are operating this as a different company or you are building multiple server apps in this AWS site that require local ADFS for things like server to server communication.
Thanks
//Sam

WSO2 Identity Server - Federated SAML using WSO2 as Proxy Server?

Could you please clarify whether there is a chance to interconnect a WSO2 Identity Server with an existing corporate IdP using SAML as the federated connection mechanism. What exactly needs to be configured to unify the realm and proxy the authentication with the external IDP?
Thanks in advance for your support.
If you use WSO2 IS as a proxy or a federation bus, then you need to register your IDP and service provider in WSO2 IS, and in your IDP you should register WSO2 IS as a service provider.
If you use WSO2 IS as your service provider, you need to register your existing IDP in WSO2 IS as an IDP, and WSO2 as a service provider on your IDP side.
You can follow this document for more information.
Thanks!

SAML Identity Provider with a WS-Federation Service Provider

How easy or difficult is it for a SAML Identity Provider to work with a WS-Federation Service Provider? Are there tools that will allow a SAML IDP to work with any Service Provider despite the technology used?
Which side will have the most effort?
Thank you!
If each IDP only supports that protocol, then no.
Most IDPs, e.g. ADFS, support both so can act as a bridge.
Update:
ADFS sits in the middle as a broker. It can talk SAML to SAML sites and WS-Fed to WS-Fed sites.
So you now have three STS: SAML, WS-Fed and ADFS. ADFS essentially translates between the two.
The only "tools" that are available are the stacks for SAML and WS-Fed, e.g.
WIF for WS-Fed
SAML : SAML connectivity / toolkit

SAML IDP and SP at the same time with IS 4.6.0

Can I configure WSO2 Identity Server 4.6.0 as an IDP for my own SAML applications and, at the same time, configure IS as a SAML service provider to an external IDP?
I would like to achieve the following:
The user accesses my own SAML SP, which sends an AuthnRequest to my local WSO2 IDP, which in turn forwards the user to the external IDP for authentication. After authentication with the external IDP, the user returns to my own SAML SP application.
The scenario seems only possible with WSO2 IS 5.0.0 and the new "identity bus" feature.
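The broker pattern that runs through the answers above (the "identity bus" that is registered as a service provider at the upstream IdP and as an IdP by the applications, ADFS translating between WS-Fed and SAML sites, and the chained SP -> local IdP -> external IdP -> SP flow in this last question) is easiest to see as a concrete message exchange. The following is an added example written for this page; it is not code from WSO2, ADFS or any of the posters. It goes a little beyond the question by accepting both WS-Federation and SAML sign-in requests on the application side, so the same broker covers the WS-Fed/SAML bridging answer and the pure SAML chaining scenario. Everything in it is assumed: the entity IDs, user names, function and class names, and the error messages are constructed, messages are passed as plain XML rather than through the HTTP-Redirect/POST bindings, and XML signatures and assertion validity windows are left out, so this shows the correlation logic of a broker, not a deployable one.

```python
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
UPSTREAM_IDP = "https://idp.example.test/saml"   # constructed entity IDs, not real endpoints
BROKER = "https://broker.example.test/saml"      # the WSO2 IS / ADFS role in the middle
# Messages are passed as plain XML here; a real deployment wraps them in the HTTP-Redirect
# (DEFLATE + base64) or HTTP-POST (base64) binding and signs them.

def build_authn_request(issuer: str, destination: str) -> tuple[str, str]:
    """Return (request ID, AuthnRequest XML); the IdP echoes the ID in InResponseTo."""
    rid = "_" + secrets.token_hex(16)
    return rid, (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{rid}" '
                 f'Version="2.0" Destination="{destination}"><saml:Issuer>{issuer}</saml:Issuer>'
                 f'</samlp:AuthnRequest>')

def make_assertion(issuer: str, name_id: str, audience: str) -> str:
    # Unsigned and without a validity window: signing and NotOnOrAfter are assumed elsewhere.
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_{secrets.token_hex(8)}" Version="2.0">'
            f'<saml:Issuer>{issuer}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            f'</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>')

def make_response(issuer: str, in_response_to: str, name_id: str, audience: str) -> str:
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{secrets.token_hex(8)}" '
            f'Version="2.0" InResponseTo="{in_response_to}">{make_assertion(issuer, name_id, audience)}'
            f'</samlp:Response>')

def parse_response(xml_text: str) -> tuple[str, str, str]:
    """Return (InResponseTo, NameID, Audience) from a samlp:Response."""
    root = ET.fromstring(xml_text)
    return (root.attrib.get("InResponseTo", ""), root.find(f".//{{{SAML}}}NameID").text,
            root.find(f".//{{{SAML}}}Audience").text)

@dataclass
class Pending:
    protocol: str        # "wsfed" or "saml": the protocol the SP used towards the broker
    sp_id: str           # wtrealm or SP entity ID; becomes the audience of the re-issued token
    sp_request_id: str   # SAML request ID to echo in InResponseTo ("" for WS-Fed)
    context: str         # wctx / RelayState, handed back to the SP verbatim

class FederationBroker:
    def __init__(self) -> None:
        self.pending: dict[str, Pending] = {}   # our outbound request ID -> originating SP state

    def handle_sp_request(self, params: dict) -> dict:
        """Inbound leg: accept a WS-Fed or SAML sign-in, emit the broker's own AuthnRequest upstream."""
        if params.get("wa") == "wsignin1.0":
            p = Pending("wsfed", params["wtrealm"], "", params.get("wctx", ""))
        elif "SAMLRequest" in params:
            req = ET.fromstring(params["SAMLRequest"])
            p = Pending("saml", req.find(f"{{{SAML}}}Issuer").text, req.attrib["ID"], params.get("RelayState", ""))
        else:
            raise ValueError("unrecognised sign-in request")
        rid, xml = build_authn_request(BROKER, UPSTREAM_IDP)
        self.pending[rid] = p
        return {"SAMLRequest": xml}

    def handle_idp_response(self, response_xml: str) -> dict:
        """Return leg: check correlation and audience, then re-issue in the SP's own protocol."""
        in_response_to, name_id, audience = parse_response(response_xml)
        p = self.pending.pop(in_response_to, None)   # one-time use: a replayed response finds nothing
        if p is None:
            raise ValueError("unsolicited or replayed response")
        if audience != BROKER:
            raise ValueError("assertion was not issued to this broker")
        if p.protocol == "wsfed":
            token = (f'<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
                     f'<t:RequestedSecurityToken>{make_assertion(BROKER, name_id, p.sp_id)}'
                     f'</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>')
            return {"wa": "wsignin1.0", "wresult": token, "wctx": p.context}
        return {"SAMLResponse": make_response(BROKER, p.sp_request_id, name_id, p.sp_id),
                "RelayState": p.context}

def upstream_idp(params: dict, authenticated_user: str) -> str:
    """Constructed stand-in for the external IdP, after it has authenticated the user itself."""
    req = ET.fromstring(params["SAMLRequest"])
    return make_response(UPSTREAM_IDP, req.attrib["ID"], authenticated_user, req.find(f"{{{SAML}}}Issuer").text)

def run_flow(sp_params: dict, user: str = "alice@example.test") -> dict:
    """One full round trip: SP -> broker -> upstream IdP -> broker -> SP."""
    broker = FederationBroker()
    return broker.handle_idp_response(upstream_idp(broker.handle_sp_request(sp_params), user))

def replay_is_rejected() -> bool:
    """A second delivery of the same upstream response must be refused by the broker."""
    broker = FederationBroker()
    resp = upstream_idp(broker.handle_sp_request({"wa": "wsignin1.0", "wtrealm": "https://app.example.test/"}), "bob@example.test")
    broker.handle_idp_response(resp)
    try:
        broker.handle_idp_response(resp)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(run_flow({"wa": "wsignin1.0", "wtrealm": "https://app.example.test/", "wctx": "ctx-1"}))
    print("replay rejected:", replay_is_rejected())
```

Two details carry the security of the pattern. The broker never reuses the application's request ID upstream: it mints its own, stores the application's state under it, and matches the upstream response on InResponseTo, popping the entry so a second delivery of the same response is refused. And it checks that the upstream assertion's Audience is the broker itself before issuing a fresh token whose audience is the application, which is exactly the double registration the proxy answer above describes: the broker is a service provider at the external IdP and an identity provider to the application.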