Identity Provider initiated Sign-on
Posted on 2014-01-21
I'm implementing ADFS for a third party service which doesn't support Service Provider initiated sign on. The sign-on works fine when is initiated from the IdP (ADFS).
The problem I'm facing is that when doing IdP initiated sign-on we need to expose the list of all third party trusts we have configured on ADFS, and this is not acceptable from a security point of view. Currently the page allows Anonymous authentication. Is there any way of protecting /adfs/ls/IdpInitiatedSignOn.aspx using Windows Authentication, but without impacting any Service Provider initiated sign-on?
A possible solution I thought about is to create a separate ADFS farm, which will only be used only for the particular service I require federation too, and which doesn't support SP initiated SSO.The farm will not be accessible from the internet, so satisfy the security requirement. Is this a viable solution? I could not find anywhere on the internet, anything which states that multiple farms are supported by Microsoft. I know they work (because I've implemented a similar solution), but I don't know if such topology is supported by Microsoft. Any pointer in the right direction?