Solved

Identity Provider initiated Sign-on

Posted on 2014-01-21
Last Modified: 2015-09-29
Hi all,

I'm implementing ADFS for a third party service which doesn't support Service Provider initiated sign-on. The sign-on works fine when it is initiated from the IdP (ADFS).

The problem I'm facing is that when doing IdP initiated sign-on we need to expose the list of all third party trusts we have configured on ADFS, and this is not acceptable from a security point of view. Currently the page allows Anonymous authentication. Is there any way of protecting /adfs/ls/IdpInitiatedSignOn.aspx using Windows Authentication, but without impacting any Service Provider initiated sign-on?

A possible solution I thought about is to create a separate ADFS farm, which will be used only for the particular service I require federation to, and which doesn't support SP initiated SSO. The farm will not be accessible from the internet, thus satisfying the security requirement. Is this a viable solution? I could not find anywhere on the internet anything which states that multiple farms are supported by Microsoft. I know they work (because I've implemented a similar solution), but I don't know if such a topology is supported by Microsoft. Any pointer in the right direction?

Thanks
Question by:jimbobrocks
13 Comments
 
LVL 12

Expert Comment

by:piattnd
ID: 39798481
I'm not quite sure what you're asking here.  Can you elaborate a bit more?  Are you saying that by "exposing" you mean showing a dropdown list of the relying party trust name?

I actually created a piece of code that allowed you to hide relying party trusts from the drop down so the user couldn't select them from the list.  We did this so development could put in as many relying parties as they wanted to without having to junk up the list.

Is that what you're looking for?
 

Author Comment

by:jimbobrocks
ID: 39799399
Hi Piattnd,

Yes, by exposing I mean showing the relying party trust name. We already have the page customised to hide the relying party trust, but if we need to support IdP supported sign-on, I assume the end user requires a view which shows all the parties they can use for sign-on.

So my question is: instead of hiding the list, is it possible to protect it via a form of authentication (Windows or Forms authentication), so that the user needs to prove his identity before accessing the list of parties?

Let me know if you need any additional info.
 
LVL 12

Expert Comment

by:piattnd
ID: 39800560
Here's the solution we had setup at my previous place:

Any relying party we did NOT want to appear for user selection in the drop down list at the ADFS IDP selection screen, we appended "--" to the front of the relying party display name.  We had code on the IDP selection screen that would go through each relying party trust and only add them to the dropdown IF they did not contain "--".  We did not hide the dropdown, as we needed users to be able to initiate IDP sign in to certain locations.

I do not have access to the environment anymore to test changing the authentication on that particular page, but my guess is something will not function properly (or at least not satisfactorily).

You are correct that the user will need to have access to the relying party entry in order to launch the application from the ADFS website.

Example of what we had setup:

ADFS Configuration page shows the following relying party trusts (display names):
Website1
--devWebsite2
--devWebsite3
--Website4
Website5

The IDP signon website for ADFS shows a dropdown with the following relying party trusts available for selection:
Website1
Website5

Does that sound like the solution you're looking for?

 
LVL 12

Expert Comment

by:piattnd
ID: 39800569
On a side note, you are indicating that you want the user to "prove their identity" before they get to the relying party screen:

If you are accessing everything internally, there is already authentication taking place.  If you want to change this authentication type, you can create a login form and enable form based authentication, but it will be quite a bit of code to ensure they cannot access any other section of the ADFS website before they authenticate.

In our environment, we wanted our users to NOT be asked for another set of credentials, because they were already logged in, so we told IE to use the current set of credentials when authenticating.  Authentication is still taking place, but it's not something the user can see.  It has its own security flaws, sure, but that was something the company was OK dealing with.
 

Author Comment

by:jimbobrocks
ID: 39802354
Hi Piattnd,

Thanks for your replies. Can you point me in the direction where I can find the code? I think your solution is the correct one, but I don't know how it can be implemented in the code.

Cheers
 
LVL 12

Expert Comment

by:piattnd
ID: 39805155
I'll see if I can find the specific area we changed and get back to you.
 
LVL 12

Expert Comment

by:piattnd
ID: 39812187
I haven't forgotten about this, still waiting for a response from a previous client/friend with the code example I did for them.
 

Author Comment

by:jimbobrocks
ID: 39828475
Thanks Piattnd! Let me know if you can get the code, or at least give me some directions.
 
LVL 12

Expert Comment

by:piattnd
ID: 39829750
I'm working on getting the code file, but I'm pretty sure it's all done in the idpinitiatedsignon.aspx file.  The guy is supposed to send it to me this morning.  Basically, the IDPInitiatedSignOn.aspx file is the page that you see with the drop down list of your relying party trusts.  When you open that file in visual studio express web (2010 preferred), you will see the .CS (code behind) file that handles the actions for the page.

When you did your install for ADFS, did you opt for the SQL database or did you go with the windows internal database?  This particular customer was running with the windows internal, but the concept is in the CS file, you connect to the database and query the list of relying party trusts you've established.  I believe there are 2 values you can retrieve, one being the name of the relying party trust.  That is the value you want to look at and apply your logic for which relying parties you do not want to display to end users.  In my customer's case, we appended "--" to the display name, so anything that started with "--" would not be displayed.  I do recall that we ran into some issues implementing this same code from the front end ADFS server, but that page was only used for SSO requests originating outside our network (meaning the customer was at home trying to use a work resource without VPN).

I should be getting this file today, so hopefully I'll be able to post the entire example of filtering out the relying parties.  Sorry it's taking so long!
 
LVL 12

Accepted Solution

by:
piattnd earned 500 total points
ID: 39830035
** IMPORTANT **  Back up your original site files in case you need to reverse your changes.

In the ASPX file, you have the following bit of code, which is the drop down for the relying party list:

<asp:DropDownList ID="RelyingPartyDropDownList" DataTextField="Name" DataValueField="Id" Visible="False" runat="server"/>


In the .CS file, I added the following to the "Page_Init" method:

    protected void Page_Init( object sender, EventArgs e )
    {
        PopulateConditionalVisibilityControls();

        // RelyingParties is the DataTable the ADFS page exposes; "Name" holds the
        // display name and "Id" the relying party identifier (see the ASPX above).
        foreach (System.Data.DataRow row in RelyingParties.Rows)
        {
            string rpFriendlyName = row["Name"].ToString();
            string rpURL = row["Id"].ToString();

            // Trusts whose display name carries the "--" marker are not offered
            // to the user; every other trust is added to the drop-down.
            // Insert(0, ...) prepends, so the list ends up in reverse table order.
            if (!rpFriendlyName.Contains("--"))
            {
                RelyingPartyDropDownList.Items.Insert(0, new ListItem(rpFriendlyName, rpURL));
            }
        }

        UpdateText();
    }


The code checks for the presence of "--", but you can change this to whatever characters you want to check for.  If you have more than 1 ADFS server, you'll want to make sure you update the ASPX and CS files on each server so they use the same logic.

Let me know if you have any questions.  And please, back up those files prior to changes :)
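As an added example (not part of piattnd's answer or of the ADFS code base), the same "--" convention as a stand-alone C# console program: it filters a constructed DataTable shaped like the RelyingParties table the code-behind exposes (columns "Name" and "Id", the display names from the post above are the sample data) and keeps the surviving entries in table order. It uses a StartsWith prefix test rather than Contains, so a display name that merely contains "--" somewhere in the middle is not hidden by accident.

```csharp
// Added example, not from the original answer: reproduces the "--" hidden-marker
// filter against a constructed DataTable with the "Name" and "Id" columns used
// by the ADFS 2.0 IdpInitiatedSignOn code-behind.
using System;
using System.Collections.Generic;
using System.Data;

public static class RelyingPartyFilter
{
    // Convention from the answer: display names beginning with "--" are not
    // offered in the IdP-initiated sign-on drop-down.
    const string HiddenPrefix = "--";

    // Returns (display name, identifier) pairs in original table order,
    // skipping any trust whose display name carries the hidden marker.
    public static List<KeyValuePair<string, string>> VisibleRelyingParties(DataTable relyingParties)
    {
        var visible = new List<KeyValuePair<string, string>>();
        foreach (DataRow row in relyingParties.Rows)
        {
            string name = Convert.ToString(row["Name"]) ?? string.Empty;
            string id = Convert.ToString(row["Id"]) ?? string.Empty;
            // StartsWith, not Contains: a name such as "Payroll -- HR" stays visible.
            if (name.StartsWith(HiddenPrefix, StringComparison.Ordinal))
                continue;
            visible.Add(new KeyValuePair<string, string>(name, id));
        }
        return visible;
    }

    // Constructed sample data matching the display names listed in the answer;
    // the identifiers are made-up placeholders.
    public static DataTable SampleTable()
    {
        var table = new DataTable("RelyingParties");
        table.Columns.Add("Name", typeof(string));
        table.Columns.Add("Id", typeof(string));
        string[] names = { "Website1", "--devWebsite2", "--devWebsite3", "--Website4", "Website5" };
        foreach (string n in names)
            table.Rows.Add(n, "urn:example:" + n.TrimStart('-').ToLowerInvariant());
        return table;
    }

    public static void Main()
    {
        foreach (var rp in VisibleRelyingParties(SampleTable()))
            Console.WriteLine(rp.Key + " -> " + rp.Value);
    }
}
```

Hiding an entry from the drop-down only tidies the list; whether a given user may sign on to a relying party is still decided by that trust's issuance authorization rules, so those remain the control to rely on.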
 
LVL 12

Expert Comment

by:piattnd
ID: 39830056
Also, changes to the ASPX and CS file will NOT impact the ability for ADFS to process SSO requests, though the website portion will be down so users would not be able to go to the ADFS page and initiate an IDP sign on.
 
LVL 12

Expert Comment

by:piattnd
ID: 39913432
Were you able to implement or test this?
 

Expert Comment

by:netjammer
ID: 41016217
Hi piattnd,

Was the code edit solution you implemented performed on ADFS 2.0 or 3.0?

Thanks,
netjammer
