...
- Add the ADFS metadata to the Shibboleth IdP: https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml
- (IdPv2 only) Add http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password as an authentication method in handler.xml
- Add an allow rule to attribute-filter.xml to release a username identifier. In this example, uid is used (urn:oid:0.9.2342.19200300.100.1.1)
- Add your Shibboleth IdP as a Claims Provider to ADFS with PowerShell
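As an added example (not code from the original guide), the following registers the Shibboleth IdP as a Claims Provider Trust in AD FS from its metadata URL and then checks that the trust exists. The metadata URL https://idp.example.com/idp/shibboleth is the EntityID used elsewhere in this guide, and the display name "Shibboleth IdP" is an assumed, arbitrary choice; run it in an elevated PowerShell session on an AD FS server.

```powershell
# Added example, not part of the original guide.
# Assumptions: the IdP publishes its metadata at its EntityID URL (as in this guide)
# and "Shibboleth IdP" is the display name we choose for the trust.
Import-Module ADFS

$idpMetadataUrl = 'https://idp.example.com/idp/shibboleth'   # assumed metadata/EntityID URL
$cpName         = 'Shibboleth IdP'                            # assumed display name

# Create the Claims Provider Trust from the IdP's SAML metadata.
# MonitoringEnabled/AutoUpdateEnabled make AD FS poll the metadata, so an IdP
# certificate rollover published in the metadata is picked up automatically.
Add-AdfsClaimsProviderTrust -Name $cpName `
    -MetadataUrl $idpMetadataUrl `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true

# Verify: the trust should exist and its identifier should be the IdP's EntityID.
$trust = Get-AdfsClaimsProviderTrust -Name $cpName
if (-not $trust) { throw "Claims Provider Trust '$cpName' was not created" }
if ($trust.Identifier -notcontains $idpMetadataUrl) {
    Write-Warning "Identifier is '$($trust.Identifier -join ', ')'; expected '$idpMetadataUrl'"
}
```

If the IdP does not serve its metadata over HTTPS at a reachable URL, replace -MetadataUrl with -MetadataFile and point it at a locally saved copy of the IdP metadata.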
...
- (OPTIONAL) When landing on ADFS, the user is presented with the option to authenticate with either AD or Shibboleth. Only one of the approaches below is needed.
  - Cookie Enforcement
    - To automatically select Shibboleth over AD, insert (or overwrite) a cookie in the incoming HTTP request whose value is the Base64 encoding of the Shibboleth IdP's EntityID.
    - This is done in a load balancer or proxy that performs man-in-the-middle for SSL.
    - That is, it decrypts the request, performs the manipulation, and re-encrypts it for the backend.
    - There are many types of load balancer/proxy; this article will not go into their configuration. Search Google for terms like "ssl offloading" and "set header/cookie" together with the name of your load balancer/proxy.
    - Key: "MSISIPSelectionPersistent"
    - Value: "aHR0cHM6Ly9pZHAuZXhhbXBsZS5jb20vaWRwL3NoaWJib2xldGg=" (e.g. echo -n https://idp.example.com/idp/shibboleth | base64)
    - There has recently been a bug with some mobile apps sending a query string that makes ADFS confused by Shibboleth's answer.
    - If the HTTP query contains "wauth=http://schemas.microsoft.com/ws/", set ADFS as the login provider instead:
      - Key: "MSISIPSelectionPersistent"
      - Value: "aHR0cHM6Ly9hZGZzLmV4YW1wbGUuY29tL2FkZnMvc2VydmljZXMvdHJ1c3Q=" (e.g. echo -n https://adfs.example.com/adfs/services/trust | base64)
  - Per Relying-Party enforcement
    - You can specify which Claims Provider a Relying Party must use (if nothing is set, the user is asked to select from the full list of providers).
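The two enforcement options above, as an added example that is not code from the original guide. Option A expresses the proxy's cookie rule (default to Shibboleth, switch to ADFS when the query carries a wauth value under http://schemas.microsoft.com/ws/) as a PowerShell function so its output can be checked against the Base64 values quoted in the guide; a real proxy applies the same rule in its own configuration language. Option B is the per-Relying-Party enforcement with Set-AdfsRelyingPartyTrust. The two EntityIDs come from the guide; the Relying Party name "Example Relying Party", the Claims Provider display name "Shibboleth IdP" and the sample query strings are assumptions constructed for the example.

```powershell
# Added example, not part of the original guide. Pick ONE of the two options.
Add-Type -AssemblyName System.Web     # for HttpUtility.ParseQueryString

$ShibbolethEntityId = 'https://idp.example.com/idp/shibboleth'         # from the guide
$AdfsEntityId       = 'https://adfs.example.com/adfs/services/trust'   # from the guide

function ConvertTo-Base64Utf8 ([string]$Text) {
    # Same transformation as `echo -n <value> | base64`
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
}

# ---- Option A: cookie enforcement (the rule the SSL-offloading proxy applies) ----
# Returns the "name=value" pair the proxy should insert (or overwrite) in the
# request's Cookie header. Default: Shibboleth. Exception: a wauth parameter
# starting with http://schemas.microsoft.com/ws/ (the mobile-app case) selects ADFS.
function Get-ClaimsProviderCookie ([string]$QueryString) {
    $selected = $ShibbolethEntityId
    $query    = [System.Web.HttpUtility]::ParseQueryString($QueryString.TrimStart('?'))
    $wauth    = $query['wauth']
    if ($wauth -and $wauth.StartsWith('http://schemas.microsoft.com/ws/')) {
        $selected = $AdfsEntityId
    }
    return "MSISIPSelectionPersistent=$(ConvertTo-Base64Utf8 $selected)"
}

# Self-check against the encoded values quoted in the guide (query strings are constructed).
$expectShib = 'MSISIPSelectionPersistent=aHR0cHM6Ly9pZHAuZXhhbXBsZS5jb20vaWRwL3NoaWJib2xldGg='
$expectAdfs = 'MSISIPSelectionPersistent=aHR0cHM6Ly9hZGZzLmV4YW1wbGUuY29tL2FkZnMvc2VydmljZXMvdHJ1c3Q='
$plainQuery = '?wa=wsignin1.0'
$mobileQuery = '?wa=wsignin1.0&wauth=http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
if ((Get-ClaimsProviderCookie $plainQuery)  -ne $expectShib) { throw 'Shibboleth case does not match the guide' }
if ((Get-ClaimsProviderCookie $mobileQuery) -ne $expectAdfs) { throw 'ADFS (wauth) case does not match the guide' }
Write-Host 'Cookie rule matches the values in the guide'

# ---- Option B: per-Relying-Party enforcement (run on an AD FS server) ----
# Pins one Relying Party to the Shibboleth trust so the provider-selection page
# is never shown for it. Both names are assumed.
$rpName = 'Example Relying Party'   # assumed Relying Party display name
$cpName = 'Shibboleth IdP'          # assumed Claims Provider Trust display name
Set-AdfsRelyingPartyTrust -TargetName $rpName -ClaimsProviderName @($cpName)

# Verify: the RP now lists only the Shibboleth trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).ClaimsProviderName
```

The self-check in Option A is the useful part for a proxy rollout: if your load balancer's cookie rule produces a value different from the one the function returns for the same request, the EntityID or the Base64 step is wrong, and ADFS will fall back to showing the selection page.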
...