Hi,
We have a problem: We have a number of claims-aware applications. We now have to include a SAML federation to an outside Identity Provider ('X') with ADFS in the role of Service Provider, so that users from that IdP can use our applications as well as users from our internal AD (already sorted). OK so far - should be out of the box. But no, the external Identity Provider must have knowledge of the "application" that is using it so that it can switch presentations for the user login interactions. It does this by forcing the SP entity to include an "AppID". Those who are aware will know that any given ADFS instance can only have a single SP entity, which means we are forced down the path of a separate instance per one of our online applications. BTW, we have no control over the external Identity Provider and we are mandated to use them.
So we thought about putting a "chained federation broker" (CFB) in between ADFS and the external Identity Provider with the purpose of it handling the multiple SP entities.
So if we think in terms of chained federation trusts then it would look like this:
ADFS --> CFB --> 'X'
N.B. the arrows represent federation trust and point to the identity provider.
However, like all cunning plans, it appears to have a problem: when the federation is SP-initiated, how do we pass the application context (AppID = "my application") through ADFS to CFB when ADFS is simply in an SP role and CFB is presenting an IdP role to ADFS, without having to resort to an ADFS instance per application (which is the original problem)?
David.