We have a web service hosted on the internet that we are about to configure Single Sign On (SSO) for. People access this web service from inside our corporate network as well as from home (outside our corporate network obviously).
Since the users can access this service from home, in order to provide a type of SSO, the users will have to be redirected to our ADFS proxy servers that we have sitting in our DMZ. It won't be true SSO, as they will be prompted for their username/password (I'm assuming anyhow). These ADFS proxy servers will then connect to the internal ADFS server, and the internal ADFS server authenticates the user. An HTTP POST is then done from the proxy server to the web service.
Users also access this web service from inside our corporate LAN. In this scenario the user accesses the claims-aware web service and is redirected to the internal ADFS server, which authenticates the user. In this scenario, true SSO will happen since the user already has a Kerberos token. An HTTP POST is then done from the internal ADFS server to the web service.
If I have made any mistakes in the above 2 scenarios, please let me know.
My question is: how does the web service know whether to redirect the user to the internal ADFS server, or to redirect to the proxy ADFS server? Is this a setting that must exist within the web service? Such as being aware of the subnet the user is coming from, for instance, and redirecting to the proper ADFS server accordingly. Or does the web service have to set up 2 separate websites for users, one for internal access and one for external?
I'm a little muddy on ADFS proxies in general, as this is our first usage of them. Thanks for any help.