I've possibly got to implement SAML for a couple of sites we have and I was wondering if this kind of requirement can be implemented in infrastructure technologies like Active Directory or do I have to implement the solution in application code?

Cheers

Ollie

+1  A: 

I think ADFS supports this so you shouldn't have to write any code. Just do some configuration tweaking.

AD FS implements the standards based WS-Federation protocol and Security Assertion Markup Language (SAML). http://msdn.microsoft.com/en-us/library/bb897402.aspx

However, you might need to tweak some code based on how the domains and usernames are handled. For example, if the app just uses the username as a key and there's another guy in a different domain/directory with the same username then you'll have problems. If they use domain/username, then it would be less of a problem, but you might still have collisions based on how the user authentication and lookups are handled.

There are some commercial products provided by Ping Identity and RSA (EMC) that do some of the SAML work for you, too.

Note that I'm a dev and not an AD/networking guy (so I could be wrong about AD stuff), but I'll be working with this in the near future to integrate some of my intranet sites with our various sibling companies/divisions who are on different networks/directories.

Jim W
your future work sounds exactly like what I'll be having to do...
AWC
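Added example (Python, not code from this thread or from any of the products mentioned) illustrating the username-collision point in the answer above: keying a local account on the SAML NameID alone collides when two directories both have a "jsmith", while keying on the pair (Issuer, NameID) does not. The two assertions are constructed samples, the issuer URLs are made up, and signature validation of the assertion is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET

# Namespace of <Assertion>, <Issuer> and <NameID> in SAML 2.0.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertions (not real): the same NameID "jsmith" issued by
# two different identity providers, i.e. two different directories/domains.
ASSERTION_A = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.division-a.example/</saml:Issuer>
  <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
</saml:Assertion>"""
ASSERTION_B = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b1" Version="2.0">
  <saml:Issuer>https://idp.division-b.example/</saml:Issuer>
  <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
</saml:Assertion>"""


def parse_subject(assertion_xml):
    """Return (issuer, name_id) from a SAML 2.0 assertion.

    Assumes the XML signature was already verified upstream; this only reads
    the identity-bearing elements.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or NameID")
    return issuer.strip(), name_id.strip()


def local_key(issuer, name_id, scope_by_issuer=True):
    """Key used to look up the local account for this SAML subject."""
    return f"{issuer}|{name_id}" if scope_by_issuer else name_id


def map_users(assertions, scope_by_issuer=True):
    """Map each assertion to a local account key.

    Returns (keys -> issuer, list of keys that two different issuers claimed).
    """
    seen, collided = {}, []
    for xml in assertions:
        issuer, name_id = parse_subject(xml)
        key = local_key(issuer, name_id, scope_by_issuer)
        if key in seen and seen[key] != issuer:
            collided.append(key)  # two directories mapped onto one account
        seen[key] = issuer
    return seen, collided
```

Running `map_users([ASSERTION_A, ASSERTION_B], scope_by_issuer=False)` reports `"jsmith"` as a collision, whereas the issuer-scoped form yields two distinct keys and no collision.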
+1  A: 

Just to clarify, ADFS leverages the SAML token but is NOT interoperable with the SAML protocol. Since you need to support SAML for your websites, then you'd need to implement the same SAML protocol as your SSO partners will be using - either 2.0, 1.1 or 1.0.

We have a lot of info about SAML in the information library portion of our website: http://www.pingidentity.com/information-library/index.cfm

Of course, we also offer a simple and secure solution for these requirements - PingFederate.

This is now out of date - the newly released ADFS 2.0 is interoperable with SAML 2.0.
Andrew Strong