tags:

views:

59

answers:

3
Q: 

SAML Identity Provider based on Active Directory

I have a 3rd party program that supports web SSO using SAML 1.1 (it is ready to serve as the Service Provider, in other words).

We would like to implement this SSO for our intranet users based on their Active Directory credentials. In other words, they've already logged on to their system, so let's simply use those credentials to facilitate an SSO. I am a little overwhelmed at where to begin, though.

My initial thought is that IIS / Active Directory could easily serve as the Identity Provider since IIS gives us "Integrated Windows Authentication" abilities. I would think we could just create a .NET web app that requires Integrated Authentication which simply extracts the current user ID, builds the SAML response, and re-directs the user back to the Service Provider with this SAML response to complete the SSO.

But then, my problem is that I simply have no real idea of how to go about creating this SAML response, the X.509 certs involved, etc... I am wondering if I am in over my head on this, or if creating this SAML response should be relatively easy.

Note this SSO is to be used by intranet users only, so no need to worry about federating with other companies / domains.

A: 

I wouldn't bother trying to build something SAML compliant. It will take you weeks to use a toolkit and your efforts will probably only handle the one use case. Once you get something custom into place you'll soon realize the rest of your organization needs some type of SAML integration as well (either internal or externally).

The quickest (and IMHO) easiest way (and you'll come out looking like a hero) is to use something like PingFederate from www.pingidentity.com. You can have it up and running in less than a day if you know what you are doing.

Just my $0.02

HTH - Ian

Ian  2010-06-16 14:59:07
A: 

Another option that you may want to look into is Microsoft's Active Directory Federation Server (ADFS) 2.0.

Franco Caliente  2010-06-16 19:04:01
A: 

ADFS has too many limitations and constraints. Agree with Ian that you should look at Ping Identity.

Nate  2010-06-17 17:24:50

related questions

SAML 2.0 SSO and ASP.Net
SAML assertion with username/password - what do the messages really look like?
Can you recommend a SAML 2.0 Identity Provider for test?
Anyone using Spring-ws with SAML authentication?
How do I configure WebLogic 10.3 Web App To Use SAML 2 SSO and Identity Provider?
Use gmail domain account with IMAP authentication with SAML authentication not working...
SAML Assertion consumer Service (ACS) - Suggestions on implementation
Convenient applications for Browser/POST and Browser/Artifact SAML profiles
Designing an XACML API
What is SAML?
How to implement SAML SSO
WCF Interop with Axis2 using WS-Trust
Are attributes allowed in a SAML authentication request?
Why is using a certificate, made with the MakeCert tool, in production bad?
Implementing SSO using different versions of SAML
Need info on SAML 2.0
Signing XML with Public Key Example?
Identity provider implementation of opensaml 2.0
Do we absolutely need a STS for SAML?
SAML identity provider as Java servlet filter?
Looking for feedback on a first SAML implementation.
SAML Assertion WriteXML issue in C#
SAML with .NET 2.0
Implementing Claims-Based Security (WCF/Asp.NET)
How do I deserialize a SAML assertion in Rampart/C (Axis2/C)?