Reputation: 155
It is interesting to know whether multitrust is possible in the SSO architecture, for example based on ADFS. I mean the following. Let's say I have ADFS_0 and ADFS_1 (actually I have IdentityServer4 as STS here) with their external Claim (identity) Providers and Service Providers. Is it possible to combine both ADFS servers so that Service Providers remain in trust with their ADFS?
I understand that it is possible, for example, to make ADFS_0 the main one and connect ADFS_1 as a Claim Provider to ADFS_0, but in this case all sites and services from ADFS_1 must be reassigned to ADFS_0, and I just don't want to do this. But in my imagined case we have two STSs issuing valid tokens for both ADFSs in a single trust...
Any thoughts? Thanks.
Upvotes: 0
Views: 28
Reputation: 29316
I would think this through end to end, in terms of identifying users in backend requests. I assume here that you have an OAuth based setup.
Usually both clients and APIs trust a single authorization server. This means APIs receive a single type of access token. They then map the subject claim to business resources. An example is provided in my user data management blog post.
MULTIPLE AUTHORIZATION SERVERS
Only one ADFS should provide the authorization server (AS) role. It is possible that you have this type of setup, which may be fine, e.g. if the components are from independent organizations.
But if you need to integrate users, clients and APIs together within the same organization, this setup is not recommended, since the user data management would become more complex than it needs to be.
The authorization server, eg ADFS_0, can integrate with another identity system, eg ADFS_1, that has an identity provider role. In this case though, access tokens are always issued to clients by ADFS_0.
So from a client and API viewpoint there is no multi-trust. Instead they interact with their authorization server, which is their central point of trust. Within an organizational boundary, aim for a future setup where clients and APIs use the same authorization server.
Upvotes: 1
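As an added example (not code from the answer, ADFS or IdentityServer4), this is the API side of the single-trust setup described above: the API verifies every access token against one configured authorization server, ADFS_0, and then maps the subject claim to its own business record. It assumes constructed issuer URLs, HS256 shared secrets standing in for the RS256 keys a real STS would use, and a constructed subject table; a token minted by ADFS_1 directly is rejected even though ADFS_1 may be federated behind ADFS_0.

```python
import base64, hmac, hashlib, json, time

# Constructed demo values: exactly one trust anchor for this API (ADFS_0).
# HS256 secrets stand in for the RS256 signing keys real ADFS uses (assumption).
TRUSTED_ISSUER = "https://adfs0.example.test/adfs"   # constructed URL
API_AUDIENCE = "api://orders"                        # constructed audience
KEYS = {"https://adfs0.example.test/adfs": b"adfs0-demo-secret",
        "https://adfs1.example.test/adfs": b"adfs1-demo-secret"}

# Local mapping of subject claims to business resources (constructed data).
USER_STORE = {"0a1b": {"customer_id": 1001, "roles": ["buyer"]}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer: str, sub: str, aud: str, ttl: int = 300) -> str:
    """Mint a JWT the way an STS would; used only to build demo inputs."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "sub": sub, "aud": aud, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[issuer], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def authenticate_request(token: str) -> dict:
    """API-side check: one trusted issuer, then map the subject to a local identity."""
    header, body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    # Pick the key from the configured trust anchor, never from the token's own iss.
    expected = hmac.new(KEYS[TRUSTED_ISSUER], f"{header}.{body}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("signature is not from the trusted authorization server")
    if claims.get("iss") != TRUSTED_ISSUER:
        raise PermissionError("untrusted issuer")
    if claims.get("aud") != API_AUDIENCE:
        raise PermissionError("token was not issued for this API")
    if claims.get("exp", 0) < time.time():
        raise PermissionError("token expired")
    user = USER_STORE.get(claims["sub"])
    if user is None:
        raise PermissionError("subject unknown to this API")
    return {"sub": claims["sub"], **user}

def accepted(token: str) -> bool:
    """Convenience wrapper: True if the API would serve the request."""
    try:
        authenticate_request(token)
        return True
    except (PermissionError, ValueError, KeyError):
        return False
```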