Channel: Security forum

ADFS 3.0 - to - ADFS 3.0 Redirection for claims-based authentication


Hi,

I have the following environment(s):

- Users in DomainX - let's call a single user "UserInX"
- ADFS 3.0 (WinServer 2012 R2) using ActiveDirectory for credentials, also in DomainX - call this "AdfsX"
- MVC Website in Domain Y - "WebY"
- ADFS 3.0 (WinServer 2012 R2) in DomainY - "AdfsY"

Essentially, UserInX needs access to WebY.

I'd like to set up a federated claims-based single-sign-on authentication model, using AdfsX to [authenticate UserInX and] pass claims to AdfsY, which should trust AdfsX (pre-defined) and allow UserInX to proceed to WebY.

So, effectively:

1. UserInX hits WebY (without creds)
2. WebY redirects to AdfsY for authentication-decision
3. AdfsY knows that this user should be redirected to AdfsX for authentication and AdfsX presents a login page (or simply already knows UserInX, because he/she is logged into said DomainX)
4. AdfsX redirects back to AdfsY with valid claims token
5. AdfsY redirects UserInX to WebY (who allows access because they trust the claims-token).
6. UserInX gets access to WebY

I have half of this setup working just fine, using *only* WebY and AdfsY, authenticating UserInX against AdfsY's ActiveDirectory (effectively skipping steps #3 and #4), so I'm pretty sure the web.config et al. in WebY is all fine (i.e. set up properly, to send unauthenticated users to AdfsY for login).

But I can't seem to properly configure the parts that tell AdfsY to federate/redirect to AdfsX (i.e. step #3 (and #4) above).

Searching the interwebs, I found the scenario-based tutorial provided on MSDN, at: http://msdn.microsoft.com/en-us/library/ff359110.aspx

While this scenario is pretty much exactly what I want to replicate, I can't seem to find anywhere that tells me how to physically achieve it. That is, how to set this all up on ADFS 3.0 WinServer 2012 R2. As mentioned, I'm fairly certain WebY shouldn't need any tweaking; it should all be quite straightforward to set up in AdfsY and AdfsX, no?

Any help would be much appreciated.

Thanks! Tim
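
Steps 3 to 5 of the flow above map onto two trusts plus claim rules: AdfsY registered as a relying party on AdfsX, and AdfsX registered as a claims provider on AdfsY. The PowerShell below is an added sketch of that configuration, not part of the original post; the hostnames, the `domainx.example` suffix, the relying party trust name `WebY` and the choice of UPN as the federated claim are all assumptions.

```powershell
# Added example: every hostname, trust name and UPN suffix below is a placeholder.
$AdfsXMetadata = 'https://adfsx.domainx.example/FederationMetadata/2007-06/FederationMetadata.xml'
$AdfsYMetadata = 'https://adfsy.domainy.example/FederationMetadata/2007-06/FederationMetadata.xml'

# ---- On AdfsX: register AdfsY as a relying party (step 4) ----
$issueUpn = @'
@RuleName = "Issue UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";userPrincipalName;{0}", param = c.Value);
'@
$permitAll = @'
@RuleName = "Permit all authenticated DomainX users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Add-AdfsRelyingPartyTrust -Name 'AdfsY' -MetadataUrl $AdfsYMetadata `
    -IssuanceTransformRules $issueUpn -IssuanceAuthorizationRules $permitAll

# ---- On AdfsY: register AdfsX as a claims provider (step 3) ----
# Accept only UPNs in DomainX's own suffix, so AdfsX cannot assert identities
# from any other namespace.
$acceptUpn = @'
@RuleName = "Accept UPN from DomainX suffix only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "(?i)@domainx\.example$"]
 => issue(claim = c);
'@
Add-AdfsClaimsProviderTrust -Name 'AdfsX' -MetadataUrl $AdfsXMetadata `
    -AcceptanceTransformRules $acceptUpn

# ---- On AdfsY: forward the accepted claim to WebY (step 5) ----
# Append to the existing rules instead of replacing them.
$passUpn = @'
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);
'@
$webY = Get-AdfsRelyingPartyTrust -Name 'WebY'
Set-AdfsRelyingPartyTrust -TargetName 'WebY' `
    -IssuanceTransformRules ($webY.IssuanceTransformRules + "`n" + $passUpn)

# Review what AdfsY will accept from AdfsX.
Get-AdfsClaimsProviderTrust -Name 'AdfsX' |
    Format-List Name, Enabled, AcceptanceTransformRules
```

With both Active Directory and AdfsX registered as claims providers, AdfsY shows a home realm discovery page at step 3 where the user picks AdfsX.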

