can ADFS idP send "user not found" to SP? - adfs3.0

My customers land on my ADFS IDP-initiated login page. They get authenticated and redirected to SP. Everything looks nice. But I have a few extra users that are not part of idP database (AD domain). I would like to authenticate them locally in my SP but they are never redirected there. They get stuck in ADFS with "wrong username/password".
Is it possible to send a SAML message with some "user not found" message to the SP?
I'm using ADFS 3.0
Thank you very much for all ideas and suggestions.

No - that's not the way most IDPs work.
You can't leave the login page until you are authenticated.
What you can do is add another IDP for your other users e.g. Identity Server 3 and then federate it with ADFS.

Related

SAML SSO Unsure how a user gets to the protected SP page for IDP initiated SAML

I currently maintain an in-house SAML IDP written utilising LightSaml. This has served the company well for the last 2 years working with SP initiated SSO. I have recently been tasked with implementing IDP initiated SSO and I'm not able to work out how the user is automatically redirected to the desired protected page once they're authenticated.
In SP initiated SSO, the user starts at the page they want, therefore the SP knows where they want to end up after being authenticated. So in this case, the SP handles the final redirection.
In IDP initiated SSO, the SP doesn't actually know what protected page the user wants, so could someone explain what happens after the IDP sends the auth response to the SP?
Thanks in advance.
In IdP-initiated SSO, along with the SAML response, the IdP can send relay state. This relay state is the URL the SP should redirect to once SSO completes. If no relay state is sent, the SP will most likely redirect to some default page.
A typical scenario is that the IdP has a portal page with one or more links representing different pages at the SP. If the user clicks link #1, the IdP initiates SSO to the SP and sets the relay state to the page #1 URL. If the user clicks link #2, the IdP initiates SSO to the SP and sets the relay state to the page #2 URL.
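The portal-link scenario above, as an added example that is not part of the original answer: the IdP side puts the chosen page into RelayState next to the HTTP-POST SAMLResponse, and the SP side decides where to send the browser, honouring only same-site targets and falling back to a default page otherwise. The host name, helper names and the sample Response are assumptions; signature handling is omitted.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample: a minimal, unsigned SAML Response used only to show the binding fields.
SAMPLE_RESPONSE_XML = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                       b'ID="_example" Version="2.0"/>')

def idp_build_post_fields(response_xml, target_url=None):
    """IdP portal side (hypothetical helper): the HTTP-POST binding form fields for an
    unsolicited response. RelayState carries the SP page the user clicked on the portal.
    The SAML 2.0 Bindings spec caps RelayState at 80 bytes, so longer values are rejected."""
    fields = {"SAMLResponse": base64.b64encode(response_xml).decode("ascii")}
    if target_url is not None:
        if len(target_url.encode("utf-8")) > 80:
            raise ValueError("RelayState must not exceed 80 bytes")
        fields["RelayState"] = target_url
    return fields

def sp_decode_response(fields):
    """SP side: recover the raw Response XML from the posted form (signature checks omitted)."""
    return base64.b64decode(fields["SAMLResponse"])

def sp_resolve_target(relay_state, sp_host="sp.example.com", default="/home"):
    """SP side: pick the post-login page. Only a site-relative path or an https URL on the
    SP's own host is honoured; a missing RelayState, another host, a protocol-relative
    '//evil' value or a javascript: scheme all fall back to the default page, so the
    IdP-supplied value cannot become an open redirect."""
    if not relay_state:
        return default
    parts = urlsplit(relay_state)
    is_relative = (parts.scheme == "" and parts.netloc == ""
                   and relay_state.startswith("/")
                   and not relay_state.startswith(("//", "/\\")))
    if is_relative:
        return relay_state
    if parts.scheme == "https" and parts.hostname == sp_host:
        return relay_state
    return default
```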

ADFS as a SAML Service Provider interacting with other Relying Parties

I have a web application that is capable of being a SAML 2.0 IdP as well as a SP, and have successfully implemented SSO between my platform and ADFS, but only when ADFS is the IdP.
This is my first foray into integrating with my platform, using ADFS as a SP and I'm having problems understanding the SSO flow.
In my situation, I have three players: WebApp (IdP), ADFS (SP), RelyingParty (S). The trusts are set up in ADFS, and the user experience is supposed to be a successful login to the RelyingParty having logged in to the WebApp.
Setting up a new Claims Provider Trust in ADFS with my web app appears to work perfectly. I can go to my app's IdP-initiated URL which sends an unsolicited SAML message to ADFS's ACS URL. When I do this, I get redirected to /idpinitiatedsignon with the message "You are signed in" and a drop-down of the relying parties I've already set up.
If I click on the login button for the RP, ADFS generates a new AuthNRequest to my web app before eventually getting to the Relying Party.
So, seeing this behaviour, I have two questions:
I would have thought that the initial sign in to ADFS via my IdP-initiated login would have got me through to my RP without the need for going back to the IdP for another sign-in. Have I misunderstood, or have I just misconfigured ADFS?
By what mechanism is ADFS determining that my IdP is to be used? If I go to the ADFS /adfs/ls/idpinitiatedsignon.aspx page in a browser, I've not involved my IdP at all, and selecting my RP does use my IdP to authorize the user, but I've no idea how this is determined since there's no link between the Claims Provider Trust and the Relying Party in ADFS configuration.
What happens if you use loginToRp:
https://your-adfs-server/adfs/ls/IdpInitiated.aspx?loginToRp=your:relying:party:id
You have chosen to use IDP Initiated to ADFS. So ADFS handles the authentication.
If you want to involve your IDP, you need to use SP-Initiated flow from the RelyingParty (S).
Then ADFS will show you the Home Realm Discovery screen and you can pick your IDP.

Single Sign On: SimpleSAMLPhp Service Provider Implementation

I am implementing an SSO using the SimpleSAMLPhp Service Provider.
I provided my metadata to remote Shibboleth Identity Provider and was provided a test account.
When a user visits a specific page on my SP, they get redirected to the IdP, login, and are redirected back to my web site with a bunch of IdP provided attributes. This part works.
This part I am struggling with.
If the user authenticates with the same IdP through a different Service Provider and then visits my page, how do I know they are already authenticated? Currently I am being asked to login again.
Is there a configuration value somewhere that lets me do this? Or am I using the wrong method? This is what I am doing.
<?php
// {REMOTE_AUTHSOURCE} is the name of the saml:SP auth source defined in config/authsources.php (elided in the original)
$as = new SimpleSAML_Auth_Simple({REMOTE_AUTHSOURCE});
$as->requireAuth(); // this redirects to remote IdP login
$attributes = $as->getAttributes();
Thanks.
There are two separate authentication sessions to consider. One session is in your app and the other is at the IdP. The requireAuth method can tell if the user already has an authenticated session in your application, and will return immediately in that case.
There is no way for you to tell if a browser has a session at the IdP. You just call requireAuth, which sends the user there, and if the IdP decides the user's session is still valid it will respond without prompting for login.
Are you saying that the user has a valid session at the IdP and they are being re-prompted to authenticate when you send the user there? That could be due to IdP policy, or if your app was sending something like 'forceAuth' in its AuthnRequest.
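The two-session model from the answer above, as an added example that is not part of the original post: the SP side mirrors requireAuth (a local session short-circuits, otherwise an AuthnRequest is built, optionally with ForceAuthn), and the IdP side is the only party that can see its own session and decide whether to re-prompt. The session dicts, epoch-second timestamps and the 8-hour IdP policy are assumptions.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("samlp", SAMLP)

def sp_require_auth(sp_session, force_authn=False):
    """SP side, mirroring requireAuth(): an authenticated local session returns at once and
    the IdP is never contacted; otherwise an AuthnRequest is produced for the redirect.
    force_authn adds ForceAuthn="true", which asks the IdP to re-prompt regardless of any
    IdP session (sp_session is a constructed dict standing in for the app session)."""
    if sp_session.get("authenticated"):
        return "session", None
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    return "redirect", ET.tostring(req, encoding="unicode")

def idp_must_prompt(authn_request_xml, idp_session, now_ts, max_age_s=8 * 3600):
    """IdP side: the only party that knows whether this browser has an IdP session.
    It re-prompts when the SP sent ForceAuthn, when there is no IdP session, or when the
    session is older than the IdP's own policy allows (times are epoch seconds)."""
    root = ET.fromstring(authn_request_xml)
    if root.get("ForceAuthn", "false").lower() == "true":
        return True
    if not idp_session:
        return True
    return now_ts - idp_session["authenticated_at"] > max_age_s
```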

Token not clearing properly while single sign out in Kentor

We are implementing SSO with Kentor using an HTTP module. Our SP is ADFS.
In the ADFS we configured "Transform an Incoming claim" with Incoming claim type as "E-mail Address", OutgoingClaimType as NameID and OutGoing NameId format as "Email". When we logout from the application using ("~/AuthServices/Logout?ReturnUrl=~/?Status=LoggedOut") it is redirecting to the ADFS Signout page (https://win-3obaenpbsol.dc10.inapp.com/adfs/ls/?wa=wsignout1.0),
and when we try to load our application again, it redirects into the application without asking for the login. So the expected result is that once we logout it should ask for the login again. How can we handle this?
Thanks,
Raj

ADFS signout returns 404

We have a federation where ADFS3 is our main sign on mechanism with Identityserver as a relying party which is handling our OAuth. So when a user logs in we are redirected via the idserver to ADFS where they login, then we are redirected back and the user now has an OAuth token issued by identityserver.
We are having issues with logoff when it is initiated by ADFS. Using fiddler I can see ADFS is redirecting to https://idserver/?wa=wsignoutcleanup1.0 but this is returning a 404.
Is this the right URL it's calling?
Have we missed something when creating the idserver?
I don't have a callbackpath configured so assume it should pick this up?
Thanks
The problem is that the Katana Ws-Fed middleware from Microsoft doesn't support signout. You will have to implement this yourself -- middleware seems like an obvious approach.