Thursday, January 07, 2016

ADFS : Support for SAML Scoping

With WS-Federation, the whr query-string parameter lets the relying party name the user's home realm up front, so ADFS skips the Home Realm Discovery (HRD) screen.

What is the SAML equivalent?

There is RelayState, but RelayState means two different things depending on the flow:
  • IdP-initiated - ADFS treats it as routing information, similar to whr
  • SP-initiated - opaque state handed back to the SP for context (similar to WS-Fed wctx)
So for SP-initiated sign-on, RelayState doesn't help you.

SAML 2.0 also defines the Scoping element: its IDPList tells the identity provider (or a proxying IdP) which identity providers the SP is willing to accept, and ProxyCount limits how many proxy hops are allowed. That is the closest SAML equivalent to whr.

An SP-initiated AuthnRequest using Scoping looks like this:

<samlp:AuthnRequest ID="_2528098e-4326-4fe2-83fd-72544c485420"
                    Version="2.0"
                    IssueInstant="2015-12-17T22:01:04.779Z"
                    Destination="https://xxx/adfs/ls"
                    ForceAuthn="false"
                    IsPassive="false"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://xxx/SAML/AssertionConsumerService.aspx?binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://xxx/</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" />
    <samlp:Scoping ProxyCount="10">
        <samlp:IDPList>
            <samlp:IDPEntry ProviderID="https://blah.company.corp" />
        </samlp:IDPList>
    </samlp:Scoping>
</samlp:AuthnRequest>
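The request above is the SP's half of the exchange; what an IdP does with the Scoping element is the half the post cannot show, because ADFS does nothing with it. The following is an added Python example (standard library only; not code from the original post and not ADFS's own logic) that builds the same kind of AuthnRequest from parameters and then routes it the way an IdP or federation proxy that honours Scoping would: the IDPList selects the claims provider, ProxyCount="0" forbids any proxying, and a ProviderID that is not a configured trust yields a NoSupportedIDP status instead of a redirect. The entity IDs, the local IdP identifier and the trusted-provider set are constructed placeholders; the xxx hosts mirror the post.

```python
"""Build a SAML 2.0 AuthnRequest carrying <samlp:Scoping>, then route it as an
IdP that honours Scoping would.  Added example, standard library only; not code
from the original post and not ADFS's behaviour.  All identifiers are constructed."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Second-level status codes from SAML 2.0 Core for Scoping failures.
STATUS_NO_SUPPORTED_IDP = "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP"
STATUS_PROXY_COUNT_EXCEEDED = "urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, destination, acs_url, idp_entries=None, proxy_count=10):
    """Serialise an unsigned SP-initiated AuthnRequest as a string.
    <samlp:Scoping> is added only when idp_entries is non-empty."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + str(uuid.uuid4()),  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "ProtocolBinding": HTTP_POST,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {"AllowCreate": "true"})
    if idp_entries:
        scoping = ET.SubElement(root, f"{{{SAMLP}}}Scoping", {"ProxyCount": str(proxy_count)})
        idp_list = ET.SubElement(scoping, f"{{{SAMLP}}}IDPList")
        for provider_id in idp_entries:
            ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": provider_id})
    return ET.tostring(root, encoding="unicode")


def parse_scoping(xml_text):
    """Return {'proxy_count': int|None, 'idps': [ProviderID, ...]}, or None if absent."""
    root = ET.fromstring(xml_text)
    scoping = root.find(f"{{{SAMLP}}}Scoping")
    if scoping is None:
        return None
    count = scoping.get("ProxyCount")
    entries = scoping.findall(f"{{{SAMLP}}}IDPList/{{{SAMLP}}}IDPEntry")
    return {
        "proxy_count": int(count) if count is not None else None,
        "idps": [e.get("ProviderID") for e in entries],
    }


def select_claims_provider(xml_text, local_entity_id, trusted_claims_providers):
    """Route the request the way an IdP honouring Scoping would.  Returns
    ("hrd", None)           no usable Scoping: fall back to the HRD page
    ("local", entity_id)    the SP accepts this IdP: authenticate here
    ("proxy", provider_id)  forward to a configured claims provider
    ("fail", status_code)   second-level status for an error Response"""
    scoping = parse_scoping(xml_text)
    if scoping is None or not scoping["idps"]:
        return ("hrd", None)
    if local_entity_id in scoping["idps"]:
        return ("local", local_entity_id)
    for provider_id in scoping["idps"]:  # IDPList order is the SP's preference
        # Only ever proxy to a trust we already have configured: the IDPList in
        # an unsigned request is whatever the browser sent.
        if provider_id in trusted_claims_providers:
            if scoping["proxy_count"] == 0:  # ProxyCount=0 forbids any indirection
                return ("fail", STATUS_PROXY_COUNT_EXCEEDED)
            return ("proxy", provider_id)
    return ("fail", STATUS_NO_SUPPORTED_IDP)


if __name__ == "__main__":
    # Constructed identifiers; the claims provider is the one named in the post.
    request = build_authn_request(
        issuer="https://xxx/",
        destination="https://xxx/adfs/ls",
        acs_url="https://xxx/SAML/AssertionConsumerService.aspx",
        idp_entries=["https://blah.company.corp"],
    )
    print(request)
    print(select_claims_provider(request, "https://xxx/adfs/services/trust",
                                 {"https://blah.company.corp"}))
```

The match against trusted_claims_providers is the important design choice: an IdP that redirected to whatever ProviderID it was handed would turn the AuthnRequest into an open redirect, so an unknown entry is answered with a status code, not a hop. The order of IDPEntry elements is treated as the SP's preference, which is how a proxy picks one provider when several are listed.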


Unfortunately, ADFS doesn't support Scoping in v2.0, v2.1 or v3.0: the IDPList is ignored and the user still lands on the HRD screen.

Hopefully, it will in v4.0.

Enjoy!
