IP Based HRD in AD FS Windows Server 2012 R2?
Hi,

At the moment I'm doing a project for a large financial customer in the Netherlands that plans to upgrade its AD FS 2.0 farms to AD FS on Windows Server 2012 R2 (3.0).

The reason the customer needs to upgrade is that they are going to migrate from SharePoint 2007 to SharePoint 2013, and the latter uses dynamic URLs when you create a SharePoint app. Federating those with AD FS is only supported in the latest AD FS version.

The customer is using AD FS to federate web applications based on SharePoint technology as well as other web applications. The customer uses multiple IdPs (external, government, internal, customers and stakeholder organizations) for the relying party trusts, and does not want users to get a selection screen where they have to select the correct IdP before login. This is called Home Realm Discovery (HRD).

On the current platform we have customized the web.config and created a HomeRealmDiscovery.aspx.cs that creates a temporary domain cookie, determines the IP address of the source client and selects the correct IdP when it connects to a relying party trust. This process is triggered to determine whether the user is an internal client, or whether the user is coming from a specific external partner organization. In that case no user is asked to select the corresponding IdP when logging in to the application.

In AD FS 3.0 the HRD process has been improved. You can enable IntranetUseLocalClaimsProvider in the AD FS properties of the AD FS farm. This solves part of the problem: the determination of internal clients. It doesn't solve the problem of determining the partner organization based on IP address.

The second part of the new HRD improvements (the OrganizationalAccountSuffix that can be set on an ADFSClaimsProviderTrust) is of no use in this scenario, because not all partner organizations use, and never will use, an e-mail address or UPN to log in to the application.

I thought of doing custom coding in a new authentication provider based on the Microsoft.IdentityServer.Web namespace. I don't know whether that would work and how to create it, because the namespace is poorly documented for use with AD FS 3.0.

I have found a blog post on the net where a similar scenario is described and solved in SharePoint by creating a redirect. Since we are not only using SharePoint, and I would prefer to have the HRD logic on AD FS and not on the application side, that doesn't help much.

Does anyone have ideas on how I can tackle this issue?

PS. I'm considering opening a Microsoft support case.
Thanks,
Cor

Technical Consultant Exchange | MCP, MCSA, MCSE, MCTS, MCITP | Blog: http://www.reinhard-online.nl | Follow me on Twitter: correinhard | Please feel free to nominate me for MVP @ https://mvp.support.microsoft.com/gp/mvpnominate
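As an added example (not the original poster's code and not a Microsoft sample), the following shows what an IP-based HomeRealmDiscovery.aspx.cs for an AD FS 2.0 farm looks like: it maps the source address of the client to a claims provider trust, remembers the choice in a short-lived cookie, and only falls back to the selection screen for unknown networks. The CIDR ranges, the partner claims provider identifiers and the cookie name are assumptions chosen for illustration; the class and the SelectHomeRealm call are the ones the AD FS 2.0 HRD page template derives from.

```csharp
// Added example: IP-based home realm discovery on an AD FS 2.0 HRD page.
// The networks and identifiers below are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
using System.Web;

public partial class HomeRealmDiscovery : Microsoft.IdentityServer.Web.UI.HomeRealmDiscoveryPage
{
    // Hypothetical mapping of source networks to claims provider trust identifiers.
    // First match wins, so list the most specific ranges first.
    private static readonly IList<KeyValuePair<string, string>> NetworkToIdp =
        new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("10.0.0.0/8",      "AD AUTHORITY"),             // internal clients (local AD)
            new KeyValuePair<string, string>("203.0.113.0/24",  "urn:federation:partner-a"), // assumed partner A (TEST-NET-3)
            new KeyValuePair<string, string>("198.51.100.0/24", "urn:federation:partner-b"), // assumed partner B (TEST-NET-2)
        };

    private const string HrdCookieName = "HrdRealm"; // assumed cookie name

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // 1. Honour a realm already chosen for this client (the temporary cookie).
        HttpCookie existing = Request.Cookies[HrdCookieName];
        if (existing != null && !string.IsNullOrEmpty(existing.Value))
        {
            SelectHomeRealm(existing.Value);
            return;
        }

        // 2. Otherwise classify the TCP peer address. If a proxy sits in front
        //    of AD FS this is the proxy, not the client; do not fall back to
        //    X-Forwarded-For unless that proxy is under your control, since a
        //    client can set that header itself.
        string realm = RealmForAddress(Request.UserHostAddress);
        if (realm == null)
        {
            return; // unknown network: show the normal selection screen
        }

        HttpCookie cookie = new HttpCookie(HrdCookieName, realm)
        {
            HttpOnly = true,
            Secure = true,
            Expires = DateTime.UtcNow.AddMinutes(10), // short-lived on purpose
        };
        Response.Cookies.Add(cookie);
        SelectHomeRealm(realm);
    }

    // Returns the claims provider identifier for an address, or null if none matches.
    internal static string RealmForAddress(string address)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(address, out ip)) return null;
        foreach (KeyValuePair<string, string> entry in NetworkToIdp)
        {
            if (InCidr(ip, entry.Key)) return entry.Value;
        }
        return null;
    }

    // Minimal IPv4 CIDR match; IPv6 clients deliberately never match and
    // therefore get the selection screen.
    internal static bool InCidr(IPAddress ip, string cidr)
    {
        if (ip.AddressFamily != AddressFamily.InterNetwork) return false;
        string[] parts = cidr.Split('/');
        IPAddress network = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        uint mask = prefix == 0 ? 0u : uint.MaxValue << (32 - prefix);
        return (ToUInt32(ip) & mask) == (ToUInt32(network) & mask);
    }

    private static uint ToUInt32(IPAddress ip)
    {
        byte[] b = ip.GetAddressBytes();
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }
}
```

Note that the source address only routes the user to an IdP; it is not an authentication decision. The partner claims provider still has to authenticate the user and the relying party rules still decide what that user may do, so a wrong or spoofed mapping costs you at most a redirect to the wrong login page. The cookie carries only the realm identifier and is marked HttpOnly and Secure so it cannot be read by script or sent over plain HTTP.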
Hi Cor,

Regarding the claims-based issue, I suggest you refer to the experts in the following forum for professional support:

Claims Based Access Platform (CBA), code-named Geneva forum
http://social.msdn.microsoft.com/forums/vstudio/en-us/home?forum=geneva

If sufficient support cannot be provided in the forum above, opening a Microsoft support case is the better option.

Best regards,
Amy