Questions tagged [adfs]

Active Directory Federation Services (ADFS) is an identity access solution developed by Microsoft.

31 questions
15
votes
4 answers

How do the STS token formats compare to each other SAML vs SWT vs JWT?

I'm configuring an Azure ACS STS and would like to know if there is any impact on security based on the following token formats or how they are used. The answers to this question should apply to other STSs such as CA Siteminder, Ping Identity,…
makerofthings7
10
votes
3 answers

How to achieve seamless SSO without having the user log in again (SAML 2.0 & ADFS using OpenSSO)

We need to implement seamless SSO with ADFS SAML 2.0 using OpenSSO & we plan to go with IdP initiated GET binding. The user in client network will log in to ADFS with Windows credentials once every morning. Thereon, whenever he accesses our…
user36009
8
votes
1 answer

ADFS: Verify requests from relying party

In ADFS, several certificates are used. This is explained (very clearly) on this page: http://blogs.technet.com/b/adfs/archive/2007/07/23/adfs-certificates-ssl-token-signing-and-client-authentication-certs.aspx Now, I have configured the…
Michael
8
votes
1 answer

What are the security concerns with turning off Extended protection for authentication in IIS7 on ADFS?

In setting up SSO for Office 365, in order to make Chrome and Firefox access services on the Intranet, Extended Protection for Authentication must be disabled on the ADFS server. As the ADFS server is only accessible on the Intranet, and any external…
Matt Bear
5
votes
1 answer

SAML Assertion to Windows Identity (Kerberos token?) transformation

This is the scenario I need to cover: A web service that trusts an IdP using WS-Trust or anything like that, receives a SAML token to authenticate the user, and we need to call some SQL Server or any kind of service that uses Windows integrated…
Matt
5
votes
3 answers

ADFS 2012 R2 (3.0) JSON web token validation

Our client would like for us to utilize ADFS 2012 R2 (aka 3.0) as the primary means for two security features in internal apps that we are building: The web app (there are two, .NET & Angular) and an iOS app will use the OAuth flow within ADFS. Upon…
soglm
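The checks that the JWT-validation question above is asking about, as an added example; this is not code from the question, from ADFS, or from any Microsoft library. It assumes a relying party that expects issuer `http://adfs.example.local/adfs/services/trust` and audience `urn:example:webapp` (both made-up values), and it stands in an HS256 shared key so that it runs with only the Python standard library; a real ADFS token is RS256-signed with the token-signing certificate published in the federation metadata. The claim checks (pinned `alg`, signature before claims, `iss`, `aud`, `exp`/`nbf` with clock leeway) are the same whichever signature algorithm is in use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Real ADFS tokens are RS256-signed with the token-signing
# certificate from the federation metadata; HS256 is used here only so the
# example runs with the standard library. The claim checks are the same.
DEMO_KEY = b"constructed-demo-key-not-from-adfs"
EXPECTED_ISSUER = "http://adfs.example.local/adfs/services/trust"  # assumed value
EXPECTED_AUDIENCE = "urn:example:webapp"                            # assumed value


class TokenError(Exception):
    """Raised for any validation failure; the caller treats the request as unauthenticated."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Mint a JWT. alg is a parameter only so the demo can build an attacker's alg=none token."""
    signing_input = _segment({"typ": "JWT", "alg": alg}) + "." + _segment(claims)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, key: bytes = DEMO_KEY, issuer: str = EXPECTED_ISSUER,
                   audience: str = EXPECTED_AUDIENCE, now=None, leeway: int = 60) -> dict:
    """Return the claims if the token is acceptable for this relying party, else raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError(f"undecodable token: {exc}") from exc
    # Pin the algorithm: the header is attacker-controlled until the signature is
    # checked, so it must never select the verifier (alg=none, RS256->HS256 confusion).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("signature mismatch")
    # Signature is good; now check the token was meant for us and is current.
    if claims.get("iss") != issuer:
        raise TokenError(f"wrong issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise TokenError(f"token not for this audience: {aud!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenError("token expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        raise TokenError("token not yet valid")
    return claims


def _outcome(token: str, now: float):
    try:
        return validate_token(token, now=now)
    except TokenError as exc:
        return str(exc)


def demo() -> dict:
    """Run one good token and four bad ones through the validator; return each outcome."""
    now = 1_700_000_000  # fixed clock so results are reproducible
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
            "iat": now, "nbf": now, "exp": now + 3600}
    return {
        "valid": _outcome(issue_token(base), now + 10),
        "alg_none": _outcome(issue_token(base, alg="none"), now + 10),
        "expired": _outcome(issue_token({**base, "exp": now - 3600}), now),
        "wrong_aud": _outcome(issue_token({**base, "aud": "urn:example:other"}), now),
        "forged": _outcome(issue_token(base, key=b"attacker-key"), now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

In a real relying party the HMAC comparison is replaced by an RSA signature check against the ADFS token-signing certificate, and that certificate should be refreshed from the federation metadata so a signing-key rollover does not lock users out; everything after the signature check stays as written.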
5
votes
2 answers

How do Azure ACS 2.0 security features compare to ADFS 2.0?

I'm configuring my relying party (a website) to use either ADFS or Azure ACS 2.0. ADFS 2.0 has some interesting features such as Token Replay prevention (in the SQL version) and may have other SAML security features as well (which I may not…
makerofthings7
4
votes
1 answer

How does the "Service Identity" feature of Azure ACS compare (and contrast) to a real IDP?

It appears that the ACS has IDP-style features within the "Service Identities" section. How does the ACS treat these in comparison to a real IDP? What is missing? Some examples I'm thinking of include: Account Lockout, Auditing, Token Replay, etc.…
makerofthings7
3
votes
1 answer

How to properly handle security certificates in asp.net (ws-federation)

So I'm setting up single-signon authentication for the organization I work for. Our IT guy has setup an ADFS server, which is where we're getting our logon credentials from. He's using an in-house security certificate that wasn't originally created…
Scuba Steve
3
votes
1 answer

ADFS 3.0 OAuth2.0 against client applications

ADFS 3.0 does not support the Implicit Grant client flow of OAuth2, nor does it support client secrets. Initial investigations suggest it is not secure to use the Authorization Code Grant flow from a native client application as it exposes the client…
haymansfield
2
votes
0 answers

Mitigating the risk of disabling EPA on ADFS

I'm currently investigating the deployment of an Active Directory Federation Services (ADFS) server for providing Single Sign-on for various services. By default, ADFS enables support for Extended Protection for Authentication (EPA) to protect…
2
votes
1 answer

Is an ADFS "proxy" required in a production, Internet-facing ADFS deployment?

Is it acceptable to simply deploy ADFS and expose 80/443 to the Internet, as opposed to deploying redundant Front End and Back End servers? I understand that I'm missing out on Token Replay Attack prevention, but I also notice that different endpoints…
makerofthings7
2
votes
2 answers

Solutions for accessing webapp from inside and outside the corporate perimeter by same users?

I'm looking for solutions that could best address the following requirements. We plan to develop a webapp and deploy it in the cloud. Corporate users must be able to access the webapp from the enterprise network, where they're already connected to…
Aleph
2
votes
1 answer

ADFS SAML credential provider

Wanted to see if the following is feasible or is there a way out? My situation: computers have internet access always (assumption). I want to write a credential provider with a browser embedded and talk to an external SAML Shib IdP. After the SAML token is…
tech_geek
2
votes
0 answers

Authenticate with ADFS without Javascript?

I'm trying to allow a search engine that doesn't support javascript to crawl content protected by ADFS. Is there a way to allow clients that don't support javascript to authenticate to an ADFS protected web site? Out of the box, the ADFS login form…
BigMikeW