
Let's say I have 200+ sites in the form of:

https://site1.example.com, https://site2.example.com

I have to deploy an identical SAML configuration for all of these sites. Ideally I would just have a single relying party trust set up in ADFS that would match all of these sites. Each of those sites will have a response endpoint of https://siteX.example.com/saml; this is also specified in the SAML request from each SP.

I was looking for a way to set up the relying party trust with a wildcard for what is accepted, but this does not seem possible, from what I can tell.

Now I am wondering if there is another solution, along the lines of scripting, or cloning en masse. I also need to be able to grow this over time, preferably in an automated way.

Dylan
  • With the PowerShell cmdlet Add-AdfsRelyingPartyTrust I think it should not be difficult to create the relying party trusts for these 200+ sites automatically in a scripted way. Here are the docs for your reference: https://technet.microsoft.com/en-us/itpro/powershell/windows/adfs/add-adfsrelyingpartytrust – Jimmy Sun Mar 23 '17 at 11:23
  • Thanks for pointing me in that direction. It frustrates me that I can't figure out how to do this with one relying party trust. I found a single page on Microsoft's site that says this is possible, but the article is incomplete and doesn't explain how to do it with SAML 2.0: https://social.technet.microsoft.com/wiki/contents/articles/2305.ad-fs-2-0-how-to-utilize-a-single-relying-party-trust-for-multiple-web-applications-that-share-the-same-identifier.aspx – Dylan Mar 23 '17 at 17:23
  • Yes, I believe it is possible to do this with a single relying party trust. However, as the article shows, it needs some coding on your SP side, so that when a user types the site URL in his/her browser, he/she will be redirected to the corresponding site endpoint and then be redirected to the IdP page when he/she enters the username. – Jimmy Sun Mar 24 '17 at 04:23
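The scripted route from the first comment, as an added example (not code from the question or the comments): one relying party trust per site, created with Add-AdfsRelyingPartyTrust in a loop that can be re-run as the site list grows. It assumes a constructed file sites.txt listing one site name per line (site1, site2, ...) and the https://siteN.example.com / https://siteN.example.com/saml naming from the question; the claim rules are the stock "permit all" and "UPN as NameID" rules and are an assumption about what the SPs need.

```powershell
# Added example, not from the question or comments. Run on the ADFS server as an ADFS admin.
# Assumptions: sites.txt (constructed) lists one site name per line, e.g. "site1";
# identifier and ACS URL follow the pattern from the question.
Import-Module ADFS

# Identical rules for every site: everyone permitted, userPrincipalName issued as NameID.
$authzRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

function New-SiteRelyingPartyTrust {
    param([Parameter(Mandatory)][string]$SiteName)   # e.g. "site1"

    $identifier = "https://$SiteName.example.com"
    $acsUrl     = "$identifier/saml"

    # Idempotent: re-running against a grown sites.txt only adds the missing trusts.
    if (Get-AdfsRelyingPartyTrust -Identifier $identifier) {
        Write-Verbose "$identifier already has a trust, skipping"
        return
    }

    # One explicit AssertionConsumerService endpoint per site. This is what a wildcard
    # trust would give up: each trust's assertions stay bound to its own host.
    $acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                                -Uri $acsUrl -Index 0 -IsDefault $true

    Add-AdfsRelyingPartyTrust -Name "SP $SiteName" `
        -Identifier $identifier `
        -SamlEndpoint $acs `
        -IssuanceAuthorizationRules $authzRules `
        -IssuanceTransformRules $transformRules `
        -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
}

# Bulk run: one trust per line of sites.txt; blank lines are ignored.
Get-Content .\sites.txt | Where-Object { $_.Trim() } |
    ForEach-Object { New-SiteRelyingPartyTrust -SiteName $_.Trim() -Verbose }
```

If the SPs sign their AuthnRequests, add -RequestSigningCertificate and -SignedSamlRequestsRequired $true to the Add-AdfsRelyingPartyTrust call so ADFS rejects unsigned requests for that trust.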
