Comments on: Modifying the AD FS 2.0 Passive Federation Endpoint

By: Garrett

Garrett — Tue, 12 Jan 2010 14:50:22 +0000

Well, I stand corrected. Travis, you were correct that there are PowerShell Cmdlets to perform AD FS 2.0 administration:

http://technet.microsoft.com/en-us/library/ee126138(WS.10).aspx

Looks like you can do the same endpoint configuration using PowerShell.

By: Travis Spencer

Travis Spencer — Thu, 31 Dec 2009 15:21:35 +0000

Ah yes, the metadata. Now, I see the problem and why this sort of thing is necessary. I’ve been configuring all my RPs by hand, so I didn’t think of that.

By: Garrett

Garrett — Wed, 30 Dec 2009 23:04:11 +0000

@Travis Spencer
Thanks for the feedback, Travis. All good thoughts.

1. We had originally done just as you said — pointed the IIS virtual directory to the custom application. This was with Beta 2 when the site was found under /FederationPassive. With the RC and the new /adfs/ls folder structure, it seemed a little messier to change a sub-folder so that’s when I started looking for a way to change the AD FS configuration. In the end, it may be a little more work, but it seems cleaner to me.

2. I hadn’t looked to see if there were any PowerShell methods, but if somebody finds one, that would be excellent.

3. If I’m following you correctly, I understand that the STS URI is fairly arbitrary from the RP standpoint. However, the Metadata “endpoint” in AD FS points the RP to /adfs/ls. Therefore, if you use FedUtil to setup the trust between your RP and AD FS, you will get the /adfs/ls address. This can be changed in the web.config manually, but that’s just another step for every RP app.

As far as using the out of the box login app as a starting point, that’s exactly what we did. I certainly like what Microsoft’s done with the Microsoft.IdentityServer library in the RC. It does make it fairly simple to roll your own AD FS sign-on pages. We’ve even gone as far as supporting OpenID and Facebook Connect in the login process.

By: Travis Spencer

Travis Spencer — Wed, 30 Dec 2009 22:31:03 +0000

Good post, Garrett. I have a couple questions though:

* Why not simply change /adfs/ls in IIS to point to your custom login app and change it back as needed? That sounds just as easy (if not easier) than running the SQL script against WID. Is it because of audience restrictions and other policy that ADFS will apply to incoming RSTs?

* Was there anything in the PowerShell API that would have allowed you to change this endpoint? A cursory look seems like no.

* The RPs are configured to point to an issuer w/ an arbitrary URI — anything not necessarily …/adfs/ls. So, whatever Web app that refers to is the passive STS that that RP will redirect subjects to. Why not use the API exposed by Microsoft.IdentityServer and the login app shipped w/ ADFS as a starting point/reference to build what you need? (This is what I’ve done.)