SAML SSO integration with Microsoft ADFS 2.0.

  • Greg
    # 6 years, 11 months ago

    Hi there,

    I found your page for your miniOrange SSO solution. I tried signing up for a free trial using my xyz@abc.com email, but it’s telling me that’s not a valid email.
    Do you have any additional information about the product? We’re specifically interested in using it to provide SAML SSO integration with Microsoft ADFS 2.0.
    Thanks,
    Greg
    Anupriya
    # 6 years, 11 months ago

    Hi Greg,

    Thanks for reaching out to us.

    If you signed up using your details on the Free Trial signup page. You should have received an email with a password on your email address (xyz@abc.com). You can login with your email address and the new password on our login page. Once you login, please proceed to change your email address and other profile details by clicking on the user icon on top-right.

    It is possible to integrate your Firebase application with the miniOrange Single Sign-On Service to facilitate SSO with AD FS 2.0 over SAML. Can you give me more information regarding the Firebase application?

    Thanks,
    Anupriya

    Greg
    # 6 years, 11 months ago

    Thanks Anupriya.

    Is there any documentation for the Firebase integration? Perhaps I am missing it but I’m not seeing anything related to Firebase in the dashboard or in the other integrations section.

    Thanks,
    Greg

    Anupriya
    # 6 years, 11 months ago

    Hi Greg,

    For a Firebase integration, we are currently handling individual use cases on a case to case basis. That is the reason you could not find documentation. Could tell me more about your Firebase application? Please explain your usecase.

    Thanks,
    Anupriya

    Greg
    # 6 years, 11 months ago

    Hi there,

    I cant disclose very much information about it as we are under NDA; however, I can say that it needs to integrate with an existing ADFS 2.0 SAML SSO installation. The firebase app is currently using Firebase email/password based auth, and we would like to modify it to use SAML SSO. I would like more information about how this can be accomplished using your solution.

    Thanks,
    Greg

    Anupriya
    # 6 years, 11 months ago

    Hi Greg,

    Your use case can be accomplished in the following manner –

    1. We will give you a code snippet that you need to include in your firebase app. This code snippet will know how to delegate authentication to our SAML service and then how to receive the response and read the token from it and then use the token to authenticate into your Firebase app.
    2. In the background, we will let you configure an ADFS on our SAML service so that the authentication can be delegated to it.
    3. The communication between our SAML service and ADFS will be in SAML and the communication between Firebase app and our SAML service will be using HTTPS protocol. The token that we will send you is going to be a JWT token.

    Please let me know your thoughts.

    Thanks,
    Anupriya

    Greg
    # 6 years, 11 months ago

    Hi Anupriya,

    We are getting closer to moving forward with this solution. One thing Id like to determine is the best way to handle this in a multi-tenant architecture. Let me describe what we are trying to do and you can tell me if this is something that’s supported.

    This application is a firebase app that already in production. For the users at some clients of this app, they will need to authenticate against that clients ADFS server. Other users might need to authenticate against another ADFS server, and others might not need to authenticate against ADFS at all.

    Is there some way that we could have the SAML/ADFS authentication work against multiple different ADFS servers on the back end so that we can support this for multiple organizations?

    Thanks,
    Greg

    Anupriya
    # 6 years, 11 months ago

    Hi Greg,

    We do support multiple Identity Providers (like ADFS) and authenticating users in different IDPs based on their domain. Do your users, who will authenticate from 2 different ADFS, have different domains (eg. john@example.com – example is the domain)?

    Also, since you mentioned that not all users will be authenticated by SSO and some will login via Firebase’s username and password, do you plan to add a button to the login page for other users to SSO? If not, how do you plan to segregate the two types of users?

    Thanks,
    Anupriya

    Greg
    # 6 years, 11 months ago

    Hi Anupriya,

    Unfortunately, not all users that would be hitting our app for one client would have a domain name in common. Most users would, but there will be some outliers.

    Each client will have a separate domain name when they hit the service – so people from client ABC would hit abc.platformname.com and people from client XYZ would hit xyz.platformname.com.

    Aside from segregating users by domain name in their email address, do you offer any other mechanism that we could use to support different ADFS backends for each client given what I have described above?

    Thanks,
    Greg

    Anupriya
    # 6 years, 11 months ago

    Hi Greg,

    We do offer another way for users to SSO, using the discovery service. In the discovery service, your users will be shown the option to select from the two IDPs instead of auto-redirecting to one on the basis of domains.

    As for the domain solution, if users are a part of a couple of domains which will be unique for that client, domain mapping method would work for SSO. Is that the case or do some of the users have domains which aren’t unique?

    Thanks,
    Anupriya

    Greg
    # 6 years, 11 months ago

    Is there a way for us to programatically choose a particular IDP and force the users to use that one? That would work as we could force users that are hitting abc.platformname.com to use ABC IDP, and force users hitting xyz.platformname.com to use XYZ IDP.

    Unfortunately for the users that aren’t part of the client domain, they could have a completely random email address – gmail/hotmail/etc.

    Thanks,
    Greg

    Anupriya
    # 6 years, 11 months ago

    Hi Greg,

    It is possible to support it by redirecting to separate URLs to identify which ADFS to redirect to.
    We would need to make a few changes in our system to facilitate that.
    Thanks,
    Anupriya

    Greg
    # 6 years, 11 months ago

    Hi Anupriya,

    Just wanted to follow up to clarify a few things:

    1. How close are you to being able to allow us to redirect to separate URLs to identify which ADFS IDP a particular user will authenticate against?

    2. Just wanted to verify that your service works with ADFS 2.0? (I know I specified this in the email thread below, but not sure that it was ever confirmed that you do support ADFS 2.0)

    Thanks,
    Greg

    Anupriya
    # 6 years, 11 months ago

    Hi Greg,

    – We are just a couple of days from releasing this feature. Once that’s ready, we will be able to redirect you to separate IDPs using different URLs.
    – Yes, we support applications which support SSO using SAML 2.0 like ADFS 2.0.

    I have a doubt regarding the application using which you will redirect the user, is that your website or the app which you mentioned earlier, which uses firebase?

    Thanks,
    Anupriya

    Greg
    # 6 years, 11 months ago

    Hi Anupriya,

    The application that we are using is a Firebase web app.

    Thanks,
    Greg

Viewing 15 posts - 1 through 15 (of 30 total)

You must be logged in to reply to this topic.