Identity Federation

a collection of articles relating to Identity Federation infrastructure.

ADFS 2.0 – Office365 – Signout

A client reported some problems with their Sign out functionality of their Office365 solution. They were using TMG as ADFS proxy and a load balancer, so I was expecting one of those components to be the root cause. Luckily I was able to quickly cut them out of the equation by using host files for name resolution. It all came down to updating the preferred authentication method for my ADFS site, from Windows Integrated to Forms based. Now it works. User can sign out and sign in with another user, without taking over any previous sessions.
So navigate to your ../ADFS/LS site physical location and open the web.config and modify the section as below. The change is on the Forms and Integrated sections switched places. Hopefully this will save you some annoyance for your Office365 implementations.

web.config:

     <localAuthenticationTypes>
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="Integrated" page="auth/integrated/" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>      

Update 24-April-2014
The below link describes the above for AD FS 3.0
http://blog.auth360.net/2014/01/07/first-impressions-ad-fs-and-window-server-2012-r2-part-ii/

Advertisements

SharePoint with Azure Access Control Service

This article describes the installation process of using Azure Access Control Service (ACS) as an identity provider for SharePoint. This article uses Windows Live-ID as test.

This article uses ACS as the first federator after the consuming application with reference to the below architecture.

IdentityFederation

Prerequisites:
1: Administrative access to the Azure ACS. (https://manage.windowsazure.com/)
2: Access from SharePoint solution to Azure ACS url. (Internet browsing available)
3: Access to public URL of SharePoint solution. (SharePoint exposed to the internet)

Installation SharePoint with Azure Access Control Service

Identity Federation Infrastructure – Overview

The below should give a simple overview to the infrastructure of identity federation. The approach is generic, however my experience is vastly within the Microsoft portfolio of identity federation products. The following description is from an infrastructure perspective and does not cover the solution specific elements like the claim specification e.g.

Illustrated
IdentityFederation
Directory Services: Active Directory, eDirectory, Red Hat Directory Server
Consumer: SharePoint, CRM
Federator: Active Directoy Federation Services, Azure Account Control Service, Novell Access Manager

Explained
A federator(Identity Provider) can federate its own organization identities to either another federator or to a consumer.
The relying party is created from either the consumer or another federator, to the federator providing the identities.
A federator can federate one or more organizational identities to the same consumer.