We have an IdP which handles SP-initiated SSO requests from several SPs. The IdP verifies authentication of external users by communicating with a backend database via a web service. This setup is working well.
We now want to allow SP-initiated SSO to an ADFS server to authenticate internal users. I’ve done some reading, but I’m not sure how this is supposed to work. Will the ADFS server be the IdP? Or should my current IdP talk to the ADFS server in order to authenticate users?
I’m sure this is a simple question, but I’ve been unable to find a definitive answer anywhere.
You have a number of options.
The first would be to not use ADFS at all but simply authenticate users against Active Directory from your IdP.
The second option would be to have the SPs perform SP-initiated SSO directly to ADFS.
The third option is to have your IdP also act as an SP to perform SP-initiated SSO to ADFS. In other words, to external SPs your IdP acts as an IdP. Internally it acts as an SP and ADFS is the IdP.
Will the internal users be logged into Windows ie the Active Directory domain?
If so, a fourth option would be to configure your IdP for integrated windows authentication (IWA). In this case you don’t need ADFS or to authenticate against AD.
If you have any questions about any of these options please let me know.
Thank you for the detailed reply. That is enough information to get me started.