Validate type of IdentityProvider

Hello everyone,

Here is the situation: a Service Provider application that uses SSO integration with ADFS (as an example; it does not matter which IdP is chosen) is being developed. This application lets a user configure all the needed information about the IdP via the application UI (Name, SingleSignOnServiceUrl, and so on). The following issue arises: a user can input information not about an ADFS IdP but about any other IdP (e.g. Okta), when only integration with ADFS is supported.
Is there a way of checking IdP information to identify the type of IdP?

Thank you, Dmitry!

Hi Dmitry,

I’m not aware of any way to guarantee the supplied information refers to an ADFS instance rather than some other IdP.

ADFS URLs etc. follow a standard pattern. The entity ID/provider name format is "http:///adfs/services/trust" and URLs are "https:///adfs/ls/". However, it is possible to configure ADFS to use a different name and URLs.

You could ask the user to confirm the information if it doesn’t follow this pattern but I wouldn’t prevent them entering different information just in case they’ve configured ADFS in a non-standard manner.
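As an added example (not ComponentSpace's code and not part of the original thread), here is one way to implement the advisory check described above: settings that do not follow the usual ADFS pattern are flagged so the user is asked to confirm them, but they are never rejected, since ADFS can be deployed with a non-standard name and URLs. The host portion of the patterns is assumed to be any hostname; the HTTPS check on the SSO URL and the same-host consistency hint are extra assumptions beyond the reply, and the function and field names are hypothetical.

```python
"""Advisory ADFS-pattern check for user-entered IdP settings (hypothetical example).

Conventions taken from the thread:
  entity ID : http://<host>/adfs/services/trust
  SSO URL   : https://<host>/adfs/ls/
A non-match only asks the user to confirm; it does not block the configuration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: the host may be any hostname (the thread elides it).
ADFS_ENTITY_ID_RE = re.compile(r"^https?://[^/]+/adfs/services/trust/?$", re.IGNORECASE)
ADFS_SSO_URL_RE = re.compile(r"^https://[^/]+/adfs/ls/?$", re.IGNORECASE)


@dataclass
class IdpCheck:
    """Result shown to the user; nothing here is a hard rejection."""
    matches_adfs_pattern: bool          # both values look like stock ADFS
    needs_confirmation: bool            # at least one warning was raised
    warnings: list[str] = field(default_factory=list)


def check_adfs_settings(entity_id: str, sso_url: str) -> IdpCheck:
    """Compare user-supplied IdP settings against the usual ADFS pattern."""
    warnings: list[str] = []
    eid = entity_id.strip()
    url = sso_url.strip()

    entity_ok = bool(ADFS_ENTITY_ID_RE.match(eid))
    sso_ok = bool(ADFS_SSO_URL_RE.match(url))
    if not entity_ok:
        warnings.append(
            f"Entity ID {eid!r} does not follow the usual ADFS pattern "
            "http://<host>/adfs/services/trust")
    if not sso_ok:
        warnings.append(
            f"SSO URL {url!r} does not follow the usual ADFS pattern "
            "https://<host>/adfs/ls/")

    # Assumption beyond the thread: an SSO endpoint should be HTTPS regardless of vendor.
    parsed_url = urlparse(url)
    if parsed_url.scheme.lower() != "https":
        warnings.append(f"SSO URL {url!r} is not HTTPS")

    # Assumption beyond the thread: entity ID and SSO URL normally name the same host.
    eid_host = urlparse(eid).hostname
    url_host = parsed_url.hostname
    if eid_host and url_host and eid_host.lower() != url_host.lower():
        warnings.append(
            f"Entity ID host {eid_host!r} differs from SSO URL host {url_host!r}")

    return IdpCheck(
        matches_adfs_pattern=entity_ok and sso_ok,
        needs_confirmation=bool(warnings),
        warnings=warnings,
    )


if __name__ == "__main__":
    # Constructed sample inputs, not real tenants.
    samples = {
        "stock ADFS": ("http://adfs.example.com/adfs/services/trust",
                       "https://adfs.example.com/adfs/ls/"),
        "Okta-style": ("http://www.okta.com/exk-constructed",
                       "https://dev-000000.okta.com/app/example/sso/saml"),
        "custom ADFS": ("urn:federation:contoso",
                        "https://sts.contoso.example/adfs/ls/"),
    }
    for label, (eid, url) in samples.items():
        result = check_adfs_settings(eid, url)
        print(f"{label}: matches={result.matches_adfs_pattern} "
              f"confirm={result.needs_confirmation}")
        for w in result.warnings:
            print("  -", w)
```

The UI would show the warnings and a "these settings are correct" confirmation when `needs_confirmation` is true, then save whatever the user confirmed; the regex match is a hint about the likely IdP type, not proof of it.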

[quote]
ComponentSpace - 11/2/2020
Hi Dmitry,

I'm not aware of any way to guarantee the supplied information refers to an ADFS instance rather than some other IdP.

ADFS URLs etc follow a standard pattern. The entity ID/provider name format is "http:///adfs/services/trust" and URLs are "https:///adfs/ls/". However, it is possible to configure ADFS to use a different name and URLs.

You could ask the user to confirm the information if it doesn't follow this pattern but I wouldn't prevent them entering different information just in case they've configured ADFS in a non-standard manner.
[/quote]

Got it, thank you for the response!

Is this situation (possible customization of the IdP URL) relevant for other SSO solutions like Azure AD and Okta? Maybe in the case of Azure AD and Okta it is possible to find a constant template for EntityId validation.

For cloud offerings like Azure AD and Okta they tend to follow a standard pattern. However, this is by convention and there’s nothing to say they couldn’t change this.

[quote]
ComponentSpace - 11/6/2020
For cloud offerings like Azure AD and Okta they tend to follow a standard pattern. However, this is by convention and there's nothing to say they couldn't change this.
[/quote]

Thank you for the response!

You’re welcome.