Ever have one of those days where you swear that you've written something, but can't find it? I could have sworn that I wrote this article before. Ah well.
It makes a lot of sense to use ACS to manage Identity Providers. It also makes sense to use Active Directory for letting users sign in to your cloud application. Therefore we would hope that ACS and ADFS play nicely together. It turns out they do. In a previous post I talked about federating ACS and ADFS, where ACS is an identity provider to ADFS. Now let's reverse it: we want users to be redirected to ACS, and from there to ADFS to sign in.
First things first. Let's log into our ACS namespace, navigate to the Identity Providers section, and then click Add an Identity Provider:
From there we want to select what type of provider to use, and in this case we will select WS-Federation:
We are now provided with a form to fill out. There are five properties: Display Name, WS-Federation metadata, Login Link text, Image Url, and Email domain names.
Display name is fairly straightforward. What do you want the internal name of this IdP to be?
Next we need to provide a link to the Federation Metadata document that ADFS provides. The path is https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml.
Then we give it a public name, such as "ObjectSharp Internal Users".
If we want to show an image instead of text, we can provide a path to the image.
Finally we are asked for a semicolon-separated list of email domains. This may seem a bit confusing at first. Basically, it removes the IdP from the Home Realm Discovery page and instead requires the user to enter their email address. That way, instead of seeing the "ObjectSharp Internal Users" link, we are presented with a text box where we enter an email address like firstname.lastname@example.org. ACS then looks up the domain in its list and, if there is a matching entry, redirects to that IdP.
This takes care of the ACS side. Just like in the previous post, each party needs to know about the other, so we need to tell ADFS that ACS will be calling. This is pretty simple: we just add a relying party to ADFS using the ACS metadata. You can find the ACS metadata under Application Integration:
There isn't much to federating ADFS to ACS and vice versa.
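Both directions of this setup rest on a FederationMetadata.xml document being right before the other side trusts it. As an added example (not code from the original post), the Python below parses a constructed, cut-down ADFS-style metadata document and pulls out what ACS actually consumes from it: the entityID, the signing certificate(s) and the passive (browser) sign-in endpoint, flagging a missing signing key or a non-HTTPS sign-in URL. The function names, the sample document and its placeholder certificate are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Constructed, cut-down FederationMetadata.xml in the shape ADFS publishes (placeholder cert).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  entityID="http://adfs.domain.com/adfs/services/trust">
 <RoleDescriptor xsi:type="fed:SecurityTokenServiceType">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>MIIC-PLACEHOLDER-CERT</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <fed:PassiveRequestorEndpoint><EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
   <Address>https://adfs.domain.com/adfs/ls/</Address></EndpointReference></fed:PassiveRequestorEndpoint>
 </RoleDescriptor>
</EntityDescriptor>"""
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
ENDPOINT_PATH = "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address"

def inspect_metadata(xml_text):
    """Pull out what ACS actually consumes: entityID, signing certs and browser sign-in URLs."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "signing_certs": [], "passive_endpoints": []}
    for role in root.findall("md:RoleDescriptor", NS):
        # Only the STS role matters here; ADFS also publishes an ApplicationServiceType role.
        if not role.get(XSI_TYPE, "").endswith("SecurityTokenServiceType"):
            continue
        info["signing_certs"] += [c.text.strip() for c in role.findall(CERT_PATH, NS)]
        info["passive_endpoints"] += [a.text.strip() for a in role.findall(ENDPOINT_PATH, NS)]
    return info

def check_metadata(info):
    """Return reasons not to register this IdP in ACS as-is (an empty list means it looks fine)."""
    problems = []
    if not info["entity_id"]:  # entityID is an identifier, so an http scheme there is normal
        problems.append("missing entityID (ACS uses it as the issuer name)")
    if not info["signing_certs"]:
        problems.append("no signing certificate: tokens from this IdP could not be verified")
    if not info["passive_endpoints"]:
        problems.append("no PassiveRequestorEndpoint: nowhere to redirect the browser for sign-in")
    for ep in info["passive_endpoints"]:
        if urlparse(ep).scheme != "https":
            problems.append("sign-in endpoint is not https, tokens would travel in the clear: " + ep)
    return problems
```

The same checks apply to the ACS metadata you hand to ADFS in the reverse direction, since ACS publishes the same EntityDescriptor format.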