I have a 3rd party program that supports web SSO using SAML 1.1 (it is ready to serve as the Service Provider, in other words).
We would like to implement this SSO for our intranet users based on their Active Directory credentials. In other words, they've already logged on to their system, so let's simply use those credentials to facilitate an SSO. I am a little overwhelmed at where to begin, though.
My initial thought is that IIS / Active Directory could easily serve as the Identity Provider since IIS gives us "Integrated Windows Authentication" abilities. I would think we could just create a .NET web app that requires Integrated Authentication which simply extracts the current user ID, builds the SAML response, and re-directs the user back to the Service Provider with this SAML response to complete the SSO.
But then, my problem is that I simply have no real idea of how to go about creating this SAML response, the X.509 certs involved, etc... I am wondering if I am in over my head on this, or if creating this SAML response should be relatively easy.
Note this SSO is to be used by intranet users only, so no need to worry about federating with other companies / domains.
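Added example, not from the question or either answer: a Python sketch of the Response the asker's IIS-hosted IdP would build once Integrated Windows Authentication has identified the user, plus the checks the Service Provider applies on receipt (status, validity window, audience). The issuer, audience and recipient URLs are made-up values; XML-DSig signing with the IdP's X.509 key is left out and must be added before an SP can trust the assertion.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC, Z-suffixed

def parse_ts(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)

def build_response(user, issuer, audience, recipient, now, ttl=300):
    """Build the SAML 1.1 Response the IdP returns to the SP for `user` (unsigned here)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ResponseID": "_" + uuid.uuid4().hex, "MajorVersion": "1", "MinorVersion": "1",
        "IssueInstant": now.strftime(TS), "Recipient": recipient})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": "samlp:Success"})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "AssertionID": "_" + uuid.uuid4().hex, "MajorVersion": "1", "MinorVersion": "1",
        "Issuer": issuer, "IssueInstant": now.strftime(TS)})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": (now - timedelta(seconds=30)).strftime(TS),    # clock-skew allowance
        "NotOnOrAfter": (now + timedelta(seconds=ttl)).strftime(TS)})  # short life limits replay
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = audience  # ties the assertion to one SP
    st = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement", {
        "AuthenticationMethod": "urn:ietf:rfc:1510",  # Kerberos, the usual IWA mechanism
        "AuthenticationInstant": now.strftime(TS)})
    subj = ET.SubElement(st, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"}).text = user
    return ET.tostring(resp)

def validate_response(xml_bytes, expected_audience, now):
    """SP-side checks: success status, validity window, audience. Returns the user or None."""
    root = ET.fromstring(xml_bytes)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != "samlp:Success":
        return None
    cond = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Conditions")
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return None
    if expected_audience not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        return None
    return root.findtext(f".//{{{SAML}}}NameIdentifier")
```

An SP that skips any of these checks, or the signature check this sketch omits, will accept assertions minted for another application or replayed long after the user's session ended.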
Another option that you may want to look into is Microsoft's Active Directory Federation Server (ADFS) 2.0.
I wouldn't bother trying to build something SAML compliant. It will take you weeks to use a toolkit and your efforts will probably only handle the one use case. Once you get something custom into place you'll soon realize the rest of your organization needs some type of SAML integration as well (either internal or externally).
The quickest (and IMHO) easiest way (and you'll come out looking like a hero) is to use something like PingFederate from www.pingidentity.com. You can have it up and running in less than a day if you know what you are doing.
Just my $0.02
HTH - Ian
AssureBridge provides a great solution that quickly and easily turns your Active Directory into a robust SAML Identity Provider (IdP). Here is how:
- Lightweight gateway easily installs on your IIS server.
- Seamless login using Active Directory as the Identity Provider (IdP).
- No knowledge of SAML is required to implement the solution.
- Passing of Active Directory user attributes to SAML based applications.
- Can allow users to securely access applications from outside your network. Options for hosting SSOExchange® as a fully-managed SaaS appliance or as a Cloud-based On-Demand service.
- Monitoring and Tracing of SSO transactions.
- No firewall modifications are needed.
- Specialty Service Provider (SP) adapters available for numerous technologies and applications.
For more information visit our site: http://www.assurebridge.com/integrations/microsoft-active-directory-saml-sso-integration.