What is the relationship between wtrealm, WS-Federation Passive URL and Application ID?

I'm looking into ADFS integration using the Microsoft OWIN WS-Federation package, but I'm having a hard time figuring out the purpose of certain parameters from the available documentation.

We have three environments, each housed inside a completely different system from the ADFS system we are trying to authenticate with.

From my research, I have a general understanding of how the authentication process works, but I could use some clarification on where these keywords fit into the Relying Party Trust setup process, what they are used for and how they relate to each other, so that we can tell the (third-party) owner of the ADFS system which settings we need from them.

  • Passive WS-Federation URL
  • Application ID
  • The "wtrealm" parameter, which is supplied as a GET parameter to the ADFS login portal.

I understand that the wtrealm parameter matches the Application ID in the RPT, but where does the WS-Federation URL go? Is this the URL the client will be redirected to for authentication? In that case, do I need a separate RPT for each environment (dev, test, production)? What is the use case for multiple App IDs?

Any light shed on this would be very helpful.

+3

1 answer


This is a really confusing topic. There are different standards (SAML, WS-Fed, OAuth) that have terms for almost the same things, and these terms are used interchangeably or mixed together in gateways. That causes confusion about the terms. In addition, the configuration contains both SAML token properties and IdP / IP properties (such as those of ADFS), as well as application properties (SP / RP). To add insult to injury, some people come up with their own terminology in the hope that it will clarify the situation (and not the reverse).

Each party is uniquely identified worldwide by its EntityID (in WS-Fed and SAML metadata), which must be a URI (usually a URL). In WS-Fed this is really wtrealm = AppID.
In addition, each side has an endpoint (a URL, a real address) where it offers functionality (such as issuing a SAML token). The federation address is one of them. Depending on which configuration item you are talking about, it could be the IP's or the RP's .....
Last but not least, there are several (sometimes the same) certificates, one of which is for signing SAML tokens and usually uniquely identifies (belongs to) a side (EntityID).



HTH :-)

+3
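To make the relationship in the answer concrete, here is an added example (not code from the original post or from the OWIN package): the passive endpoint is where the browser is sent, wtrealm (= AppID = EntityID) rides along as a query parameter, and the token that comes back names that same realm as its audience, which the relying party must check. The hostnames, realm value and SAML fragment are constructed placeholders.

```python
"""WS-Federation passive sign-in: how the passive URL, wtrealm and App ID fit together.
Constructed example; hostnames, realm and the SAML fragment are placeholders."""
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

# Relying party identifier (wtrealm / Application ID / EntityID): a URI, not
# necessarily reachable. Registered on the Relying Party Trust by the ADFS owner.
WTREALM = "urn:example:myapp"                      # constructed value

# The IdP's passive endpoint: the URL the browser is redirected to for sign-in.
PASSIVE_URL = "https://adfs.example.com/adfs/ls/"  # constructed value

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}


def build_signin_url(passive_url: str, wtrealm: str, wreply: str) -> str:
    """Passive sign-in request: wa, wtrealm and wreply sent as GET parameters.
    wreply is where ADFS posts the token back; whether one realm may serve
    several environments (dev/test/prod) with different wreply values depends
    on the endpoints the ADFS owner configures on the RPT (assumption)."""
    query = {"wa": "wsignin1.0", "wtrealm": wtrealm, "wreply": wreply}
    return f"{passive_url}?{urlencode(query)}"


def realm_from_signin_url(url: str) -> str:
    """Read wtrealm back out of a sign-in redirect, e.g. from an access log."""
    return parse_qs(urlparse(url).query)["wtrealm"][0]


def token_audience_matches(assertion_xml: str, expected_realm: str) -> bool:
    """Relying-party check: the token's AudienceRestriction must name this RP's
    realm, otherwise a token issued for a different RPT would be accepted."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.iterfind(".//saml:Audience", SAML_NS)]
    return expected_realm in audiences


# Constructed SAML 1.1 assertion fragment, as ADFS would issue for WTREALM.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
    "<saml:Conditions><saml:AudienceRestrictionCondition>"
    f"<saml:Audience>{WTREALM}</saml:Audience>"
    "</saml:AudienceRestrictionCondition></saml:Conditions></saml:Assertion>"
)

if __name__ == "__main__":
    for host in ("dev.example.com", "test.example.com", "app.example.com"):
        print(build_signin_url(PASSIVE_URL, WTREALM, f"https://{host}/signin-wsfed"))
    print(token_audience_matches(SAMPLE_ASSERTION, WTREALM))
```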

