ADFS v.2.0 transitive trust in a federation scenario

Posted by masi on Server Fault See other posts from Server Fault or by masi
Published on 2012-08-30T20:13:36Z Indexed on 2012/08/30 21:40 UTC

Currently I'm working with ADFS to establish a federated trust between two separate domains. My question is simple: does ADFS v. 2.0 support transitive trust across federated identity providers? I know that ADFS v. 1.0 does not, as stated in this document on page 9. But when looking at the claims rules that come with ADFS 2.0 it seems to be possible, as a Microsoft partner confirmed.

However: the documentation on this topic is a mess! There are simply no ADFS v. 2.0-related statements on this topic that I was able to find (IF you have any documentation on this, PLEASE help me out, guys!).

To be more clear, let's assume this scenario:

Federation provider (A) trusts federation provider (B), which trusts identity provider (C). So, does (A) trust identities coming from (C) via (B)?

Also, if it is possible, there are some things that I'm especially interested in:

  • Is it possible to restrict the transitive trust in ADFS in any way? If so, how?
  • How does the transitive trust affect the Issuer and OriginalIssuer properties of the claims?
  • If transitive trust is used together with claims transformations and provider (B) would transform incoming claims from (C) in a way that they are transformed into (new) claims of the same type and value, how would this affect the Issuer and OriginalIssuer properties?
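The three questions above (restricting transitive trust, what happens to Issuer and OriginalIssuer on pass-through, and what happens when an intermediate provider rewrites claims to the same type and value) can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the poster and not ADFS's own implementation, and it does not claim to state how ADFS 2.0 actually behaves. It assumes a simple model: a pass-through rule re-issues a claim with Issuer set to the current provider and OriginalIssuer preserved, a transformation rule that creates a new claim stamps both properties with the transforming provider, and a provider may restrict acceptance to an allow-list of OriginalIssuers. The provider names A, B, C and the claim value are constructed stand-ins for real entity identifiers.

```python
"""Toy model of claims flowing C -> B -> A, tracking Issuer / OriginalIssuer.

ASSUMED model (illustration only, not ADFS 2.0's documented behaviour):
  * pass_through: Issuer becomes the re-issuing provider, OriginalIssuer kept
  * transform:    a freshly issued claim carries the transforming provider as
                  both Issuer and OriginalIssuer, so upstream provenance is lost
  * accept:       a provider may drop claims whose OriginalIssuer is not on an
                  allow-list, which is the restriction mechanism modelled here
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str           # provider that signed the token carrying this claim
    original_issuer: str  # provider that first asserted the claim


class Provider:
    """A security token service in the chain (identity or federation provider)."""

    def __init__(self, name: str, accepted_original_issuers: Optional[Set[str]] = None):
        self.name = name
        # None means no restriction; otherwise only listed OriginalIssuers survive acceptance
        self.accepted_original_issuers = accepted_original_issuers

    def accept(self, claims: Iterable[Claim]) -> List[Claim]:
        """Acceptance rules: filter incoming claims by their OriginalIssuer."""
        if self.accepted_original_issuers is None:
            return list(claims)
        return [c for c in claims if c.original_issuer in self.accepted_original_issuers]

    def pass_through(self, claim: Claim) -> Claim:
        """Re-issue the claim unchanged; only the Issuer moves to this provider."""
        return replace(claim, issuer=self.name)

    def transform(self, claim: Claim, new_type: str, new_value: str) -> Claim:
        """Issue a new claim derived from the incoming one; provenance restarts here."""
        return Claim(new_type, new_value, issuer=self.name, original_issuer=self.name)


def authenticate(idp: Provider, claim_type: str, value: str) -> Claim:
    """The identity provider asserts the claim itself, so both properties are its own."""
    return Claim(claim_type, value, issuer=idp.name, original_issuer=idp.name)


def transitive_pass_through(restrict_a_to_b: bool = False) -> List[Claim]:
    """C authenticates, B passes the claim through, A accepts (optionally only from B)."""
    c = Provider("C")
    b = Provider("B")
    a = Provider("A", accepted_original_issuers={"B"} if restrict_a_to_b else None)
    token_from_c = [authenticate(c, "email", "alice@example.test")]  # constructed sample
    token_from_b = [b.pass_through(cl) for cl in b.accept(token_from_c)]
    return a.accept(token_from_b)


def transitive_transformed() -> List[Claim]:
    """Same chain, but B rewrites the claim to the same type and value.

    A restricts acceptance to OriginalIssuer B, yet the claim that began at C
    passes, because the transformation stamped B as OriginalIssuer.
    """
    c = Provider("C")
    b = Provider("B")
    a = Provider("A", accepted_original_issuers={"B"})
    token_from_c = [authenticate(c, "email", "alice@example.test")]  # constructed sample
    token_from_b = [b.transform(cl, "email", cl.value) for cl in b.accept(token_from_c)]
    return a.accept(token_from_b)


if __name__ == "__main__":
    print("pass-through, unrestricted:", transitive_pass_through())
    print("pass-through, A accepts only B:", transitive_pass_through(restrict_a_to_b=True))
    print("transformed at B, A accepts only B:", transitive_transformed())
```

Under this model, filtering on OriginalIssuer at (A) blocks transitively forwarded claims only as long as (B) passes them through; once (B) re-issues a claim of the same type and value, (A) can no longer distinguish it from a claim (B) asserted itself. Whether the real ADFS 2.0 claim pipeline behaves this way is exactly the documentation question the post raises, and the model should be checked against an actual deployment before any trust decision is based on it.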

© Server Fault or respective owner
