This project is read-only.

Project Description

a2s is a simple ASP.NET web application that reads the auto-generated AD FS metadata and modifies it for seamless use with Shibboleth SPs.

Background

AD FS 2.0 is a giant step forward to a more open identity federation platform. It has built-in support for SAML, which is also the main protocol used by Shibboleth. Shibboleth is widely deployed especially among educational institutions. It so happens that the company I work for has a federation with a cloud service that requires Shibboleth authentication, and our solution was to use AD FS 2.0 server instead of the reference IdP for Shibboleth.

To integrate ADFS with Shibboleth, however, some manual modifications need to be made to the metadata. There is a great resource on TechNet providing a step-by-step guide to set up ADFS as a claims provider to a Shibboleth Service Provider.

But this solution just won't do for production systems. Manually editing the ADFS metadata XML not only requires careful eyesight, but also a basic skill set in markup languages like XML (sysadmins: "omg!"). Add the fact that the ADFS metadata changes every year with certificate rollover, and it can quickly become an operational nightmare.

The Solution

The TechNet guide provides a simple 8-step process, which turns out to amount to only 3 separate modifications to the ADFS metadata. Armed with this knowledge, I decided that it would be an almost trivial task to programmatically modify the XML file each time the certificate rolls over. But while I'm at it, why not directly create a web service that modifies the metadata on-the-fly whenever an HTTP request for the Shibboleth metadata comes in? Well, it turns out it wasn't that trivial: programmatically tinkering with XML isn't a skill we're born with.
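The on-the-fly rewrite described above, as an added example that is not a2s's own code (a2s is an ASP.NET MVC application; this is a stand-alone Python sketch of the same idea). The page does not list which three modifications the TechNet guide boils down to, so the two edits shown here are assumptions about what such a rewrite needs: stripping the enveloped XML signature, which any edit invalidates, and dropping the WS-Federation `RoleDescriptor` elements that a SAML-only consumer does not understand. The sample metadata is constructed to resemble the shape of AD FS's FederationMetadata.xml and is not real AD FS output.

```python
"""Rewrite AD FS federation metadata into a form a Shibboleth SP will accept.

Added example, not a2s project code. The two edits below (strip the XML
signature, drop WS-Federation RoleDescriptor elements) are assumptions about
what such a rewrite needs; the page itself does not list a2s's modifications.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Keep the familiar prefixes when serialising instead of ns0/ns1.
for prefix, uri in (("md", MD), ("ds", DS), ("fed", FED), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)

# Constructed sample shaped like AD FS FederationMetadata.xml (not real output).
SAMPLE_ADFS_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    xmlns:fed="{FED}" xmlns:xsi="{XSI}"
    entityID="http://adfs.example.test/adfs/services/trust">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="{FED}">
    <fed:TokenTypesOffered/>
  </md:RoleDescriptor>
  <md:RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="{FED}"/>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def rewrite_for_shibboleth(xml_text: str) -> str:
    """Return the metadata with the assumed edits applied, as a Unicode string."""
    root = ET.fromstring(xml_text)

    # 1. Any edit invalidates the enveloped signature, so it has to go. The SP then
    #    needs its trust in this document from elsewhere: fetching it over HTTPS from
    #    a host it trusts, pinning a local copy, or re-signing with the SP's own key.
    for sig in root.findall(f"{{{DS}}}Signature"):
        root.remove(sig)

    # 2. Drop the WS-Federation role descriptors (xsi:type="fed:..."). The xsi:type
    #    value is stored as the literal prefixed string, so a prefix check suffices
    #    for this sample; a production rewrite would resolve the prefix to the
    #    FED namespace instead of trusting that the document used "fed:".
    for role in list(root.findall(f"{{{MD}}}RoleDescriptor")):
        if role.get(f"{{{XSI}}}type", "").startswith("fed:"):
            root.remove(role)

    return ET.tostring(root, encoding="unicode")


def remaining_roles(xml_text: str) -> list[str]:
    """Local names of the top-level children left after the rewrite (for checking)."""
    root = ET.fromstring(xml_text)
    return [child.tag.split("}")[-1] for child in root]


if __name__ == "__main__":
    rewritten = rewrite_for_shibboleth(SAMPLE_ADFS_METADATA)
    print(rewritten)
    print(remaining_roles(rewritten))
```

In a2s the input would be fetched from the AD FS server on each request rather than embedded, which is what makes the yearly certificate rollover a non-event: the new certificate simply shows up in the next rewrite. The signature caveat is the part worth keeping in mind whatever the implementation, since the SP ends up consuming an unsigned document and its trust has to come from the transport or from local configuration instead.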

Hence the birth of this project. I've tried to make things as simple as possible. (I know some of you may argue that MVC is not exactly everybody's idea of a "simple" web app, but I digress...) The goal is for it to be a piece of cake to deploy. I even made it such that the standard Shibboleth /idp/shibboleth URL will return the required XML.

I know there are many other aspects of this program that I can streamline, but this is a working solution, so I decided to just release a beta immediately. After all, a working solution is better than no solution, or a manual workaround. Hopefully, this project will help my counterparts, perhaps working in some other educational institutions.

Feel free to contact me if you have any suggestions or feature requests, or if you wish to contribute to this project.

Last edited Jun 30, 2014 at 3:58 PM by januaryjon, version 3