Channel: Claims based access platform (CBA), code-named Geneva forum

Understanding the Web Application Proxy Role in ADFS


Hi,

My internal AD users want to use a 3rd party claims-based application and authenticate using their local AD credentials. I have deployed an internal ADFS server and a WAP, both running on Windows Server 2012 R2. We do not host any internal applications; we're purely using the 3rd party hosted claims application "claimsapp".

I have configured my ADFS server - the federation metadata displays OK and I can log in using https://sts.contoso.com/adfs/ls/idpinitiatedsignon.htm

For the WAP role on 2012, I've simply installed the role on a workgroup server in my DMZ, pointed the installation wizard at my internal ADFS server, supplied the sts.contoso.com certificate and supplied local admin credentials on my internal ADFS server.

The questions I have are:

1. Do I need to do anything else on the WAP to publish my internal ADFS server? I'm assuming that the wizard automatically publishes sts.contoso.com - I want this done so that my external users at home and in coffee shops can access the 3rd party application with ADFS.

2. In a scenario of my external users using the ADFS application, am I right in thinking that the actual traffic flow is as follows:

1. My external AD user (home1) ----> claimsapp.com
2. claimsapp.com ---> home1 with message not authenticated, (provide token)
3. home1 ----> sts.contoso.com (authentication request)
4. WAP ---> internal ADFS (using pass through request)
5. Internal ADFS --> Domain Controller (authentication request on behalf of client)
6. DC --> back to internal ADFS server (authenticated)
7. Internal ADFS ---> home1 (here's token)
8. home1 ---> claimsapp. (here's token)
9. claimsapp --> home1 (access granted)

Am I right in thinking the 3rd party claimsapp.com doesn't directly talk to my WAP or ADFS server, but rather all the redirection that goes on is being done by the home1 client browser?

Thanks



IT Support/Everything
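
The redirect sequence asked about above, modelled as a WS-Federation passive sign-in (an assumption; the post does not say which protocol claimsapp uses). This is an added example, not part of the original post; the realm identifier, reply URL and token placeholder are constructed.

```python
from urllib.parse import urlencode, urlparse, parse_qs

STS_URL = "https://sts.contoso.com/adfs/ls/"   # host from the post; AD FS passive endpoint
REALM = "https://claimsapp.com/"               # assumed relying-party identifier
# Assumed trust configuration held by the STS: realm -> registered reply URL.
REGISTERED_REPLY = {REALM: "https://claimsapp.com/signin"}

def rp_challenge(requested_path):
    """Hop 2: the relying party answers an anonymous request with a redirect."""
    query = urlencode({"wa": "wsignin1.0", "wtrealm": REALM, "wctx": requested_path})
    return f"{STS_URL}?{query}"

def sts_sign_in(url, authenticated):
    """Hops 3-7: the STS checks the request and hands the browser a form to post."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    reply_to = REGISTERED_REPLY.get(params.get("wtrealm"))
    if params.get("wa") != "wsignin1.0" or reply_to is None:
        raise ValueError("unknown action or relying party")
    if not authenticated:
        raise PermissionError("credentials rejected")
    # The token goes to the reply URL registered for the realm, never to an
    # address taken from the request.
    form = {"wa": "wsignin1.0", "wresult": "<signed token placeholder>",
            "wctx": params.get("wctx", "")}
    return reply_to, form

def browser_flow(path):
    """Drive the exchange as the browser and record every (client, server) pair."""
    hops = [("home1", "claimsapp.com")]                      # hop 1
    redirect = rp_challenge(path)                            # hop 2
    hops.append(("home1", urlparse(redirect).hostname))      # hop 3
    reply_to, form = sts_sign_in(redirect, authenticated=True)
    hops.append(("home1", urlparse(reply_to).hostname))      # hop 8
    return hops, form

if __name__ == "__main__":
    for client, server in browser_flow("/reports")[0]:
        print(f"{client} -> {server}")
```

Every recorded connection has the browser as the client; the model contains no call from the relying party to the STS.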

