Scenario:
Internal ADFS 2.0 RP-STS
Web application number 1 (ASP.NET) configured for claims-based auth, in the same domain as the internal ADFS, with an RP at the internal ADFS.
Web app number 2 (ASP.NET) also works with the internal ADFS.
External ADFS 2.0 IdP-STS in the DMZ, external AD in the DMZ to host partner accounts
Internal ADFS proxy in the DMZ
External ADFS proxy in the DMZ
Federated trust configured between internal and external ADFS
Remote internal users access https://web1.abc.com/?whr=http://internaladfs.abs.com/adfs/services/trust, log in at the internal ADFS proxy and SSO to the web1 app OK.
From the web1 app, the user opens a link to the web2 app: OK. All is well for internal remote users.
Partners open https://web1.abc.com/?whr=http://externaladfs.abs.com/adfs/services/trust, get prompted to log in at the external ADFS proxy and SSO to the web1 app OK.
From the web1 app, opening the link to the web2 app, the partner gets prompted to log in to the internal ADFS.
But if the partner user directly opens https://web2.abc.com/?whr=http://externaladfs.abc.com/adfs/services/trust, then after logging in at the external ADFS proxy, web2 opens OK.
This tells me the web2 link at web1.abc.com is not smart enough to know who the IdP is, so is there a way to automatically insert the correct whr IdP for partners when they open the web2 URL while on a web1 session?
FYI, both web1 and web2 go through UAG; maybe UAG can add the correct whr parameter by looking at the header? If UAG sees a header with https://web1.abc.com/?whr=http://externaladfs.abc.com/adfs/services/trust, then add the whr to the web2 URL?
Appreciate any comments.
Thanks
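The problem described in the post (web1 not knowing which IdP to put on its link to web2) can also be handled inside the application rather than at UAG. The following is an added example, not code from the original post: a hypothetical ASP.NET helper that remembers the whr a user arrived with and appends the same whr to links pointing at web2, but only when the realm is on an allowlist of the two known STS identifiers. The class name, cookie name and realm URLs are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical helper (added example, not from the original post).
// Captures the home realm (whr) the user reached web1 with and reuses it
// when building links to web2, so a partner is sent back to the external
// ADFS instead of falling through to the internal one.
public static class HomeRealmHelper
{
    private const string CookieName = "HomeRealm";

    // Allowlist of the two IdPs in the scenario. Rejecting anything else
    // stops an attacker-supplied whr from steering users to a foreign STS.
    private static readonly HashSet<string> KnownRealms =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "http://internaladfs.abc.com/adfs/services/trust",
            "http://externaladfs.abc.com/adfs/services/trust"
        };

    public static bool IsKnownRealm(string realm)
    {
        return !string.IsNullOrEmpty(realm) && KnownRealms.Contains(realm);
    }

    // Call from Application_BeginRequest (or a page's OnInit): remembers the
    // whr used to reach this app, but only if it is a trusted realm.
    public static void RememberRealm(HttpRequest request, HttpResponse response)
    {
        string whr = request.QueryString["whr"];
        if (!IsKnownRealm(whr)) return;
        HttpCookie cookie = new HttpCookie(CookieName, whr);
        cookie.HttpOnly = true;
        cookie.Secure = true;   // both apps are served over HTTPS behind UAG
        response.Cookies.Add(cookie);
    }

    // Adds whr to a cross-app link only when a trusted realm is known;
    // otherwise the link is returned unchanged and web2 uses its default IdP.
    public static string AppendRealm(string targetUrl, string realm)
    {
        if (!IsKnownRealm(realm)) return targetUrl;
        string separator = targetUrl.Contains("?") ? "&" : "?";
        return targetUrl + separator + "whr=" + Uri.EscapeDataString(realm);
    }

    public static string LinkToWeb2(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        return AppendRealm("https://web2.abc.com/", cookie == null ? null : cookie.Value);
    }
}
```

Because web2 already honours a whr on a direct open, a link built with LinkToWeb2 lands the partner at the external ADFS proxy without the extra internal-ADFS prompt.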