I am setting up a trust to Google Apps for my company. The documentation provided by Google has me changing some config files, and they cannot tell me whether these changes affect all trusts using our ADFS or just the Google trust. They said I need to contact my federation services provider to find out what these settings do.
The first change is to the error.aspx.cs file. Under the "Page_Load" function, I am to add the following if statement. This statement is being added (from the documentation) "to capture the exception message when a user clicks "sign out" from Google Apps. The exception message is created because ADFS 2.0 is expecting a SAML sign out request from Google Apps which is not supported. The Google Apps authentication cookies are revoked when the user clicks "sign out" in the Google Apps interface. The ADFS 2.0 authentication cookies will also be revoked when the wa=wsignout1.0 parameter is passed to the ADFS 2.0 server. You will set up this parameter in the SSO sign out URL defined later."

```csharp
if (Exception.Message == "MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.")
{
    Response.Redirect(System.Web.Configuration.WebConfigurationManager.AppSettings["signoutredirecturl"]);
}
```
Then under the same section of "Capturing Exception Message", I have to edit the web.config file. Under the "AppSettings" section of the file I need to add the following statement:
```xml
<add key="signoutredirecturl" value="https://mail.google.com/a/our.domain" />
```
The above 2 changes I don't think change anything for other trusts using our ADFS infrastructure, but I need to confirm this before making the changes.
I'm pretty sure the following change DOES affect every trust using the ADFS infrastructure, but I need to confirm once more. In an effort to disable integrated windows authentication, Google has me making the following change to the web.config file. Under the `<localAuthenticationTypes>` section, there is a line that states `<add name="Integrated" page="auth/integrated/" />`. Google wants me to comment this out, by adding `<!--` and `-->` tags around that line. I'm pretty sure this would disable integrated windows authentication for all trusts, but I need to be sure of this.
Thanks for any information.