Provides a high level overview of how the Authentication process works with an ADFS non-claims aware web application.
User Authentication Sequence Diagram
The steps in the authentication process are
- A request is sent from the browser to the Web Application Proxy (WAP) to access the application URL ( for e.g. http://wap.company.com/owa )
- The WAP checks to see if there is a Kerberos ticket associated with the user session. The first time a user access the system there will be no ticket associated with the user session.
- WAP responds to browser with an HTTP redirect (302), directing the browser to the ADFS server to get authenticated
- Browser sends request to WAP to Verify authentication status via ADFS ( for e.g. http://wap.company.com/adfs )
- WAP forwards request to ADFS service
- ADFS which has been configured to use GridGuard for authentication creates a SAML Authentication Request and forwards request to the GridGuard server
- GridGuard authenticates the user based on realm level configuration settings
- GridGuard returns back the SAML Authentication response to the ADFS server
- ADFS now creates a Kerberos ticket for the user (assuming that the SAML Authn Response indicated that the user was successfully authenticated)
- ADFS returns Kerberos ticket to the WAP
- WAP now sends a browser a redirect request to redirect the user back to the original target application URL
- Browser sends a request to the Target App URL
- WAP verifies that there is a Kerberos ticket associated with user session
- WAP forwards request to the target application. Included in the request is the Kerberos ticket information
- Target application that supports Integrated Windows Authentication, accepts the Kerberos ticket, validates it and grants the user access to the system
- The secured page is returned to the WAP
- WAP forwards the secured page to the browser. The user is now logged in able to access the application.