Service provider of Archer SSO Federation implementation
I want to implement the Archer SSO with Federation service with multiple domains/ADFS. After studying the existing Archer resources online, I have some questions:
- Suppose the IDP is responsible for transferring the LDAP attributes to outgoing claim types, e.g. from User-Principal-Name to ADFS 1x UPN, from Surname to http://schemas.xmlsoap.org/claims/LastName. Then the Service Provider (SP) will set Archer as a Relying Party Trust and “Pass Through or Filter Incoming Claims” to Archer, e.g. UPN, http://schemas.xmlsoap.org/claims/LastName. The question is: if we use the home country's ADFS server as the SP, the users in the home country will not be an IDP and hence cannot be authenticated. Is this correct? If yes, does it mean we need to set up a new AD+ADFS as the SP for Archer?
- Or can the SP work as the IDP at the same time?
- If users in other countries access Archer, they still need to enter their login/password, which is different from Windows authentication (no need to enter login credentials for Windows authentication). Is that correct?
I have moved this thread to the https://community.rsa.com/community/products/archer-grc/archer-customer-partner-community?sr=search&searchId=c0f8c4e0-6fbc-427e-9131-2d4eb93e2047&searchIndex=0 so that you can get an answer to your question.