Eric Fleischman wrote: (...) I will jump in here a little.
> On the SSL front, it's interesting that you see this as a strength of ADFS. I would argue the opposite. Cert infrastructures are non-trivial
AFAIK ADFS at its current stage doesn't fully implement WS-Security, and thus we have to use SSL for all communication between ADFS parties. The element we are missing in this puzzle from WS-Security is SOAP message encryption.
But this is only from the transport security point of view.
> to configure or maintain, I always saw it as a downside to ADFS that it requires one to get a PhD in certology and make this work not only for you but across organizations, assuming you use it in this way. Of course, the real solution to all of this is making a cert infrastructure as easy to run as, say, the key infrastructure that makes Kerberos "just work" for you.
Yes, Eric, you are right that configuring ADFS and all this cert stuff is a pain in ... for most people, but with only a basic understanding of PKI and a good reading of the documentation this can be configured for ADFS in a few minutes (of course, if you have proper certs). I think that making it more "usable", maybe through enabling auto-enrollment for ADFS servers, will make it better.
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
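Since the thread's point is that every ADFS exchange currently rests on SSL rather than on WS-Security message encryption, the server certificate's validity and hostname coverage are what a federation admin has to watch. The following is an added example, not code from the list post nor any Microsoft or ADFS tooling: a small Python helper that reports days until expiry and whether the certificate names the expected host, working on the dict shape that Python's `ssl` module returns from `getpeercert()`. `SAMPLE_CERT` is a constructed sample, and `fetch_cert` is the only function that goes on the network; it uses `ssl.create_default_context()` so chain and hostname validation against the system trust store happen during the handshake.

```python
"""Monitor the TLS certificate protecting a federation (ADFS) endpoint.

Hypothetical helper written for this thread; it is not part of ADFS.
"""
import socket
import ssl
from datetime import datetime, timezone


def _to_utc(value):
    """Accept a tz-aware datetime or a cert-style time string
    ('Mar  1 00:00:00 2024 GMT') and return an aware UTC datetime."""
    if isinstance(value, str):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)
    return value


def days_until_expiry(cert, now=None):
    """Whole days until the certificate's notAfter; negative when expired."""
    now = _to_utc(now) if now is not None else datetime.now(timezone.utc)
    expiry = _to_utc(cert["notAfter"])
    return (expiry - now).days


def certificate_names(cert):
    """DNS names from subjectAltName plus the subject commonName."""
    names = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    return names


def name_matches(cert, hostname):
    """True if hostname is covered exactly or by a single-label wildcard."""
    host = hostname.lower()
    for name in certificate_names(cert):
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.")
                and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def assess(cert, hostname, warn_days=30, now=None):
    """Summarise what an operator would alert on for a federation endpoint."""
    days = days_until_expiry(cert, now)
    return {
        "days_left": days,
        "expired": days < 0,
        "expiring_soon": 0 <= days < warn_days,
        "name_ok": name_matches(cert, hostname),
    }


def fetch_cert(hostname, port=443, timeout=5.0):
    """Live check: TLS handshake with chain and hostname validation against
    the system trust store, returning the peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() dict shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "fs.example.com"),),),
    "subjectAltName": (("DNS", "fs.example.com"), ("DNS", "*.sts.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    # Evaluate the constructed sample as of a fixed date so the run is repeatable.
    print(assess(SAMPLE_CERT, "fs.example.com", now="Feb 10 00:00:00 2024 GMT"))
```

For a real deployment, `assess(fetch_cert("fs.example.com"), "fs.example.com")` is the call to schedule; a failed handshake in `fetch_cert` already means the partner side would refuse the connection, which is the failure mode worth catching before the expiry date rather than after.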
