Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

ADFS with multiple domains using kerberos constrained delegation

Last post 08-25-2010, 3:07 PM by paullem. 5 replies.
  •  08-18-2010, 10:58 AM 8513

    ADFS with multiple domains using kerberos constrained delegation

    I have a requirement to provide web content at multiple domain URLs. For example, users going to www.acme.com should see the same content as users going to www.contoso.com.

    There is an AD forest with multiple domains (acme.com and contoso.com), all of which have transitive trusts. Acme.com is serving the web content. Kerberos (constrained delegation) is enabled via a UAG array for SSO so the web application can provide services from SAP seamlessly. All this means that when a user visits one of the URLs above, they authenticate to the respective AD domain, get a browser cookie and are good to go... until such time as they hit a link to another domain. For example, the user signs into www.contoso.com and then clicks a link that has acme.com in it. At this point the cookie doesn't recognize acme.com and prompts the user to authenticate to this new realm. Because of constrained delegation, we cannot pass the kerb ticket via a trusted path even though they are in the same forest with a transitive trust.

    So the question is, could we use ADFS to provide trusted claims between the domains so users would not be asked to reauthenticate?
  •  08-22-2010, 2:19 PM 8519 in reply to 8513

    Re: ADFS with multiple domains using kerberos constrained delegation

    Your setup isn't clear to me. Are you still looking for an answer? But I know nothing about UAG, so if that's it, then not for me.

    The only limit to providing the same content under two names for ADFS is the SSL certificate. If you can display the content with different names under different https:// links then ADFS should be able to do SSO.
  •  08-23-2010, 12:46 PM 8520 in reply to 8519

    Re: ADFS with multiple domains using kerberos constrained delegation

    Yes, I'm still looking for an answer. Please let me know what is not clear and I will try to provide more details.

    I don't believe the issue is just SSL certs but primarily the cookies based on this post: http://www.joekaplan.net/KeepYourCookiesStraightWhenUsingADFS.aspx

    If the cookie stores one domain and you click a link that has a different domain (but one that you want to provide access to because it is the same content), how can you do this without having to reauthenticate?
  •  08-25-2010, 5:52 AM 8523 in reply to 8520

    Re: ADFS with multiple domains using kerberos constrained delegation

    There are several cookies. After authentication at an ADFS server there is a session cookie for that ADFS server. In a cross post the SAML token goes to the application, which sets its own cookie. When you hit the second application, you will be redirected to the ADFS server (indeed for authentication). But because there is a session cookie, you don't need to reauthenticate with a password at the ADFS server. The ADFS server does a cross post to the second application, which will set its own cookie.
  •  08-25-2010, 11:31 AM 8524 in reply to 8523

    Re: ADFS with multiple domains using kerberos constrained delegation

    Okay, so is there a domain/realm that the session cookie is based on? And if so, would changing that domain also change my session cookie and require reauthenticating?
  •  08-25-2010, 3:07 PM 8526 in reply to 8524

    Re: ADFS with multiple domains using kerberos constrained delegation

    A session cookie is specific to an application (called path) on a server (called domain). Authentication is done against an AD domain (sometimes called a realm). If you log on once and have the proper setup of your ADFS servers, then Single Sign On (implemented with the ADFS session cookie) will make sure that you authenticate only once, no matter what server you are going to.

    If you want to visit different servers with different identities (at the same time) then most of the time you need to open a new browser session and do a second logon (at, possibly, another AD Domain/realm).
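The cookie behaviour described in the two answers above, as an added simulation that is not part of the thread and not ADFS code: a browser cookie jar that scopes each cookie to the host and path that set it, one federation server whose session cookie lives on its own host/path, and two relying-party applications on different hosts. The hostnames (adfs.corp.example, www.contoso.com, www.acme.com), paths and cookie names are constructed placeholders. It goes slightly beyond the posts by applying the general host-only and path-prefix matching rules of RFC 6265, which is what makes the contoso cookie invisible to acme while the ADFS cookie is still presented on the redirect, so the second application gets a token without a second password prompt.

```python
"""Simulation of ADFS passive single sign-on across two application hosts.

Added illustration only; not code from the forum thread or from ADFS.
Hostnames, paths and cookie names below are constructed placeholders.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    host: str   # host-only cookie: returned only to the host that set it
    path: str


class CookieJar:
    """Minimal browser cookie store (host-only, path-scoped cookies)."""

    def __init__(self):
        self._cookies = {}

    def store(self, c: Cookie) -> None:
        self._cookies[(c.name, c.host, c.path)] = c

    def for_request(self, host: str, path: str) -> dict:
        """Cookies the browser attaches to a request for host/path: exact
        host match (RFC 6265 s5.1.3, host-only) and path-prefix match (s5.1.4)."""
        sent = {}
        for c in self._cookies.values():
            if c.host != host:
                continue
            if path == c.path or path.startswith(c.path.rstrip("/") + "/"):
                sent[c.name] = c.value
        return sent


ADFS_HOST, ADFS_PATH = "adfs.corp.example", "/adfs/ls"   # constructed
ADFS_SESSION_COOKIE = "adfs_session"                      # constructed name


class AdfsServer:
    """Federation server: one logon, then a session cookie scoped to its
    own host/path that lets later sign-ins skip the password prompt."""

    def __init__(self):
        self.sessions = {}        # session id -> user
        self.password_prompts = 0

    def passive_signin(self, jar: CookieJar, user: str) -> str:
        """Return a simulated signed token for `user`, prompting for a
        password only if no valid ADFS session cookie was presented."""
        sid = jar.for_request(ADFS_HOST, ADFS_PATH).get(ADFS_SESSION_COOKIE)
        if sid not in self.sessions:
            self.password_prompts += 1          # interactive logon happens here
            sid = secrets.token_hex(16)
            self.sessions[sid] = user
            jar.store(Cookie(ADFS_SESSION_COOKIE, sid, ADFS_HOST, ADFS_PATH))
        return f"token:{self.sessions[sid]}"    # stands in for the SAML token


class WebApp:
    """Relying party: accepts a token cross-posted from ADFS, then relies
    on its own cookie, which the browser scopes to this host/path."""

    def __init__(self, host: str, path: str = "/"):
        self.host, self.path = host, path
        self.cookie_name = "app_session"        # constructed name
        self.tokens_received = 0

    def request(self, jar: CookieJar, adfs: AdfsServer, user: str) -> str:
        cookies = jar.for_request(self.host, self.path)
        if self.cookie_name in cookies:
            return cookies[self.cookie_name]    # already signed in here
        # 1. redirect to ADFS  2. ADFS authenticates (session cookie or password)
        # 3. ADFS cross-posts the token here   4. this app sets its own cookie
        token = adfs.passive_signin(jar, user)
        self.tokens_received += 1
        jar.store(Cookie(self.cookie_name, token, self.host, self.path))
        return token


def run_scenario() -> dict:
    """User visits www.contoso.com twice, then follows a link to www.acme.com."""
    jar, adfs = CookieJar(), AdfsServer()
    contoso = WebApp("www.contoso.com")
    acme = WebApp("www.acme.com")

    contoso.request(jar, adfs, "alice")   # first visit: one password prompt
    contoso.request(jar, adfs, "alice")   # repeat visit: served from app cookie
    # would contoso's cookie travel to acme? checked before acme is visited
    leaked = "app_session" in jar.for_request("www.acme.com", "/")
    acme.request(jar, adfs, "alice")      # new host: ADFS cookie, no prompt

    return {
        "password_prompts": adfs.password_prompts,                        # 1
        "tokens_issued": contoso.tokens_received + acme.tokens_received,  # 2
        "contoso_cookie_sent_to_acme": leaked,                            # False
        "adfs_cookie_sent_to_apps":
            ADFS_SESSION_COOKIE in jar.for_request("www.acme.com", "/"),  # False
    }


if __name__ == "__main__":
    print(run_scenario())
```

The counters are the point: one password prompt, two tokens. The application cookies never cross hosts, which is the behaviour the original question observed; what bridges the hosts is the separate cookie on the ADFS host, presented only on the redirect to the ADFS sign-in path.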