The Web Forms and MVC example identity and service providers demonstrate single sign-on with Windows Active Directory Federation Services (ADFS).
The following sections describe the configuration for the Web Forms example identity provider and service provider but, with the appropriate changes, apply equally to the MVC examples.
Miscellaneous Configuration
For the purposes of these examples, the host name of the ComponentSpace example applications is cs.test and the host name of the ADFS server is adfs.test.
If using these host names, update the Windows\System32\drivers\etc\hosts file on the test and ADFS servers to include entries for cs.test and adfs.test. For example:
192.168.1.20 cs.test
192.168.1.21 adfs.test
10.3.2 Configuring the Service Provider
The following sections describe interoperability between the example service provider and ADFS acting as the claims provider (i.e. identity provider).
The saml.config file includes the following entry for the ADFS partner identity provider.
<PartnerIdentityProvider Name="http://adfs.test/adfs/services/trust"
SignAuthnRequest="true"
WantResponseSigned="false"
WantAssertionSigned="true"
WantAssertionEncrypted="true"
UseEmbeddedCertificate="true"
SingleSignOnServiceUrl="https://adfs.test/adfs/ls/"/>
The name must match the issuer name ADFS uses in the returned SAML response. For example, if ADFS is deployed to the myadfs server then the name must be http://myadfs/adfs/services/trust.
The ADFS federation service properties list the federation service identifier.
The UseEmbeddedCertificate flag is set to simplify the configuration. If not set then the ADFS signature certificate needs to be imported to the service provider and configured in the SAML configuration certificate manager.
The web.config’s PartnerIdP setting specifies the partner identity provider for SP-initiated SSO and should be set to the name of the ADFS partner identity provider, http://adfs.test/adfs/services/trust.
<add key="PartnerIdP" value="http://adfs.test/adfs/services/trust"/>
Configuring ADFS – Adding a Relying Party
In the ADFS terminology, the service provider is a relying party. Using the ADFS management console, add a relying party trust for the service provider.
Note that strings in ADFS, including URLs, are case sensitive.
Confirm that the /adfs/ls endpoint for SAML v2.0 exists. If it doesn’t, refer to the ADFS documentation.
Confirm that the service communications, token decrypting and token encrypting certificates exist. If they don’t, refer to the ADFS documentation.
Add a relying party trust and select the option to enter the relying party information manually.
Specify a display name. The display name does not have to match any other configuration.
Choose the ADFS profile.
Browse to sp.cer to specify it as the token encryption certificate. Ignore any warnings about the key length.
The token encryption certificate is used to encrypt the SAML assertion. The service provider decrypts the SAML assertion using the associated private key.
Enable support for SAML v2.0 and specify the service provider’s assertion consumer service URL. ADFS sends the SAML response to this URL. For example:
https://cs.test/ExampleServiceProvider/SAML/AssertionConsumerService.aspx
Specify the relying party trust identifier. This identifier must match the issuer field in the authn request sent by the service provider. The ServiceProvider name attribute in the saml.config configuration file is used as the issuer, so this name and the relying party trust identifier must match.
For example, if the saml.config includes:
<ServiceProvider Name="urn:componentspace:ExampleServiceProvider"
AssertionConsumerServiceUrl=
"~/SAML/AssertionConsumerService.aspx"/>
Then the relying party trust identifier must be:
urn:componentspace:ExampleServiceProvider
Permit all users access to this relying party.
Review the configuration and close the wizard.
The service provider should be included in the list of relying party trusts.
The authn request sent by the service provider is signed. To specify the certificate used to verify the signature, open the relying party trust’s properties and, under the Signature tab, add the service provider certificate.
Although the SAML v2.0 component supports SHA-256 signatures, for this example SHA-1 is used. To specify this, under the Advanced tab, select SHA-1.
Edit the claim rules and add a rule.
Map the Active Directory user principal name to the outgoing Name ID. Map additional Active Directory attributes to include in the SAML assertion as SAML attributes.
ADFS should now be ready to communicate with the example service provider.
To review the metadata published by ADFS, browse to:
https://adfs.test/FederationMetadata/2007-06/FederationMetadata.xml
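The name-matching rules above (partner identity provider name against the ADFS entityID, the web.config PartnerIdP setting, the ServiceProvider name against the relying party trust identifier, and the /adfs/ls SSO URL, all compared case sensitively) can be checked mechanically against the published metadata. The following Python is an added example, not part of the ComponentSpace examples; the metadata and saml.config strings are constructed samples trimmed to the elements the check reads, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample of ADFS FederationMetadata.xml, trimmed to the elements this check reads.
FEDERATION_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed saml.config built from the fragments shown above (namespace omitted for brevity).
SAML_CONFIG = """<SAMLConfiguration>
  <ServiceProvider Name="urn:componentspace:ExampleServiceProvider"
      AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx"/>
  <PartnerIdentityProvider Name="http://adfs.test/adfs/services/trust"
      SignAuthnRequest="true" WantAssertionSigned="true" WantAssertionEncrypted="true"
      UseEmbeddedCertificate="true" SingleSignOnServiceUrl="https://adfs.test/adfs/ls/"/>
</SAMLConfiguration>"""


def _mismatch(what, configured, expected):
    """Describe a difference; case-only differences are flagged because ADFS compares strings case sensitively."""
    if configured == expected:
        return None
    hint = " (differs only in case)" if (configured or "").lower() == (expected or "").lower() else ""
    return f"{what}: configured {configured!r}, expected {expected!r}{hint}"


def check_adfs_sso_config(metadata_xml, saml_config_xml, web_config_partner_idp, relying_party_identifier):
    """Cross-check the service provider configuration against ADFS; returns a list of problems (empty = consistent)."""
    md = ET.fromstring(metadata_xml)
    cfg = ET.fromstring(saml_config_xml)
    sp = cfg.find("{*}ServiceProvider")
    idp = cfg.find("{*}PartnerIdentityProvider")
    sso_locations = [e.get("Location") for e in md.iterfind(".//{*}SingleSignOnService")]
    checks = [
        # Issuer of the SAML response ADFS returns is its entityID; PartnerIdentityProvider Name must equal it.
        _mismatch("partner IdP name vs. ADFS entityID", idp.get("Name"), md.get("entityID")),
        # web.config PartnerIdP selects that same partner entry for SP-initiated SSO.
        _mismatch("web.config PartnerIdP vs. partner IdP name", web_config_partner_idp, idp.get("Name")),
        # The authn request issuer (ServiceProvider Name) must equal the relying party trust identifier.
        _mismatch("ServiceProvider name vs. relying party identifier", sp.get("Name"), relying_party_identifier),
    ]
    # The configured SSO URL must be an endpoint ADFS actually publishes (the /adfs/ls/ endpoint).
    sso_url = idp.get("SingleSignOnServiceUrl")
    if sso_url not in sso_locations:
        checks.append(f"SingleSignOnServiceUrl {sso_url!r} not among ADFS SSO endpoints {sso_locations}")
    return [problem for problem in checks if problem]
```

Run the check against the real FederationMetadata.xml and saml.config before opening the relying party trust wizard; each reported line points at the configuration value that would otherwise surface only as the cryptic ADFS browser message described under troubleshooting.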
Running the Service Provider with SP-Initiated SSO
In this example, the user attempts to access a protected resource on the service provider. Rather than performing a local login at the service provider, SSO is initiated: the user logs in at the ADFS identity provider, and the asserted identity, passed to the service provider in a SAML assertion, is used to log the user in automatically at the service provider.
Browse to https://cs.test/ExampleServiceProvider, ignoring any browser certificate warnings.
If more than one claims provider is configured on ADFS, you will be presented with a claims provider selection page. Select the appropriate claims provider for authentication against Active Directory, for example adfs.test.
You should then be presented with the identity provider login prompt.
Log in using the user name and password of a user defined in Active Directory.
You should then be presented with the service provider’s default page.
This means you’ve successfully completed a SAML v2.0 SSO and are logged in at the service provider with your identity provider user name.
Running the Service Provider with IdP-Initiated SSO
In this example, the user logs in at ADFS and initiates SSO to the service provider. The asserted identity, passed to the service provider in a SAML assertion, is used to perform an automatic login at the service provider.
Browse to https://adfs.test/adfs/ls/IdpInitiatedSignon.aspx, ignoring any browser certificate warnings.
You should then be presented with the identity provider sign-in page.
Select the “sign in to this site” radio button and click the continue button.
Alternatively, selecting the “sign in to one of the following sites” radio button performs SSO to the selected service provider immediately after login.
You should then be presented with the identity provider login prompt.
Log in using the user name and password of a user defined in Active Directory.
Select the service provider and click Go to initiate SSO.
You should then be presented with the service provider’s default page.
This means you’ve successfully completed a SAML v2.0 SSO and are logged in at the service provider with your identity provider user name.
Troubleshooting ADFS SSO
Configuration errors will result in a cryptic message displayed in the browser by ADFS. To troubleshoot configuration and other problems, refer to the ADFS event log.
ADFS metadata may be viewed at the FederationMetadata/2007-06/FederationMetadata.xml endpoint. For example:
https://adfs.test/FederationMetadata/2007-06/FederationMetadata.xml
Regards
ComponentSpace Development