ADFS Authentication Policies

Hi,
We are planning to purchase the ComponentSpace licensed version if our following scenarios are met. It would be great if you could assist us with the same.
Scenarios :

  • Launching the web application. That web app will redirect to the ADFS server, and the user will enter their credentials on the ADFS login page. On successful authentication, the user will be redirected to the calling web application.
  • In the same web application, we will be launching a Windows application, passing it the SAML response sent by the ADFS server in step 1. The Windows application will send that SAML response to a WCF service. The WCF service will validate that SAML response using ComponentSpace APIs, in terms of true or false, and forward the same result to the calling application.
  • The Windows application will pass a username and password to the WCF service. This service will validate these credentials against the ADFS server using ComponentSpace APIs, in terms of true or false, and forward the same result to the calling application. In this case we don’t want to redirect to the ADFS server. We want silent authentication (using HTTPPost).

Currently we are exploring your ADFS low-level API, where we are using the HTTPPost binding. It is still redirecting to the ADFS server. Can you suggest anything to resolve this issue?

Thanks,
Lokesh.

Hi Lokesh
SSO with ADFS shouldn’t be a problem. If you run into issues it’s most likely a configuration mismatch.
You should refer to the ADFS server’s Windows event log for detailed information logged by ADFS.
I also suggest taking a look at 10.4 of our Developer Guide PDF which describes integration with ADFS including how to configure a relying party in ADFS.
My recommendation is to get this working first. I also recommend that you use the SAML high-level API for this as it’s easier to use than our low-level API.
If I understand correctly, the second requirement is to send a SAML response to a WCF service.
Could you please provide clarification on this?
Normally I wouldn’t expect the entire SAML response message to be sent.
Instead, were you looking to send the SAML assertion to the WCF service?
Is this for authentication at the WCF service? If not, could you describe the purpose of sending a SAML response or assertion to it?
Also, please note that you cannot pass the user’s name and password to ADFS for validation.
This is not supported by the SAML specification and, as far as I’m aware, it’s not supported by ADFS.

[quote]
ComponentSpace - 10/21/2016
Hi Lokesh
SSO with ADFS shouldn't be a problem. If you run into issues it's most likely a configuration mismatch.
You should refer to the ADFS server's Windows event log for detailed information logged by ADFS.
I also suggest taking a look at 10.4 of our Developer Guide PDF which describes integration with ADFS including how to configure a relying party in ADFS.
My recommendation is to get this working first. I also recommend that you use the SAML high-level API for this as it's easier to use than our low-level API.
If I understand correctly, the second requirement is to send a SAML response to a WCF service.
Could you please provide clarification on this?
Normally I wouldn't expect the entire SAML response message to be sent.
Instead, were you looking to send the SAML assertion to the WCF service?
Is this for authentication at the WCF service? If not, could you describe the purpose of sending a SAML response or assertion to it?
Also, please note that you cannot pass the user's name and password to ADFS for validation.
This is not supported by the SAML specification and, as far as I'm aware, it's not supported by ADFS.
[/quote]

Hi
Thanks for your reply.
Can we have a WebEx call in the IST time zone so that we can explain our scenarios in more detail?

Thanks,
Lokesh




Please contact us by email.

[quote]
ComponentSpace - 10/24/2016
Please contact us by email.
[/quote]

Hi,

As I stated earlier, currently we are exploring your ADFS low-level API (we are not going to use the high-level API as it does not fulfill our requirements). We are using the HTTPPost binding. It is still redirecting to the ADFS server for authentication purposes.
As per your development guide (refer to section “11.5.6 Running the Service Provider with SSO”, page no. 186), we are expecting the identity provider login prompt popup as shown in the screenshot below, but it is getting redirected to the ADFS server login page, which we don’t want as we are using the HTTPPost binding. For your reference I am attaching a sample project.



Thanks,
Lokesh

This screenshot is from ADFS 2.0. If you’re using ADFS 3.0 you’ll see a different prompt.
Once the SAML authn request is sent to ADFS, it’s up to ADFS exactly how the user is prompted to login.
Using the HTTP-Post or HTTP-Redirect binding won’t affect how ADFS will prompt for the user’s credentials.

[quote]
ComponentSpace - 10/25/2016
This screenshot is from ADFS 2.0. If you're using ADFS 3.0 you'll see a different prompt.
Once the SAML authn request is sent to ADFS, it's up to ADFS exactly how the user is prompted to login.
Using the HTTP-Post or HTTP-Redirect binding won't affect how ADFS will prompt for the user's credentials.
[/quote]

Yes, we are using ADFS 3.0 but are not getting any prompt; it simply gets redirected to the ADFS login page (refer to the screenshot below). We don't want this redirection.



Thanks,
Lokesh

That is the prompt you get with ADFS 3.0 forms based authentication.
There are ways to customize this page but it’s still going to be an ADFS login page.
The Windows Security dialog in your post is for basic authentication.
In ADFS 2.0, the authentication method can be Integrated Windows Authentication (IWA), forms based authentication (FBA), client certificate or basic authentication.
http://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-the-local-authentication-type.aspx
A quick search couldn’t find anything about configuring ADFS 3.0 to use basic authentication. It supports IWA, FBA and client certificate authentication.
In ADFS 3.0 we’ve only ever used FBA and IWA.
The following links describe configuring the authentication policies in ADFS 3.0.
https://blogs.msdn.microsoft.com/josrod/2014/10/15/enabled-forms-based-authentication-in-adfs-3-0/
https://technet.microsoft.com/en-us/library/dn486781%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
You might be better asking in a Microsoft forum whether basic authentication is supported in ADFS 3.0.

[quote]
ComponentSpace - 10/25/2016
That is the prompt you get with ADFS 3.0 forms based authentication.
There are ways to customize this page but it's still going to be an ADFS login page.
The Windows Security dialog in your post is for basic authentication.
In ADFS 2.0, the authentication method can be Integrated Windows Authentication (IWA), forms based authentication (FBA), client certificate or basic authentication.
http://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-the-local-authentication-type.aspx
A quick search couldn't find anything about configuring ADFS 3.0 to use basic authentication. It supports IWA, FBA and client certificate authentication.
In ADFS 3.0 we've only ever used FBA and IWA.
The following links describe configuring the authentication policies in ADFS 3.0.
https://blogs.msdn.microsoft.com/josrod/2014/10/15/enabled-forms-based-authentication-in-adfs-3-0/
https://technet.microsoft.com/en-us/library/dn486781%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
You might be better asking in a Microsoft forum whether basic authentication is supported in ADFS 3.0.
[/quote]

Thanks, I will try to explore the above links.

One more thing: we are trying to validate a SAML response using your utility application "ValidateSAMLMessage" but are getting the following error message. Could you please assist us in resolving this issue?

I am attaching the SAML response file for your reference.







This issue has been resolved. Please email us if you’d like an update.

[quote]
ComponentSpace - 10/26/2016
This issue has been resolved. Please email us if you'd like an update.
[/quote]

Please send us the updates at lokesh.zende@outlook.com, or suggest how we can get them?

Thanks,
Prayag

An update has been emailed to you.

[quote]
ComponentSpace - 10/26/2016
This issue has been resolved. Please email us if you'd like an update.
[/quote]

After downloading this update, the "The method or operation not implemented" error is fixed.

But the "ValidateSAMLMessage" utility is not showing any output or error message. It simply exits.

Here I am sending the SAML response and log files for the same.

If possible, could you please share the updated source code for the application "ValidateSAMLMessage"?

Thanks,
Lokesh


The ValidateSAMLMessage source code wasn’t updated. The change was to the SAML2 DLL only.
When I run ValidateSAMLMessage with your SAMLResponse.txt it successfully displays the decoded SAML response XML.
I’ll email you the ValidateSAMLMessage.exe etc.

[quote]
ComponentSpace - 11/7/2016
The ValidateSAMLMessage source code wasn't updated. The change was to the SAML2 DLL only.
When I run ValidateSAMLMessage with your SAMLResponse.txt it successfully displays the decoded SAML response XML.
I'll email you the ValidateSAMLMessage.exe etc.
[/quote]

Thanks for your reply. Now we are able to execute this application properly.

Thanks,
Lokesh

Thanks Lokesh.

[quote]
ComponentSpace - 11/8/2016
Thanks Lokesh.
[/quote]

Hi,

Our central WCF service is validating SAML messages. Multiple applications are calling this service to validate the same SAML message.

For the first application everything is working fine, but when we try to validate the same SAML message from the second application, we are getting the error below.

"The saml assertion is being replayed". Could you please provide us with any solution for this error?

Thanks,
Lokesh


One of the security checks we make is to test if the SAML assertion has been previously received.
If it has then this is a potential replay attack and an exception is thrown accordingly.
Is the same SAML message being received just for testing? It’s not something that should happen in a production environment.
If you wish to disable this check you can by setting the DisableAssertionReplayCheck to true.
For example:

<PartnerIdentityProvider
Name="http://localhost/ExampleIdentityProvider"
DisableAssertionReplayCheck="true"


This check should not be disabled in a production environment.
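Added example, not ComponentSpace's code: a language-neutral sketch in Python of the checks a relying party (such as the central WCF service described earlier in this thread) performs on a received assertion: the validity window with clock skew, the audience restriction, and the assertion-ID replay check described in the reply above. The sample response, issuer, audience, subject and IDs are constructed placeholders; signature verification is assumed to have already succeeded before these checks run, and the clock is injected so the behaviour is deterministic.

```python
"""Illustrative relying-party checks on a SAML assertion (not the library's code)."""
import threading
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response: issuer, audience, subject and IDs are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0">
  <saml:Assertion ID="_assertion-1" Version="2.0" IssueInstant="2016-10-26T10:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2016-10-26T10:00:00Z" NotOnOrAfter="2016-10-26T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def utc(text):
    """Parse a SAML UTC timestamp such as 2016-10-26T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


class AssertionReplayCache:
    """Remembers consumed assertion IDs until their NotOnOrAfter (plus skew) has passed.

    An ID only needs to be held while the assertion is inside its validity window;
    after that the time-window check rejects the assertion anyway, so entries are
    evicted and the cache cannot grow without bound."""

    def __init__(self):
        self._seen = {}  # assertion ID -> expiry (aware UTC datetime)
        self._lock = threading.Lock()

    def first_use(self, assertion_id, expires_at, now):
        """Record the ID and return True; return False if it was seen before."""
        with self._lock:
            for aid in [a for a, exp in self._seen.items() if exp <= now]:
                del self._seen[aid]
            if assertion_id in self._seen:
                return False  # already consumed: treat as a replay
            self._seen[assertion_id] = expires_at
            return True


def validate_assertion(response_xml, expected_audience, cache, now,
                       skew=timedelta(minutes=2)):
    """Return (ok, reason) for the assertion carried in a SAML response."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in response"
    assertion_id = assertion.get("ID")
    conditions = assertion.find("saml:Conditions", NS)
    if assertion_id is None or conditions is None:
        return False, "assertion lacks ID or Conditions"

    # Validity window, tolerating a small clock difference between IdP and SP.
    not_before = utc(conditions.get("NotBefore"))
    not_on_or_after = utc(conditions.get("NotOnOrAfter"))
    if now < not_before - skew:
        return False, "assertion not yet valid"
    if now >= not_on_or_after + skew:
        return False, "assertion expired"

    # The assertion must have been issued for this relying party.
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"

    # Replay check runs last so that an otherwise invalid assertion is not recorded.
    if not cache.first_use(assertion_id, not_on_or_after + skew, now):
        return False, "the saml assertion is being replayed"
    return True, "ok"


def demo():
    """Validate the same response twice: the second attempt is a replay."""
    cache = AssertionReplayCache()
    now = utc("2016-10-26T10:01:00Z")
    first = validate_assertion(SAMPLE_RESPONSE, "https://sp.example.test/", cache, now)
    second = validate_assertion(SAMPLE_RESPONSE, "https://sp.example.test/", cache, now)
    return first, second


if __name__ == "__main__":
    print(demo())
```

The second call failing is the check working as intended: an assertion is meant to be consumed once by the party it was issued to. When several applications need the outcome of one login, each should either obtain its own assertion (with its own audience) or the central service should validate once and hand back a result or token of its own, rather than presenting the same assertion repeatedly with the replay check switched off.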