The Web Forms and MVC example identity and service providers demonstrate single sign-on with Windows Active Directory Federation Services (ADFS).
The following sections describe the configuration for the Web Forms example identity provider and service provider but, with the appropriate changes, apply equally to the MVC examples.
Configuring the Identity Provider
The following sections describe interoperability between the example identity provider and ADFS acting as the relying party (i.e. service provider).
The saml.config file includes the following entry for the ADFS partner service provider.
  <PartnerServiceProvider Name="http://adfs.test/adfs/services/trust"
                          WantAuthnRequestSigned="false"
                          SignResponse="false"
                          SignAssertion="true"
                          EncryptAssertion="false"
                          AssertionConsumerServiceUrl="https://adfs.test/adfs/ls/"/>
The Name must match the Issuer that ADFS uses in its authn request. For example, if ADFS is deployed to the myadfs server then the Name must be http://myadfs/adfs/services/trust.
The web.config’s PartnerSP setting specifies the partner service provider for IdP-initiated SSO and should be set to http://adfs.test/adfs/services/trust.
  <add key="PartnerSP" value="http://adfs.test/adfs/services/trust"/>
The web.config’s TargetUrl setting specifies, for IdP-initiated SSO, the relying party configured in ADFS and should be set to RPID=ExampleServiceProvider.
The RPID syntax is specific to ADFS. If not specified then ADFS will convert the IdP-initiated SSO into SP-initiated SSO.
Configuring ADFS – Adding a Claims Provider
To support IdP-initiated SSO, edit the ADFS web.config at C:\inetpub\adfs\ls. In the microsoft.identityServer.web section, add the following entry:
If not enabled, ADFS will convert IdP-initiated SSO into SP-initiated SSO.
In ADFS terminology, the identity provider is a claims provider. Using the ADFS management console, add a claims provider trust for the identity provider.
Note that strings in ADFS, including URLs, are case sensitive.
Confirm that the /adfs/ls endpoint for SAML v2.0 exists. If it doesn’t, refer to the ADFS documentation.
Confirm that the service communications, token decrypting and token encrypting certificates exist. If they don’t, refer to the ADFS documentation.
Add a claims provider trust and select the option to enter the claims provider information manually.
Specify a display name. The display name does not have to match with any other configuration.
Choose the ADFS profile.
Enable support for SAML v2.0 and specify the identity provider’s SSO service URL. ADFS sends the authn request to this URL. For example:
https://cs.test/ExampleIdentityProvider/SAML/SSOService.aspx
Specify the claims provider trust identifier. This identifier must match the Issuer of the SAML response sent by the identity provider. The IdentityProvider Name attribute in the saml.config configuration file is used as the issuer, so this name and the claims provider trust identifier must match exactly.
For example, if the saml.config includes:
  <IdentityProvider Name="urn:componentspace:ExampleIdentityProvider"/>
then the claims provider trust identifier must be urn:componentspace:ExampleIdentityProvider.
Browse to idp.cer to specify it as the token signing certificate. Ignore any warnings about the key length; the example certificate uses a short key that is acceptable only for this walkthrough, and a production identity provider should sign with an RSA key of at least 2048 bits.
ADFS uses the token signing certificate to verify the SAML assertion signature.
Review the configuration and close the wizard.
The identity provider should be included in the list of claims provider trusts.
Although the SAML v2.0 component supports SHA-256 signatures, SHA-1 is used for this example. To specify this, open the claims provider trust's properties and, under the Advanced tab, select SHA-1. SHA-1 is deprecated for XML signatures; outside this example, configure the identity provider to sign with SHA-256 and leave the trust at the SHA-256 setting.
Edit the claim rules and add a rule that uses the pass through template to pass through the Name ID. Ignore any warning.
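The same ADFS configuration as the console steps above, done from PowerShell, as an added example that is not part of the original page or of the ComponentSpace samples. The host names, the C:\temp\idp.cer path, the POST binding for the SSO endpoint, and the useRelayStateForIdpInitiatedSignOn element name (the page does not show the web.config entry; that element name is my assumption for ADFS 2.0) are all assumptions.

```powershell
# Added example (not from the original page or ComponentSpace): create the claims
# provider trust for the example identity provider from PowerShell.
# Assumptions: ADFS 2.0 on adfs.test with web.config at C:\inetpub\adfs\ls,
# idp.cer copied to C:\temp\idp.cer, and the web.config element name below
# (useRelayStateForIdpInitiatedSignOn) as the setting that enables IdP-initiated SSO.

# ADFS 2.0 ships its cmdlets as a snap-in; ADFS 3.0 and later as the ADFS module.
if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
} else {
    Import-Module ADFS
}

# 1. Enable IdP-initiated SSO, so that a RelayState of RPID=<relying party> is honoured
#    instead of being turned into SP-initiated SSO.
$webConfig = 'C:\inetpub\adfs\ls\web.config'
[xml]$cfg = Get-Content -Path $webConfig -Raw
$webNode = $cfg.configuration.'microsoft.identityServer.web'
$relay = $webNode.SelectSingleNode('useRelayStateForIdpInitiatedSignOn')   # assumed element name
if (-not $relay) {
    $relay = $cfg.CreateElement('useRelayStateForIdpInitiatedSignOn')
    [void]$webNode.AppendChild($relay)
}
$relay.SetAttribute('enabled', 'true')
$cfg.Save($webConfig)

# 2. Claims provider trust. The identifier must equal the IdentityProvider Name in
#    saml.config, byte for byte: ADFS compares it case-sensitively with the Issuer
#    of the SAML response the identity provider sends.
$idpIdentifier = 'urn:componentspace:ExampleIdentityProvider'
$ssoUrl        = 'https://cs.test/ExampleIdentityProvider/SAML/SSOService.aspx'

# Endpoint ADFS sends the authn request to (binding assumed to be POST).
$ssoEndpoint = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLSingleSignOn' -Uri $ssoUrl

# Token signing certificate used to verify the assertion signature.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList 'C:\temp\idp.cer'

# Pass-through rule for the Name ID, in ADFS claim rule language.
$rules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);
'@

# SHA-1 only because the walkthrough's sample signs with SHA-1; use $sha256 in production.
$sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

Add-AdfsClaimsProviderTrust -Name 'Example Identity Provider' `
    -Identifier $idpIdentifier `
    -ProtocolProfile 'SAML' `
    -SamlEndpoint $ssoEndpoint `
    -TokenSigningCertificate $signingCert `
    -SignatureAlgorithm $sha1 `
    -AcceptanceTransformRules $rules

# Confirm the trust exists with the expected identifier and signature algorithm.
Get-AdfsClaimsProviderTrust -Identifier $idpIdentifier |
    Select-Object Name, Identifier, SignatureAlgorithm, Enabled
```

Run this in an elevated PowerShell session on the ADFS server. If the identity provider is later switched to SHA-256 signing, change the trust with Set-AdfsClaimsProviderTrust -TargetIdentifier $idpIdentifier -SignatureAlgorithm $sha256, or ADFS will reject the signature.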
Running the Identity Provider with IdP-Initiated SSO
In this example, the user logs in at the identity provider and initiates SSO to ADFS. ADFS forwards this to the specified service provider. The asserted identity, passed to the service provider in a SAML assertion, is used to perform an automatic login at the service provider.
Browse to https://cs.test/ExampleIdentityProvider, ignoring any browser certificate warnings.
Click the link to single sign-on to the service provider.
You should then be presented with the service provider’s default page.
Troubleshooting ADFS SSO
Configuration errors will result in a cryptic message displayed in the browser by ADFS. To troubleshoot configuration and other problems, refer to the ADFS event log.
ADFS metadata may be viewed at the FederationMetadata/2007-06/FederationMetadata.xml endpoint. For example:
https://adfs.test/FederationMetadata/2007-06/FederationMetadata.xml
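Two checks a practitioner runs when the browser only shows the generic ADFS error, as an added example that is not part of the original page or of ComponentSpace's code. The ADFS host, the saml.config path, and the event log name (AD FS 2.0/Admin on ADFS 2.0; AD FS/Admin on ADFS 3.0 and later) are assumptions.

```powershell
# Added example (not from the original page or ComponentSpace): read the ADFS admin
# event log, then compare the ADFS federation metadata with the identity provider's
# saml.config. Assumptions: ADFS host adfs.test, ADFS 2.0 log name 'AD FS 2.0/Admin',
# saml.config at C:\inetpub\wwwroot\ExampleIdentityProvider\saml.config.

$AdfsHost   = 'adfs.test'
$LogName    = 'AD FS 2.0/Admin'
$SamlConfig = 'C:\inetpub\wwwroot\ExampleIdentityProvider\saml.config'

# 1. The detail behind the browser's error is in the ADFS admin log on the ADFS server.
#    Level 2 = Error, 3 = Warning; newest entries first.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2, 3 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 2. The entityID ADFS publishes is the Issuer of its authn requests and must equal,
#    byte for byte (ADFS strings are case sensitive), the PartnerServiceProvider Name
#    in saml.config. The calling machine must trust the ADFS TLS certificate.
$metadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$entityId = $metadata.EntityDescriptor.entityID
"ADFS entityID: $entityId"

[xml]$saml = Get-Content -Path $SamlConfig -Raw
$partner = $saml.SelectSingleNode("//*[local-name()='PartnerServiceProvider'][@Name='$entityId']")
if ($partner) {
    "saml.config has a PartnerServiceProvider for $entityId"
    "  AssertionConsumerServiceUrl: $($partner.AssertionConsumerServiceUrl)"
} else {
    "No PartnerServiceProvider with Name='$entityId' in saml.config; check case and trailing characters"
}

# Signing certificate(s) ADFS publishes for its SP role. Confirms the token signing
# certificate exists and shows what the identity provider must trust if
# WantAuthnRequestSigned is set to true.
$signing = $metadata.EntityDescriptor.SPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object { $_.KeyInfo.X509Data.X509Certificate }
foreach ($b64 in $signing) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (, [Convert]::FromBase64String($b64))
    "ADFS signing certificate: $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
}
```

A mismatch in the entityID comparison is the most common cause of the identity provider rejecting the authn request, and an expired or rolled-over signing certificate the most common cause once signed requests are required.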