Can we add IDP as claims provider in ADFS

Hi team,

We are exploring ComponentSpace single sign-on for ADFS integration. We have the following requirement; please let us know whether it is possible or not. The SP (https://service provider) is added as a Relying Party and the IDP (https://identityprovider) is added as a Claims Provider.
1. Browse to the SP, which was added as a Relying Party in ADFS.
2. A login selection page will open asking to select either Active Directory or the IDP.
3. We will select the IDP; it should open the IDP login page and the user will enter credentials.
4. After that it should log into the SP website.

Please let us know how we can achieve this.

Thanks & Regards,
RK

Yes, that’s certainly possible.
Please refer to section 10.4 of our Developer Guide PDF which you’ll find in the product Documentation folder.
This describes how to configure the ExampleServiceProvider as a relying party and the ExampleIdentityProvider as a claims provider.
The flows we demonstrate are independent of each other but there’s no reason why you can’t combine them as you describe.

[quote]
ComponentSpace - 9/18/2017
Yes, that's certainly possible.
Please refer to section 10.4 of our Developer Guide PDF which you'll find in the product Documentation folder.
This describes how to configure the ExampleServiceProvider as a relying party and the ExampleIdentityProvider as a claims provider.
The flows we demonstrate are independent of each other but there's no reason why you can't combine them as you describe.
[/quote]

Thanks for reply.
We configured it by following section 10.4. The SP is added as an ADFS RP and the IDP is added as a Claims Provider.
But when we select the IDP to log in we get the "there is no pending service provider authentication request." error.

Regards,
RK

This error occurs if SAMLIdentityProvider.SendSSO is called but a SAML authn request has not been previously received as part of SP-initiated SSO.
Are you using the ExampleIdentityProvider project?
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning this forum post.
I’d like to see the IdP’s SAML trace.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

[quote]
ComponentSpace - 9/18/2017
This error occurs if SAMLIdentityProvider.SendSSO is called but a SAML authn request has not been previously received as part of SP-initiated SSO.
Are you using the ExampleIdentityProvider project?
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning this forum post.
I'd like to see the IdP's SAML trace.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
[/quote]

Hi,

Yes, we are using something similar to the ExampleIdentityProvider project. We took ExampleIdentityProvider as the base project and modified it with a custom login page.

We added one ID parameter in the query string that is required for our custom login.
The ADFS claims provider URL looks like this: https://ExampleIdentityProvider/SAML/SSOService.aspx?ID='value'
Is any configuration missing, either at the SP or the IDP?

We are getting the error below after we click on the IDP on the ADFS HRD page.
SAMLIdentityProvider :ComponentSpace.SAML2.Exceptions.SAMLBindingException: The query string is missing SAMLRequest at ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.ParseQueryString(String redirectURL, String messageQueryName, XmlElement& samlMessage, String& relayState, String& signatureAlgorithm, String& signature) at ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.ReceiveRequest(HttpRequest httpRequest, XmlElement& samlMessage, String& relayState, String& signatureAlgorithm, String& signature) at ComponentSpace.SAML2.InternalSAMLIdentityProvider.ReceiveSSO(HttpRequest httpRequest, String& partnerSP, SSOOptions& ssoOptions) at SekurIdP.SAML.SSOService.Page_Load(Object sender, EventArgs e)


Thanks in Advance.

Regards,
RK

Thank you for the log.
The identity provider is expecting a SAML authn request to be sent by ADFS.
Instead it’s receiving a WS-Federation message which then causes the SAMLBindingException.
Please take a look at section 10.4 of our Developer Guide PDF.
The sub-section “Configuring ADFS – Adding a Claims Provider” describes how to configure a claims provider.
You need to ensure ADFS will communicate with your identity provider using SAML v2.0 SSO rather than WS-Federation.

[quote]
ComponentSpace - 9/19/2017
Thank you for the log.
The identity provider is expecting a SAML authn request to be sent by ADFS.
Instead it's receiving a WS-Federation message which then causes the SAMLBindingException.
Please take a look at section 10.4 of our Developer Guide PDF.
The sub-section "Configuring ADFS – Adding a Claims Provider" describes how to configure a claims provider.
You need to ensure ADFS will communicate with your identity provider using SAML v2.0 SSO rather than WS-Federation.
[/quote]

Thanks for the information that certainly helped us to proceed further.
Now the flow works like this: SP --> ADFS --> IDP --> ADFS --> SP.
But the logged-in user name is not displayed on the SP page; the IDP is sending the user name to ADFS, but from ADFS to the SP that value is not passed.
I feel something is missing; please help us if anything is missed.

Thanks in Advance.

Regards,
RK

I suspect it will be an issue with the claim mappings in ADFS.
Please take a look at the claim mapping rules for the relying party and claims provider in ADFS to ensure the user name is passed through.
The user name is called the Name ID in the ADFS mapping rules.

[quote]
ComponentSpace - 9/21/2017
I suspect it will be an issue with the claim mappings in ADFS.
Please take a look at the claim mapping rules for the relying party and claims provider in ADFS to ensure the user name is passed through.
The user name is called the Name ID in the ADFS mapping rules.
[/quote]

Thanks for the reply.

Yes, claim mappings were missed in ADFS. Added Name ID; now it works fine.
Can we send the authenticated user's privileges to the SP as claims?
Once the user is authenticated by the IDP, it goes to ADFS; can we get the privileges of the authenticated user there and send them to the SP?
Thanks in Advance.
Regards,
Ramakrishna K B

You can add various user properties from Active Directory. If what you’re after isn’t in the standard list of properties, you can also write custom claim rules.
The following articles describe how to do this.
https://blogs.technet.microsoft.com/askds/2011/10/07/ad-fs-2-0-claims-rule-language-primer/
https://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx
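An added configuration example, not from this thread or from ComponentSpace, showing the ADFS PowerShell and claim rule language for the two points raised above: passing the Name ID through the claims provider trust and the relying party trust, and a custom rule that adds group claims from Active Directory. The trust names "ExampleIdentityProvider" and "ExampleServiceProvider" and the assumption that the Name ID matches an AD account are mine.

```powershell
# Added example (not from the forum thread or ComponentSpace): ADFS claim rules
# that pass the Name ID from a SAML claims provider through to a relying party,
# plus an illustrative custom rule that adds group claims from Active Directory.
# Assumed trust names: "ExampleIdentityProvider" (claims provider trust) and
# "ExampleServiceProvider" (relying party trust). Run on the ADFS server.
Import-Module ADFS

$nameId = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$group  = "http://schemas.xmlsoap.org/claims/Group"

# 1. Claims provider trust: accept ONLY the Name ID from the external IdP.
#    A narrow acceptance rule stops the IdP from injecting other claim types
#    (for example group or role claims) that downstream rules would trust.
#    Note: -AcceptanceTransformRules replaces the trust's existing rule set.
$acceptNameId = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID from IdP"
c:[Type == "$nameId"]
 => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName "ExampleIdentityProvider" `
    -AcceptanceTransformRules $acceptNameId

# 2. Relying party trust: forward the Name ID to the SP and, as a custom rule,
#    look up the user's AD group membership (tokenGroups) in the AD store.
#    ASSUMPTION: the Name ID value is DOMAIN\sAMAccountName of an account in
#    the local AD forest; if the IdP sends something else (e.g. an email
#    address), add a rule that maps it to an AD account before this query.
$issueToSp = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID to SP"
c:[Type == "$nameId"]
 => issue(claim = c);

@RuleName = "Add AD groups for the authenticated user"
c:[Type == "$nameId"]
 => issue(store = "Active Directory", types = ("$group"), query = ";tokenGroups;{0}", param = c.Value);
"@
Set-AdfsRelyingPartyTrust -TargetName "ExampleServiceProvider" `
    -IssuanceTransformRules $issueToSp

# 3. Verify what is now configured on both trusts.
(Get-AdfsClaimsProviderTrust -Name "ExampleIdentityProvider").AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name "ExampleServiceProvider").IssuanceTransformRules
```

The claim rule language and the Active Directory attribute store query form are the ones documented in the two Microsoft articles linked above; enable SAML trace on the IdP side and check the ADFS event log if the Name ID still does not reach the SP.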