Handling ADFS Requests Via the AssertionConsumerService.aspx (on Service Provider)

Hi Guys,

Very new to SSO, I have the web forms example (IDP) authenticating to my ASP NET website (SP) via the AssertionConsumerService.aspx and a certificate.

My goal now is to reuse the code in my ASP NET web page (AssertionConsumerService.aspx) to allow a client to connect via ADFS. Will this work if I provide him with the certificate file and add the ADFS config to my SAML.config file? He provided me a metadata file that I was able to import and convert to a SAML.config that I used in the SAML PartnerIdentityProvider settings.

Also, is there an example that would mimic an ADFS SSO from the IDP side to my SP for testing?

Sorry, very new to this; any help would be much appreciated.

- Adam

Hi Adam
It will work but it sometimes takes a little tweaking to get the configuration right in ADFS.
Any issues on the ADFS server may be identified through the ADFS Windows event log.
We don’t really provide a way to mimic ADFS other than setting the configuration for the example IdP to be similar to that for ADFS. In other words, have your entries as similar as possible.
I suggest taking a look at section 10.4 of our Developer Guide PDF. This describes interoperability with ADFS including the configuration of ADFS.
If you run into any issues, as I mentioned, ask the IdP to take a look at the ADFS Windows event log.
Of course, if you’re stuck, please contact us for assistance.

[quote]
ComponentSpace - 2/12/2017
Hi Adam
It will work but it sometimes takes a little tweaking to get the configuration right in ADFS.
Any issues on the ADFS server may be identified through the ADFS Windows event log.
We don't really provide a way to mimic ADFS other than setting the configuration for the example IdP to be similar to that for ADFS. In other words, have your entries as similar as possible.
I suggest taking a look at section 10.4 of our Developer Guide PDF. This describes interoperability with ADFS including the configuration of ADFS.
If you run into any issues, as I mentioned, ask the IdP to take a look at the ADFS Windows event log.
Of course, if you're stuck, please contact us for assistance.
[/quote]

Thank you for the response it was very helpful.

After speaking with our client I think I see the underlying issue. I was wondering if you could read the below and tell me if this is how most cases are handled and if it's supported by your code.

This is how I thought it would work:

1. Client Makes Request to ADFS for Site
2. ADFS redirects client to Application Assertion Consumer Service with SSO Token (certificate, attributes, etc.)
3. Application authenticates and logs in user

The client is telling me:

1. Client makes request to Application
2. Application tells client they need SSO token (not sure how it knows this)
3. Client requests token from their internal ADFS server
4. ADFS server gives client Assertion Consumer Service URL and SSO Token
5. Client makes request again to Application but now uses Assertion Consumer Service URL and Token
6. Application authenticates and logs in user

Can you tell me if this is what you have seen in the past? How would the application tell the requesting browser that he needs the SSO URL and Token?

Any help would be much appreciated.

Thanks,

Adam



Hi Adam
We haven’t seen that flow. It’s not a SAML v2.0 SSO flow. It sounds a little like WS-Trust with a request to ADFS to return a SAML assertion token. However, it’s then mixed with what seems to be SAML SSO.
The three steps you listed are correct.

[quote]
ComponentSpace - 2/13/2017
Hi Adam
We haven't seen that flow. It's not a SAML v2.0 SSO flow. It sounds a little like WS-Trust with a request to ADFS to return a SAML assertion token. However, it's then mixed with what seems to be SAML SSO.
The three steps you listed are correct.
[/quote]

Thanks again. We are going to try a redirect to see what happens.
[quote]
ComponentSpace - 2/13/2017
Hi Adam
We haven't seen that flow. It's not a SAML v2.0 SSO flow. It sounds a little like WS-Trust with a request to ADFS to return a SAML assertion token. However, it's then mixed with what seems to be SAML SSO.
The three steps you listed are correct.
[/quote]

If the user clicks the link to go to our site and we then redirect them to their IdP, is there any special type of redirect needed (something like 'SingleLogoutService.SendLogoutRequestByHTTPRedirect')?
I think this is called SP-initiated SSO; the IdP would then provide a token for this user with all the info.

- Adam

The SingleLogoutService.SendLogoutRequestByHTTPRedirect is part of the SAML low-level API.
We recommend using the SAML high-level API wherever possible as it’s easier to use.
To send a logout request you would call SAMLServiceProvider.InitiateSLO.
For SP-initiated SSO, you call SAMLServiceProvider.InitiateSSO.
This will send a SAML authn request to ADFS.
Depending on the SAML binding specified in the SAML configuration, the authn request will be sent via either HTTP-Redirect or HTTP-Post.
The default is to use HTTP-Redirect.
You’ll see this demonstrated in the SAML high-level API ExampleServiceProvider project.
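As an added, constructed example (not ComponentSpace code and not what InitiateSSO does internally), this shows at the protocol level how an SP "tells the browser it needs a token" in SP-initiated SSO over the HTTP-Redirect binding: a 302 to the IdP's SSO endpoint carrying a DEFLATE-compressed, base64- and URL-encoded AuthnRequest, plus the decoding an IdP such as ADFS performs on receipt. The endpoint URLs and entity ID are placeholders, and query-string signing (SigAlg/Signature) is omitted.

```python
"""SP-initiated SAML 2.0 SSO over HTTP-Redirect (constructed example)."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs, urlparse

# Placeholder values; in practice these come from the IdP metadata and SAML.config.
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"
SP_ENTITY_ID = "https://sp.example.com/"
SP_ACS_URL = "https://sp.example.com/SAML/AssertionConsumerService.aspx"


def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest asking the IdP to POST the response to our ACS URL."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )


def deflate_b64(xml):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


def inflate_b64(data):
    return zlib.decompress(base64.b64decode(data), -15).decode()


def redirect_location(relay_state, request_id=None, issue_instant=None):
    """Return (request_id, Location header) for the SP's 302 to the IdP.
    The SP must store request_id to check InResponseTo on the SAML response."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urlencode({"SAMLRequest": deflate_b64(build_authn_request(request_id, issue_instant)),
                       "RelayState": relay_state})
    return request_id, f"{IDP_SSO_URL}?{query}"


def parse_redirect(location):
    """What the IdP recovers from the redirect URL: (AuthnRequest XML, RelayState)."""
    params = parse_qs(urlparse(location).query)
    return inflate_b64(params["SAMLRequest"][0]), params.get("RelayState", [None])[0]
```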