Thursday, May 30, 2013

ADFS : Setting up a proxy


If you are planning to set up a proxy in the future, do NOT install ADFS as a single instance, non farm development only instance.

If you do this, you will not be asked for the service account.

When you set up the proxy, it will ask you for this!

Rather install ADFS as a single instance farm – even if you have no intention of ever extending the farm.

WID or SQL – makes no difference.

In this scenario, you are asked for a service account. So you know what to type when the proxy install asks you.

Obviously, you need to set up the service account beforehand – a normal account with no special privileges is fine.

The point being that the install needs to create a SPN for the federation service name and it needs a service account to hold the value!

Enjoy!

Monday, May 27, 2013

ADFS : The remote certificate is invalid according to the validation procedure


So playing around with the proxy and using self-signed certificates and get the above error.

WTF?

So Mr. Google to the rescue and there’s much discussion about disabling the chain revocation checking on the certificate on the ADFS server. This can be done through the PowerShell commands.

But there doesn’t seem to be a command to do this for the proxy.

So pull hair out and then found an entry that suggested that the key was to import the certificate of the ADFS server to the proxy but import it to the Computer Account instead of the “my user” aka “personal” aka “local” account.

Job done!

Enjoy!

Wednesday, May 22, 2013

ADFS : using the WAUTH parameter


In ADFS, you can alter the default authentication chain by changing the order of the local authentication types.

<localAuthenticationTypes>      
    <add name="Integrated" page="auth/integrated/" />
    <add name="Forms" page="FormsSignIn.aspx" />    
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
</localAuthenticationTypes>
 
But what if your WIF application wants to do something different e.g. the ADFS 
above wants Integrated but you want Forms?
 
The trick is to alter the application’s web.config.
<federatedAuthentication>
  <wsFederation passiveRedirectEnabled="true" issuer="https://xxx/adfs/ls/" 
realm="https://xxx/app/" authenticationType="urn:oasis:names:tc:SAML:1.0:am:
password" requireHttps="true" />  <cookieHandler requireSsl="true" />
</federatedAuthentication>
 
The allowable types for authenticationType:
 
Windows integrated authentication:
urn:federation:authentication:windows

User name/password authentication i.e. Forms:
urn:oasis:names:tc:SAML:1.0:am:password

SSL client authentication:
urn:ietf:rfc:2246

As for the WIF claims:

Windows integrated authentication:

http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod =
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows


User name/password authentication i.e. Forms:

http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod =
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password


Also refer:
Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type.

Enjoy!