Thursday, November 26, 2015

IdentityServer : Federation with ADFS with Identity Server 3 as the IDP

This follows on from IdentityServer : Identity Server 3 as a WS-Federation IDP with an ASP.NET MVC application, so read that first for the Identity Server details.

The use case in this post is an application (relying party, RP) that trusts ADFS, and ADFS has Identity Server (IS) configured as a claims provider (CP).

So the authentication chain is:

RP --> ADFS --> IS

ADFS is ADFS ("AD FS") 3.0 and IS is version 3. Everything is via WS-Fed.

On the IS side, we need a new RP:

new RelyingParty
{
    // Realm must match the ADFS federation service identifier
    Realm = "http://adfs.domain/adfs/services/trust",
    Enabled = true,
    // Passive WS-Fed endpoint on ADFS that receives the token
    ReplyUrl = "https://adfs.domain/adfs/ls/",
    TokenType = TokenTypes.Saml2TokenProfile11,
    TokenLifeTime = 1,

    // Map IS claim types to the claim types ADFS expects in the incoming token
    ClaimMappings = new Dictionary<string, string>
    {
        { "sub", ClaimTypes.NameIdentifier },
        { "name", ClaimTypes.Name },
        { "given_name", ClaimTypes.GivenName },
        { "surname", ClaimTypes.Surname },
        { "email", ClaimTypes.Email }
    }
}


There was a bug (now fixed) with ADFS importing IS metadata (refer Default metadata missing). So you can import the metadata in the normal way or you can do this manually as below.

Claims rules (ADFS screenshot, where "P/T" is a pass-through rule).

Now we need to import the certificate manually. ADFS won't accept a pfx file.

You can get all the certificates here.

Or you can do this manually:

We need to convert the supplied idserv3test.pfx file to a .cer file.

I normally do this by importing the certificate and then exporting it as a .cer file. You will need the password to import the certificate, which is "idsrv3test" (you can find this in "Certificate.cs").

(To export: in "mmc", right-click on the certificate / All Tasks / Export / do not export the private key - choose "Base-64 encoded X509".)

You could also do this with OpenSSL.

Then import this .cer certificate in the "Certificates" tab of the ADFS wizard.

OK - so run the RP - redirect to ADFS - choose IS in the Home Realm Discovery screen (assuming you have a number of CPs) - redirect to IS - use the credentials "alice / alice".

ADFS throws an error. 

"An error occurred during an attempt to build the certificate chain for the claims provider trust 'https://localhost:44333/core' certificate identified by thumbprint '6B7ACC520305BFDB4F7252DAEB2177CC091FAAE1'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings or certificate is not within its validity period.

You can use Windows PowerShell commands for AD FS to configure the revocation settings for the claims provider trust's signing certificate.
Claims provider trust's signing certificate revocation settings: CheckChainExcludeRoot
The following errors occurred while building the certificate chain: 
A certificate chain could not be built to a trusted root authority."

Not sure why this is. I've discussed this with a number of people, but no real resolution. It may be a problem with my test setup?

I don't have this problem with the certificates I mint. I certainly don't want to change the revocation policies via PowerShell. So I made my own certificate, added it to the project and repeated the above. (And take note of C# : GetManifestResourceStream returns null on pfx file).

So now clear out the cookies (or use InPrivate mode), connect from the RP again and you will get the claims as per the IS setup as expected.
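As an added example (not code from the original post), here is the OpenSSL route for the pfx-to-.cer conversion mentioned above, plus a chain check of the kind behind the "could not be built to a trusted root authority" error; it assumes the idsrv3test.pfx file and password named in the post and that openssl is on the path.

```shell
#!/bin/sh
# Added example, not code from the original post: OpenSSL equivalent of the
# mmc export described above, plus a chain check of the kind ADFS performs on
# a claims provider trust's signing certificate. Assumed inputs: idsrv3test.pfx
# and its password "idsrv3test" as named in the post.

# pfx_to_cer <pfx> <password> <out.cer>
# Writes only the end-entity certificate as Base-64 (PEM) X.509, with no
# private key and no "Bag Attributes" header, which is the format the ADFS
# wizard's Certificates tab imports.
pfx_to_cer() {
    pfx="$1"; pass="$2"; out="$3"
    # A .pfx from 2015 is usually RC2/3DES-encrypted; OpenSSL 3 needs -legacy for those.
    if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -out "$out" 2>/dev/null; then
        rm -f "$out"; return 1
    fi
    # Belt and braces: the file handed to ADFS must never carry the private key.
    if grep -q "PRIVATE KEY" "$out"; then rm -f "$out"; return 1; fi
    return 0
}

# cer_thumbprint <cer>
# SHA-1 thumbprint in the form ADFS logs it (upper-case hex, no colons), so the
# event text quoted above can be matched to the certificate that was imported.
cer_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# chain_builds <cer> [trusted-root.pem]
# Returns 0 when a chain can be built to a trusted root, 1 otherwise. Without
# a root file the system store is used; a self-signed signing certificate that
# nobody has placed in a trusted root store fails here, which is the
# "could not be built to a trusted root authority" condition in the error above.
chain_builds() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}
```

Run chain_builds against the exported .cer on the ADFS host to see whether the trust problem is the certificate itself before touching the revocation settings.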



Anonymous said...

What program are you running that is the source of those screenshots?

Anonymous said...

What program are you using that is the source of the screenshots?

nzpcmad said...

These are all ADFS screen shots.

nzpcmad said...

If you meant - "How do I create the screenshots"? - you could use Snipping Tool in Windows. I also use Gadwin's PrintScreen Pro and SnagIt.