Monday, December 07, 2015

IdentityServer : ASP.NET MVC application to idsrv3 to Azure Active Directory

This builds on  my previous post IdentityServer : ASP.NET MVC application to idsrv3 to ADFS but in this case we are going to use Azure AD (AAD) instead of ADFS.

This scenario involves idsrv3 as both an IDP to an ASP.NET MVC application and as a RP to AAD. Also I'm using the InMemory option.

So the authentication chain is:

RP --> IS --> AAD

IS is version 3. Everything is via WS-Fed.

I am doing this direct on idsrv3.

You should read the previous post to get the basics.

For this scenario, comment out the ADFS entry and add the AAD one as below. (don't be confused by the existing AAD entry - that's for OpenID Connect).

/*var adfs = new WsFederationAuthenticationOptions
    AuthenticationType = "adfs",
    Caption = "ADFS",
    SignInAsAuthenticationType = signInAsType,

    MetadataAddress = "https://adfs.local/federationmetadata/2007-06/federationmetadata.xml",
    Wtrealm = "urn:idsrv3rp"


var aadfed = new WsFederationAuthenticationOptions
    AuthenticationType = "aadfed",
    Caption = "Azure AD Fed",
    SignInAsAuthenticationType = signInAsType,

    MetadataAddress = "",
    Wtrealm = "https://localhost:44333/core/external/"


Now we have to configure the AAD application. The steps to get your own AAD tenant etc. are extensively documented elsewhere and out of scope for this post.

In the AAD portal, in the AD tab on the left, click on "Applications" and click "Add" at the bottom.

The name can be anything.

Sign-On URL = https:/localhost:44333/core/external/
App ID URI =   https:/localhost:44333/core/external/
Reply URL =     https:/localhost:44333/core/external/

Then save the Application.

Now click on the application in the Application list and click on "View Endpoints" at the bottom.

Copy the "Federation Metadata Document" URL and paste it in the MetadataAddress in the code above.

Then run up the MVC application. This should redirect to the idsrv3 Login screen. Click the "Azure AD Fed" button, Authenticate on AAD. You should be redirected back to the application, click the Contacts tab and you should see the claims displayed.


No comments: