Tuesday, March 15, 2016

ADFS : OpenID Connect with Server 2016 TP4

There are some good articles around this:

OpenId Connect Web Sign On with ADFS in Windows Server 2016 TP3

Enabling OpenId Connect with AD FS 2016

Vittorio's article (the first one) is also good for configuring ADFS, setting up AD, promoting it as a DC etc.

I ran up the server as an Azure VM.

I used the second article.

Note that this is obviously copied and pasted from somewhere else because there are a number of errors:
  • You don't need an Azure subscription
  • You don't need to do any Web API configuration
  • You don't need the secret key, only the ClientID
But following the article, I got this sample working really quickly which shows that Server 2016 is maturing.

I added more scopes so I had:

email, profile and openid

When you run up the sample, you may get an error along the lines of:

"The certificate is invalid according to the criteria".

To fix this, you have to add the ADFS SSL certificate to the client's trusted certificate store.

After successful authentication, using the Firefox SAML tracer, look at the response and you will see a parameter called "code" and another called "id_token".

The code is the access token which you can then use if e.g. you want to call a Web API.

The id_token is Base64 encoded and in JWT format so cut and paste it into Auth0's:


and you will see something like:

Header:

  "typ": "JWT",
  "alg": "RS256",
  "x5t": "M7jHG4emiaI2_...50",
  "kid": "M7jHG4emiaI2_...50"

Payload data:

  "aud": "f93919a8-...142fdb",
  "iss": "https://myadfs.TP4.cloudapp.net/adfs",
  "iat": 1457987350,
  "exp": 1457990950,
  "auth_time": 1457987344,
  "nonce": "635935841286452744.OTI0...DNkYzJi",
  "sub": "US6dgINcoMI...Ehgw=",
  "upn": "user-xxx@dev.local",
  "unique_name": "DEV\\user-xxx",
  "c_hash": "FlQfk4V_9...-xXw"
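
The c_hash claim ties the id_token to the "code" parameter returned in the same response. As an added example (not code from the original post or from the sample it uses), this Python sketch decodes an id_token locally and checks iss, aud, nonce, exp and c_hash. The client ID, code, nonce and token are constructed values, and the signature is not verified here.

```python
import base64
import hashlib
import json

def b64url_decode(seg):
    # JWT segments are base64url with the '=' padding stripped; restore it.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_id_token(id_token):
    # Returns (header, claims). The signature segment is NOT verified here.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def expected_c_hash(code, alg):
    # OpenID Connect: hash the code with the alg's hash, keep the left half, base64url it.
    hashes = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}
    if alg[-3:] not in hashes:
        raise ValueError("unsupported alg: " + alg)
    digest = hashes[alg[-3:]](code.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])

def check_response(id_token, code, client_id, issuer, nonce, now):
    # Returns the names of the checks that failed; an empty list means consistent.
    header, claims = decode_id_token(id_token)
    aud = claims.get("aud")
    checks = {
        "iss": claims.get("iss") == issuer,
        "aud": client_id in (aud if isinstance(aud, list) else [aud]),
        "nonce": claims.get("nonce") == nonce,
        "exp": now < claims.get("exp", 0),
        "c_hash": claims.get("c_hash") == expected_c_hash(code, header.get("alg", "")),
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed sample values (not taken from a real AD FS response).
ISSUER, CLIENT_ID = "https://myadfs.TP4.cloudapp.net/adfs", "constructed-client-id"
CODE, NONCE = "constructed-code-value", "constructed-nonce"

def build_sample_token():
    claims = {"aud": CLIENT_ID, "iss": ISSUER, "iat": 1457987350, "exp": 1457990950,
              "nonce": NONCE, "c_hash": expected_c_hash(CODE, "RS256")}
    def enc(obj):
        return b64url_encode(json.dumps(obj).encode())
    return enc({"typ": "JWT", "alg": "RS256"}) + "." + enc(claims) + "." + b64url_encode(b"not-a-real-signature")
```

Calling check_response(build_sample_token(), CODE, CLIENT_ID, ISSUER, NONCE, 1457987400) returns an empty list; passing a different code value returns ["c_hash"].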

Now if you use the code from an earlier blog post to display the claims on the "Contact" page i.e.

ViewBag.ClaimsIdentity = Thread.CurrentPrincipal.Identity; 

you'll see:

| Claim Type | Claim Value |
|---|---|
| aud | a29a6605-.0957 |
| iss | https://myadfs.TP4.cloudapp.net/adfs |
| iat | 1458089631 |
| exp | 1458093231 |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant | 1458080168 |
| nonce | 6359368642...mMy |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | 3VYhqcs/b2H6n+4L4FXmlqX5A53+lnqqwq9Ectmg+3k= |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn | userxxx@dev.local |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DEV\userxxx |
| c_hash | YZH_zyOqt9...06Q |

What's interesting is that you can't add claims rules in the ADFS wizard to a web site application group so e.g. the NameID is a GUID!

You'll notice the claims are a combination of OAuth and the old "WIF style".

