Wednesday, May 22, 2013

ADFS : using the WAUTH parameter


In ADFS, you can alter the default authentication chain by changing the order of the local authentication types.

<localAuthenticationTypes>
    <add name="Integrated" page="auth/integrated/" />
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="TlsClient" page="auth/sslclient/" />
    <add name="Basic" page="auth/basic/" />
</localAuthenticationTypes>
 
But what if your WIF application wants something different, e.g. the ADFS configuration
above defaults to Integrated but your application wants Forms?
 
The trick is to alter the application’s web.config.
<federatedAuthentication>
  <wsFederation passiveRedirectEnabled="true"
                issuer="https://xxx/adfs/ls/"
                realm="https://xxx/app/"
                authenticationType="urn:oasis:names:tc:SAML:1.0:am:password"
                requireHttps="true" />
  <cookieHandler requireSsl="true" />
</federatedAuthentication>
 
The allowable types for authenticationType:
 
Windows integrated authentication:
urn:federation:authentication:windows

User name/password authentication i.e. Forms:
urn:oasis:names:tc:SAML:1.0:am:password

SSL client authentication:
urn:ietf:rfc:2246

As for the WIF claims:

Windows integrated authentication:

http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod =
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows


User name/password authentication i.e. Forms:

http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod =
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
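As an added example (not code from the post or from WIF), the snippet below builds the WS-Federation passive sign-in redirect that carries the wauth value from authenticationType, and then checks that the authenticationmethod claim in the returned token actually matches the method the application asked for. The wa/wtrealm/wctx/wauth query names are the standard WS-Federation passive parameters; wauth is only a request to the STS, so the relying party still has to check the claim. TlsClient is omitted from the claim map because the post lists no claim value for it.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# wauth values accepted by ADFS, as listed in the post
WAUTH_WINDOWS = "urn:federation:authentication:windows"
WAUTH_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
WAUTH_TLSCLIENT = "urn:ietf:rfc:2246"

# Claim type and values ADFS issues for the method actually used (from the post)
AUTHN_METHOD_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
AUTHN_METHOD_BASE = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/"
EXPECTED_CLAIM_VALUE = {
    WAUTH_WINDOWS: AUTHN_METHOD_BASE + "windows",
    WAUTH_PASSWORD: AUTHN_METHOD_BASE + "password",
    # TlsClient: no claim value given on the page, so no mapping here
}


def build_signin_url(issuer, realm, wauth, wctx=None):
    """Passive sign-in redirect equivalent to what WIF emits for
    <wsFederation issuer=... realm=... authenticationType=...>."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wauth": wauth}
    if wctx is not None:
        params["wctx"] = wctx
    return issuer + "?" + urlencode(params)


def requested_wauth(signin_url):
    """Recover the wauth value from a sign-in URL (None if absent)."""
    return parse_qs(urlparse(signin_url).query).get("wauth", [None])[0]


def authentication_method_matches(wauth, token_claims):
    """True only if the token carries an authenticationmethod claim and it is
    the method the relying party requested via wauth. Unknown wauth values
    and missing claims both fail closed."""
    expected = EXPECTED_CLAIM_VALUE.get(wauth)
    if expected is None:
        return False
    return token_claims.get(AUTHN_METHOD_CLAIM) == expected


if __name__ == "__main__":
    # Constructed sample: the app from the post asks for Forms (password)
    url = build_signin_url("https://xxx/adfs/ls/", "https://xxx/app/", WAUTH_PASSWORD)
    # Constructed sample claims as a dict of claim type -> value
    claims_ok = {AUTHN_METHOD_CLAIM: AUTHN_METHOD_BASE + "password"}
    claims_wrong = {AUTHN_METHOD_CLAIM: AUTHN_METHOD_BASE + "windows"}
    print(url)
    print(authentication_method_matches(requested_wauth(url), claims_ok))     # True
    print(authentication_method_matches(requested_wauth(url), claims_wrong))  # False
```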


Also refer to:
Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type.

Enjoy!
