Wednesday, May 22, 2013

ADFS : using the WAUTH parameter

In ADFS, you can alter the default authentication chain by changing the order of the local authentication types; the first entry in the list is the type ADFS tries first.

    <!-- local authentication types, in the order ADFS tries them -->
    <add name="Integrated" page="auth/integrated/" />
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="TlsClient" page="auth/sslclient/" />
    <add name="Basic" page="auth/basic/" />
But what if your WIF application needs something different, e.g. the ADFS configuration above tries Integrated first but your application wants Forms?
The trick is to set the authentication type in the application's web.config.
  <!-- authenticationType is sent to ADFS as the wauth parameter of the sign-in request -->
  <wsFederation passiveRedirectEnabled="true"
                issuer="https://xxx/adfs/ls/"
                realm="https://xxx/app/"
                authenticationType="urn:oasis:names:tc:SAML:1.0:am:password"
                requireHttps="true" />
  <cookieHandler requireSsl="true" />
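The same setting can be made from code instead of web.config, which also lets the relying party verify afterwards that ADFS really used the method it asked for. This is an added example, not code from the post; it assumes WIF 3.5 (the Microsoft.IdentityModel namespaces), a Global.asax.cs in the relying party, and the password authentication-method claim URI from the Microsoft article the post links to.

```csharp
// Global.asax.cs of the relying party (added example; assumes WIF 3.5 and that issuer
// and realm are already configured in <wsFederation> as in the post).
using System;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

public class Global : HttpApplication
{
    // WAUTH value for user name/password (Forms) sign-in, as used in the post's web.config.
    private const string PasswordWauth = "urn:oasis:names:tc:SAML:1.0:am:password";

    // Authentication-method claim value ADFS issues for password sign-in (value taken
    // from the Microsoft article the post links to; compared verbatim).
    private const string PasswordAuthnMethod =
        "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password";

    protected void Application_Start(object sender, EventArgs e)
    {
        var wsfam = FederatedAuthentication.WSFederationAuthenticationModule;

        // Same effect as authenticationType="..." on <wsFederation>: the value ends up
        // as &wauth=... on the redirect to ADFS. Doing it here lets the type be chosen
        // at runtime (per request, per setting) instead of fixed in config.
        wsfam.RedirectingToIdentityProvider += (s, args) =>
        {
            args.SignInRequestMessage.AuthenticationType = PasswordWauth;
        };

        // wauth is a request, not a guarantee: the token that comes back states which
        // method ADFS actually used, so check the claim before a session is created.
        wsfam.SecurityTokenValidated += (s, args) =>
        {
            if (!UsedPasswordAuthentication(args.ClaimsPrincipal))
                args.Cancel = true;   // do not establish a session from this token
        };
    }

    // True when the principal carries an authentication-method claim for password sign-in.
    public static bool UsedPasswordAuthentication(IClaimsPrincipal principal)
    {
        return principal.Identities
            .SelectMany(id => id.Claims)
            .Any(c => c.ClaimType == ClaimTypes.AuthenticationMethod
                      && c.Value == PasswordAuthnMethod);
    }
}
```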
The allowable types for authenticationType:
Windows integrated authentication:

User name/password authentication i.e. Forms:

SSL client authentication:

As for the WIF claims:

Windows integrated authentication: =

User name/password authentication i.e. Forms: =

Also refer:
Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type.
