In ADFS, you can alter the default authentication chain by changing the order of the local authentication types in the ADFS sign-in site's web.config; the handler listed first is the one used by default.
  <localAuthenticationTypes>
    <add name="Integrated" page="auth/integrated/" />
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="TlsClient" page="auth/sslclient/" />
    <add name="Basic" page="auth/basic/" />
  </localAuthenticationTypes>
But what if your WIF application wants something different, e.g. the ADFS above defaults to Integrated but your application wants Forms?
The trick is to set authenticationType in the application's web.config. WIF sends that value to ADFS as the wauth parameter of the WS-Federation sign-in request, and ADFS uses it to choose the handler instead of its default.
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true"
                  issuer="https://xxx/adfs/ls/"
                  realm="https://xxx/app/"
                  authenticationType="urn:oasis:names:tc:SAML:1.0:am:password"
                  requireHttps="true" />
    <cookieHandler requireSsl="true" />
  </federatedAuthentication>
The allowable values for authenticationType:
Windows integrated authentication:
urn:federation:authentication:windows
User name/password authentication i.e. Forms:
urn:oasis:names:tc:SAML:1.0:am:password
SSL client authentication:
urn:ietf:rfc:2246
As for the WIF claims, which tell your application which method ADFS actually used (wauth is only a request from the application, and a query parameter at that, so this claim is what to check):
Windows integrated authentication:
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod =
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
User name/password authentication i.e. Forms:
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod =
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
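Here is an added example (my code, not from the original post or from WIF itself) that ties the two halves together: a WIF 3.5 ClaimsAuthenticationManager that reads the authenticationType configured in web.config, maps it to the authenticationmethod claim value listed above, and refuses the session if ADFS issued a different method (for instance because it fell back to its default handler). It assumes the Microsoft.IdentityModel (WIF 3.5) API, an assumed class name RequireConfiguredAuthenticationMethod, and that the ADFS relying party trust passes the authentication method claim through to the application.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

// Added example, not code from the original post. Class name is an assumption.
public class RequireConfiguredAuthenticationMethod : ClaimsAuthenticationManager
{
    // Claim type ADFS uses to report the method it actually used (from the post above).
    private const string AuthenticationMethodClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod";

    // wauth value requested (authenticationType in web.config) -> claim value ADFS issues.
    // Only the two pairs listed in the post are mapped; add others before relying on them.
    private static readonly IDictionary<string, string> ExpectedClaimForWauth =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "urn:federation:authentication:windows",
              "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows" },
            { "urn:oasis:names:tc:SAML:1.0:am:password",
              "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password" },
        };

    public static string ExpectedClaimValue(string configuredAuthenticationType)
    {
        string expected;
        if (string.IsNullOrEmpty(configuredAuthenticationType) ||
            !ExpectedClaimForWauth.TryGetValue(configuredAuthenticationType, out expected))
        {
            // Fail closed: an unmapped or missing authenticationType means the check
            // cannot be enforced, so do not silently accept whatever ADFS sent.
            throw new InvalidOperationException(
                "authenticationType is not set or not mapped to an expected claim value: "
                + (configuredAuthenticationType ?? "<null>"));
        }
        return expected;
    }

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        // Not signed in yet: WIF will redirect to ADFS with the configured wauth.
        if (incomingPrincipal == null || incomingPrincipal.Identity == null ||
            !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        // authenticationType from <wsFederation ... /> is what WIF sent as wauth.
        string requested = FederatedAuthentication.WSFederationAuthenticationModule.AuthenticationType;
        string expected = ExpectedClaimValue(requested);

        IClaimsIdentity identity = (IClaimsIdentity)incomingPrincipal.Identity;
        Claim method = identity.Claims.FirstOrDefault(c => c.ClaimType == AuthenticationMethodClaimType);

        // Missing claim (RP trust does not pass it through) or a different method
        // (ADFS ignored wauth, or someone edited the sign-in URL): reject the session.
        if (method == null || !string.Equals(method.Value, expected, StringComparison.Ordinal))
        {
            throw new SecurityException(string.Format(
                "Expected authentication method {0} but token carried {1}",
                expected, method == null ? "<no claim>" : method.Value));
        }

        return incomingPrincipal;
    }
}
```

Register it in the application's web.config under <microsoft.identityModel><service> as <claimsAuthenticationManager type="RequireConfiguredAuthenticationMethod, YourAssembly" /> (assembly name assumed). Note that ADFS only includes the authentication method claim in the token if the relying party trust has an issuance rule that passes it through; without that rule the check above rejects every sign-in, which is the safe failure mode.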
Also refer:
Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type.
Enjoy!