Wednesday, November 11, 2015

IdentityServer : Identity Server 3 as a WS-Federation IDP with an ASP.NET MVC application

Expanding on my previous post ...

BTW : idsrv3 documentation is here.

Run up the "Self-Host with WS-Federation"  from the samples.

It runs on "https://localhost:44333/core".

Now create a new MVC project in VS. I used VS 2013 with "ASP.NET Web Application" and .NET 4.5.

On the next page, ensure "MVC" is checked and click "Change Authentication".

Select the options as per:

 The metadata address is:


Now run the project, click the "About" or "Contact" tabs and you will be redirected to identityserver3 and you'll see a login screen.

As per my previous post, use alice/alice.(You can see these in the "Users.cs" file in the self-host project).

Then you'll get an error stating that the RP is invalid.

That's because you need to add the RP to the self-host project.

You do this in "RelyingParties.cs".

new RelyingParty
    Realm = "https://localhost:44307/",
    Enabled = true,
    ReplyUrl = "https://localhost:44307/",
    TokenType = TokenTypes.Saml11TokenProfile11,
    TokenLifeTime = 1,

    ClaimMappings = new Dictionary
        { "sub", ClaimTypes.NameIdentifier },
        { "name", ClaimTypes.Name },
        { "given_name", ClaimTypes.GivenName },
        { "surname", ClaimTypes.Surname },
        { "email", ClaimTypes.Email }


The 44307 endpoint is what was generated for the MVC project.

In "Users.cs" in the self-host project, change:

new InMemoryUser{Subject = "alice", Username = "alice", Password = "alice",
 Claims = new Claim[]
     new Claim(Constants.ClaimTypes.GivenName, "Alice"),
     new Claim(Constants.ClaimTypes.FamilyName, "Smith"),
     new Claim(Constants.ClaimTypes.Name, "Alice Smith"),
     new Claim(Constants.ClaimTypes.Email, ""),

In the MVC project, change "Contacts.cshtml" to:

    ViewBag.Title = "Contact";
@model IEnumerable
    @foreach (var claim in Model)
In the HomeController.cs in the MVC project, change:

public ActionResult Contact()
      return View((User as ClaimsPrincipal).Claims);

Then run up the project, authenticate, click the "Contacts" tab and viola:


No comments: