Tuesday, December 08, 2015

IdentityServer : ASP.NET MVC application to idsrv3 to ADFS via SAMLp 2.0

This continues the series of blogs I've done on IdentityServer 3.

This scenario involves idsrv3 as both an IDP to an ASP.NET MVC application and as an RP to ADFS. Also I'm using the InMemory option.

So the authentication chain is:

RP --> WS-Fed --> IS --> SAMLp 2.0 --> ADFS

Normally you would federate to ADFS via WS-Fed. However, in this scenario I want to use the
Kentor.AuthServices SAMLp stack so I'm using ADFS as a SAMLp IDP.

ADFS is v3.0. IS is version 3. This is being invoked by the Host.Web sample in idsrv3.

This builds on IdentityServer : ASP.NET MVC application to idsrv3 to Kentor.AuthServices via SAMLp 2.0

Note by SAMLp 2.0 I mean the SAML protocol, not the SAML token.

The code in IdentityServerExtension.cs in the Host.Configuration project of idsrv3 would look like:

// Kentor.AuthServices OWIN middleware: idsrv3 acts as the SAML2p service provider.
// The "false" argument means the options are built in code rather than read from web.config.
var authServicesOptions = new KentorAuthServicesAuthenticationOptions(false)
{
    SPOptions = new SPOptions
    {
        // This must match the relying party identifier registered in ADFS.
        EntityId = new EntityId("http://localhost:44333/core")
    },

    SignInAsAuthenticationType = signInAsType,   // supplied by the idsrv3 host extension
    AuthenticationType = "saml2p",
    Caption = "SAML2p",                          // label on the idsrv3 login button
};

// ADFS publishes its federation metadata at this well-known path.
Uri metadataURI = new Uri("https://adfs.local/federationmetadata/2007-06/federationmetadata.xml");

authServicesOptions.IdentityProviders.Add(new IdentityProvider(
    new EntityId("http://adfs.local/adfs/services/trust"),   // ADFS entity ID
    authServicesOptions.SPOptions)
{
    MetadataUrl = metadataURI,
    LoadMetadata = true,   // endpoints and signing certificate are read from the ADFS metadata
});

app.UseKentorAuthServicesAuthentication(authServicesOptions);

Now we need to configure ADFS. The idsrv3 metadata at core/wsfed/metadata refers only to WS-Fed, not to SAMLp, so we need to do this manually.

From the ADFS side, idsrv3 is an RP so we need to add a new RP.

Identifier tab:


We can leave out the certificates for the purposes of this exercise.

Endpoint tab:


where the second endpoint is:

https://localhost:44333/core/AuthServices/Acs

Under the Advanced tab, set the hash algorithm to SHA-1.

The claims rule mappings are exactly the same as per:

IdentityServer : ASP.NET MVC application to idsrv3 to ADFS
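The same ADFS relying party trust can be created from PowerShell instead of the GUI tabs above. This is an added example, not from the original post: it assumes the ADFS PowerShell module on the ADFS 3.0 server and a trust display name of "idsrv3 (SAML2p)" (constructed); the identifier and ACS endpoint are the ones used on this page, and the claims rules still come from the referenced post.

```powershell
# Added example (not part of the original post): scripted equivalent of the
# Identifier, Endpoint and Advanced tabs for the idsrv3 relying party trust.
Import-Module ADFS

$rpName     = "idsrv3 (SAML2p)"                                 # assumed display name
$identifier = "http://localhost:44333/core"                     # SP EntityId from SPOptions
$acsUrl     = "https://localhost:44333/core/AuthServices/Acs"   # Kentor.AuthServices ACS endpoint

# Assertion consumer service endpoint: ADFS POSTs the SAML response here.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                            -Uri $acsUrl -Index 0 -IsDefault $true

# Register idsrv3 as a relying party. The signature algorithm mirrors the
# "set the hash algorithm to SHA-1" step on the Advanced tab; rsa-sha256 is
# the stronger choice whenever the SP stack accepts it.
# The permit-all issuance authorization rule is what the GUI wizard adds by
# default; without an authorization rule ADFS denies every sign-in.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Claim mappings are applied separately, e.g.
#   Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Check: identifier, ACS endpoint and signing algorithm as the SP side expects them.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = "Acs"; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" } } }
```

If the identifier shown by the check differs from the EntityId in SPOptions, ADFS will reject the AuthnRequest from idsrv3, so compare the two values exactly (scheme and trailing slash included).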

Then run up the MVC application. This should redirect to the idsrv3 login screen. Click the SAML2p button and authenticate on ADFS. You should be redirected back to the application; click the Contacts tab and you should see the claims displayed.

If you want to see the actual SAML messages, use the excellent SAML tracer.

Enjoy!
