OpenId Connect Web Sign On with ADFS in Windows Server 2016 TP3
Enabling OpenId Connect with AD FS 2016
Vittorio's article (the first one) is also good for configuring ADFS, setting up AD, promoting it as a DC etc.
I ran up the server as an Azure VM.
I used the second article.
Note that the second article has obviously been copied and pasted from somewhere else, because it contains a number of errors:
- You don't need an Azure subscription
- You don't need to do any Web API configuration
- You don't need the secret key, only the ClientID
I added more scopes so I had: email, profile and openid.
When you run up the sample, you may get an error along the lines of "The certificate is invalid according to the criteria".
To fix this, you have to add the ADFS SSL certificate to the client's trusted certificate store.
After successful authentication, using the Firefox SAML tracer, look at the response and you will see a parameter called "code" and another called "id_token".
The code is the access token which you can then use if e.g. you want to call a Web API.
The id_token is Base64 encoded and in JWT format, so cut and paste it into Auth0's http://jwt.io and you will see something like:
Header:

```json
{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "M7jHG4emiaI2_...50",
  "kid": "M7jHG4emiaI2_...50"
}
```

Payload data:

```json
{
  "aud": "f93919a8-...142fdb",
  "iss": "https://myadfs.TP4.cloudapp.net/adfs",
  "iat": 1457987350,
  "exp": 1457990950,
  "auth_time": 1457987344,
  "nonce": "635935841286452744.OTI0...DNkYzJi",
  "sub": "US6dgINcoMI...Ehgw=",
  "upn": "user-xxx@dev.local",
  "unique_name": "DEV\\user-xxx",
  "c_hash": "FlQfk4V_9...-xXw"
}
```
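As an added example (not code from the post), here is how the client should check the claims of an id_token like the one above before trusting them, using only the Python standard library: iss, aud, nonce, the iat/exp window, and that c_hash binds the id_token to the code returned alongside it (OpenID Connect Core 3.3.2.11: base64url of the left half of SHA-256(code) for RS256). The token, code, nonce and client id are constructed sample values with a placeholder signature; a real token's RS256 signature must be verified against the ADFS JWKS before any of these claim checks mean anything.

```python
import base64
import hashlib
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def c_hash_for(code: str) -> str:
    # OIDC Core 3.3.2.11 for alg RS256: base64url(left 128 bits of SHA-256(code))
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])

def decode_jwt(token: str):
    # Decodes header and payload only; the signature is NOT verified here
    header_seg, payload_seg, _signature = token.split(".")
    return json.loads(b64url_decode(header_seg)), json.loads(b64url_decode(payload_seg))

def validate_id_token(token, expected_iss, client_id, expected_nonce, code, now):
    """Return the list of failed checks; an empty list means the claims are acceptable."""
    header, claims = decode_jwt(token)
    problems = []
    if header.get("alg") != "RS256":              # ADFS signs with RS256; refuse anything else
        problems.append("alg")
    if claims.get("iss") != expected_iss:         # token must come from our ADFS
        problems.append("iss")
    if claims.get("aud") != client_id:            # and be minted for this client id
        problems.append("aud")
    if claims.get("nonce") != expected_nonce:     # ties the token to our own sign-in request
        problems.append("nonce")
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        problems.append("exp")
    if claims.get("c_hash") != c_hash_for(code):  # binds this id_token to that code
        problems.append("c_hash")
    return problems

# Constructed sample values (placeholders, not real ADFS output); times are the ones shown above
ISS, CLIENT_ID = "https://myadfs.TP4.cloudapp.net/adfs", "CLIENT-ID-PLACEHOLDER"
NONCE, CODE = "constructed-nonce", "constructed-auth-code"
SAMPLE_CLAIMS = {"aud": CLIENT_ID, "iss": ISS, "iat": 1457987350, "exp": 1457990950,
                 "nonce": NONCE, "upn": "user-xxx@dev.local", "c_hash": c_hash_for(CODE)}
SAMPLE_TOKEN = ".".join([b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
                         b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
                         "SIGNATURE-PLACEHOLDER"])

if __name__ == "__main__":
    print(validate_id_token(SAMPLE_TOKEN, ISS, CLIENT_ID, NONCE, CODE, now=1457988000))
```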
Now if you use the code from an earlier blog post to display the claims on the "Contact" page, i.e.

```csharp
ViewBag.ClaimsIdentity = Thread.CurrentPrincipal.Identity;
```

you'll see:
| Claim Type | Claim Value |
|---|---|
| aud | a29a6605-.0957 |
| iss | https://myadfs.TP4.cloudapp.net/adfs |
| iat | 1458089631 |
| exp | 1458093231 |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant | 1458080168 |
| nonce | 6359368642...mMy |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | 3VYhqcs/b2H6n+4L4FXmlqX5A53+lnqqwq9Ectmg+3k= |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn | userxxx@dev.local |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DEV\userxxx |
| c_hash | YZH_zyOqt9...06Q |
What's interesting is that you can't add claims rules in the ADFS wizard to a web site application group so e.g. the NameID is a GUID!
You'll notice the claims are a combination of OAuth and the old "WIF style".
Enjoy!
1 comment:
When I am using SAML tracer to fetch the claims which are being passed in the id_token, I don't see a code or id_token parameter anywhere in the response.