ADFS SAML SSO - ADFS as the Identity Provider/Claims Provider

Author	Message
ComponentSpace	ComponentSpace Posted 9 Years Ago #39
ComponentSpace Development Group: Administrators Posts: 3.1K, Visits: 10K	The Web Forms and MVC example identity and service providers demonstrate single sign-on with Windows Active Directory Federation Services (ADFS). The following sections describe the configuration for the Web Forms example identity provider and service provider but, with the appropriate changes, apply equally to the MVC examples. Miscellaneous Configuration For the purposes of these examples, the host name of the ComponentSpace example applications is cs.test and the host name of the ADFS server is adfs.test. If using these host names, update the Windows\System32\drivers\etc\hosts file on the test and ADFS servers to include entries for cs.test and adfs.test. For example: 192.168.1.20 cs.test 192.168.1.21 adfs.test 10.3.2 Configuring the Service Provider The following sections describe interoperability between the example service provider and ADFS acting as the claims provider (i.e. identity provider). The saml.config file includes the following entry for the ADFS partner identity provider. <PartnerIdentityProvider Name="http://adfs.test/adfs/services/trust" SignAuthnRequest="true" WantResponseSigned="false" WantAssertionSigned="true" WantAssertionEncrypted="true" UseEmbeddedCertificate="true" SingleSignOnServiceUrl="https://adfs.test/adfs/ls/"/> The name must match with the issuer name ADFS uses in the returned SAML response. For example, if ADFS is deployed to the myadfs server then the name must be http://myadfs/adfs/services/trust. The ADFS federation services properties lists the federation service identifier. The UseEmbeddedCertificate flag is set to simplify the configuration. If not set then the ADFS signature certificate needs to be imported to the service provider and configured in the SAML configuration certificate manager. The web.config’s PartnerIdP setting specifies the partner identity provider for SP-initiated SSO and should be set to http://www.idp.com/adfs/services/trust. <add key="PartnerIdP" value="http://adfs.test/adfs/services/trust"/> Configuring ADFS – Adding a Relying Party In the ADFS terminology, the service provider is a relying party. Using the ADFS management console, add a relying party trust for the service provider. Note that strings in ADFS, including URLs, are case sensitive. Confirm that the /adfs/ls endpoint for SAML v2.0 exists. If it doesn’t, refer to the ADFS documentation. Confirm that the service communications, token decrypting and token encrypting certificates exist. If they don’t, refer to the ADFS documentation. Add a relying party trust and select the option to enter the relying party information manually. Specify a display name. The display name does not have to match with any other configuration. Choose the ADFS profile.