The Web Forms and MVC example identity and service providers demonstrate single sign-on with Windows Active Directory Federation Services (ADFS).
The following sections describe the configuration for the Web Forms example identity provider and service provider but, with the appropriate changes, apply equally to the MVC examples.
Configuring the Identity Provider
The following sections describe interoperability between the example identity provider and ADFS acting as the relying party (i.e. service provider).
The saml.config file includes the following entry for the ADFS partner service provider.
<PartnerServiceProvider Name="http://adfs.test/adfs/services/trust"
WantAuthnRequestSigned="false"
SignResponse="false"
SignAssertion="true"
EncryptAssertion="false"
AssertionConsumerServiceUrl="https://adfs.test/adfs/ls/"/>
The name must match with the issuer name ADFS uses in the authn request. For example, if ADFS is deployed to the myadfs server then the name must be http://myadfs/adfs/services/trust.
The web.config’s PartnerSP setting specifies the partner service provider for IdP-initiated SSO and should be set to http://adfs.test/adfs/services/trust.
<add key="PartnerSP" value="http://adfs.test/adfs/services/trust"/>
The web.config’s TargetUrl setting specifies, for IdP-initiated SSO, the relying party configured in ADFS and should be set to RPID=ExampleServiceProvider.
The RPID syntax is specific to ADFS. If not specified then ADFS will convert the IdP-initiated SSO into SP-initiated SSO.
<add key="TargetUrl" value="RPID=ExampleServiceProvider"/>
Configuring ADFS – Adding a Claims Provider
To support IdP-initiated SSO, edit the ADFS web.config at C:\inetpub\adfs\ls. In the microsoft.identityServer.web, add the following entry:
<useRelayStateForIdpInitiatedSignOn enabled="true" />
If not enabled, ADFS will convert IdP-initiated SSO into SP-initiated SSO.
In the ADFS terminology, the identity provider is a claims provider. Using the ADFS management console, add a claims provider trust for the identity provider.
Note that strings in ADFS, including URLs, are case sensitive.
Confirm that the /adfs/ls endpoint for SAML v2.0 exists. If it doesn’t, refer to the ADFS documentation.
Confirm that the service communications, token decrypting and token encrypting certificates exist. If they don’t, refer to the ADFS documentation.
Add a claims provider trust and select the option to enter the claims provider information manually.
Specify a display name. The display name does not have to match with any other configuration.
Choose the ADFS profile.
Enable support for SAML v2.0 and specify the identity provider’s SSO service URL. ADFS sends the authn request to this URL. For example:
https://cs.test/ExampleIdentityProvider/SAML/SSOService.aspx