ADFS 2.0, SSO and SAML 2.0

3
votes

This is a classic example of too much information = too much confusion. I have a ASP.NET web application that uses the usual POST form authentication and would like to implement SSO. Since we're a Microsoft shop we will use the ADFS 2.0. In order to implement SSO I understand that I will need to have also WIF to process SAML requests? Do I install the WIF under the same server as the ADFS?

I still want to re-direct failed SSO requests or non SSO requests to use the form, how do I handle this?

Can someone please describe the flow?

Thanks!

2
single-sign-onadfs2.0saml-2.0

2 Answers

1
votes

So you are using SAML to some 3rd party STS?

WIF (out the box) does not support SAML.

There is a WIF SAML extension but this is only CTP (Community Technology Preview) at this point.

WIF is integrated with your ASP.NET application. For .NET 4 and below, there is a separate download. For .NET 4.5, it's integrated.

WIF is just a set of .NET classes inside your application.

You integrate WIF with your ASP.NET application using a tool called FedUtil which is part of the WIF SDK download. (Invoked by "Add STS" inside VS).

The ADFS install installs WIF on the server but this is seperate to your application.

The flow is:

.NET Application --> (WIF) --> (WS-Federation) --> ADFS --> (SAML) --> STS

2
votes

ADFS Supports two protocol for authenication. 1) WS-Federation Protocol 2) Web SSO SAML Protocol

*In Ws-Federation scenario* For SSO between your Application and ADFS (Build trust relationship). 

1)  Install ADFS & WIF on one server , Create some users in AD. 

2) Generate Federation Metadata.xml file in ADFS, save it one place for
future need. 

3)  Use Windows Azure Access Control Service(ACS) for
simplicity. (It will do all heavy lifting of your  authentication
process of token coming from ADFS) 

4)  Generate Federation
Metadata.xml file in ACS and Import in your ADFS server as relying
party. (give some claims as well)

[http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trust-in-ad-fs-2-0.aspx?Redirected=true][1]

5)  Import federation metadata.xml
file from ADFS server to ACS and Add it as Identity provider. (add
claim processing rule) 

6)  Now in your web Application use WIF
FedUtil Tool and import ACS federation metadata.xml file.

That's it.. you are good to go..

For Web SSO SAML protocol you have to do manual job of coding.

UseCase:

  1. User will hit your application.

  2. User is not authenticated so he will go to ACS and ACS will redirect it to ADFS login page.

  3. User enters credentials. ADFS issue token to ACS with some claims. ACS will transform incoming ADFS claims and give it to your application.

  4. your application is now authenticated so you can use claims and do authorization stuff.

You can use URL scheme to check where this request should go to your forms authentication or ADFS authentication. eg. : http://somedomain.com/forms or http://somedomain.com/ADFS