2
votes

I want to provide a user name and password to a .Net Console app or Web Page, to authenticate against Active Directory Federation Services. At this point all I have is https://mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml, and I have a valid user name and password to test.

I followed some articles, viz., https://dotnetcodr.com/2013/02/28/claims-based-authentication-in-mvc4-with-net4-5-c-part-2-storing-authentication-data-in-an-authentication-session/

I reviewed and found that we have to add a "Relying Party" in ADFS, to use ADFS as an auth store.

In the 2nd link, it is using a Federated IdP. Instead I want to use some console app to provide a username and password and get authenticated. But it is not clear to me where to provide the user name and password in the console app. Any help is appreciated! Thanks in advance.

1
did you get final solution? – PreguntonCojoneroCabrón

1 Answer

0
votes

The following code works for me:

using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Protocols.WSTrust;
using System.ServiceModel;
using System.ServiceModel.Security;
// Aliases pin the WIF 3.5 (Microsoft.IdentityModel) types, avoiding ambiguity with the
// same-named types that live in System.ServiceModel.Security on .NET 4.5.
using WSTrustChannel = Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel;
using WSTrustChannelFactory = Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannelFactory;

namespace SOS.Tools.AdfsConnectionChecker
{
    internal class Token
    {
        public static SecurityToken GetToken(string username, string password, string tokenIssuer, string appliesTo, out RequestSecurityTokenResponse rsts)
        {
            // TransportWithMessageCredential: the username/password travel as a WS-Security
            // UsernameToken inside the SOAP message, and the message itself goes over HTTPS.
            WS2007HttpBinding binding = new WS2007HttpBinding();
            binding.Security.Message.EstablishSecurityContext = false;
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            binding.Security.Mode = SecurityMode.TransportWithMessageCredential;

            // ADFS WS-Trust 1.3 "usernamemixed" endpoint: username in the message, TLS on the transport.
            var tokenIssuerUrlFormat = "https://{0}/adfs/services/trust/13/usernamemixed";
            var tokenIssuerUrl = string.Format(tokenIssuerUrlFormat, tokenIssuer);

            WSTrustChannelFactory trustChannelFactory =
                new WSTrustChannelFactory(binding, new EndpointAddress(tokenIssuerUrl));

            trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
            trustChannelFactory.Credentials.UserName.UserName = username;
            trustChannelFactory.Credentials.UserName.Password = password;

            trustChannelFactory.ConfigureChannelFactory();

            // Build the Issue request for the relying party and ask the STS for a token.
            RequestSecurityToken requestToken = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue);
            requestToken.AppliesTo = new EndpointAddress(appliesTo);

            WSTrustChannel tokenClient = (WSTrustChannel) trustChannelFactory.CreateChannel();
            SecurityToken token = tokenClient.Issue(requestToken, out rsts);
            return token;
        }
    }
}
  • username - Domain user name (e.g. [email protected])
  • password - Domain user password
  • tokenIssuer - ADFS URL (adfs.somedomain.com). That ADFS should be connected to the Active Directory where the username is created
  • appliesTo - Application you want the token for (e.g. https://apps.anydomain.com/WcfService1). It has to be configured on the tokenIssuer as a Relying Party.
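The same WS-Trust exchange as a complete console program, added here as an example and not taken from the answer above or from any Microsoft sample. It uses the WS-Trust types that ship in the .NET 4.5 framework (System.ServiceModel.Security and System.IdentityModel.Protocols.WSTrust) instead of the separate WIF 3.5 Microsoft.IdentityModel assembly, prompts for the password instead of embedding it, asks explicitly for a bearer SAML 2.0 assertion, and distinguishes an authentication failure from other transport errors. The ADFS host name and the relying-party identifier are placeholders you must replace with your own values.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;   // RequestSecurityToken, RequestTypes, KeyTypes, EndpointReference
using System.IdentityModel.Tokens;              // SecurityToken, GenericXmlSecurityToken
using System.ServiceModel;
using System.ServiceModel.Security;             // WSTrustChannelFactory, WSTrustChannel, TrustVersion

namespace AdfsConsoleExample
{
    internal static class Program
    {
        // Assumed placeholder values: the ADFS farm host and the relying-party identifier
        // registered on it. Replace both before running.
        private const string AdfsHost = "adfs.example.com";
        private const string RelyingPartyId = "https://apps.example.com/WcfService1";

        private static void Main()
        {
            Console.Write("User name (user@domain): ");
            string username = Console.ReadLine();
            string password = ReadPassword("Password: ");

            try
            {
                GenericXmlSecurityToken token = RequestBearerToken(AdfsHost, RelyingPartyId, username, password);
                Console.WriteLine("Token issued; valid from {0:u} to {1:u}", token.ValidFrom, token.ValidTo);
                Console.WriteLine("Token root element: <{0}>", token.TokenXml.Name);
                // The console app only obtains the token. The relying party that receives it must still
                // validate the signature against the ADFS signing certificate, the audience and the lifetime.
            }
            catch (MessageSecurityException ex)
            {
                // Wrong user name or password: ADFS returns a WS-Trust FailedAuthentication fault,
                // which WCF surfaces as MessageSecurityException. Do not log the submitted password.
                Console.WriteLine("Authentication failed: " + ex.Message);
            }
            catch (CommunicationException ex)
            {
                // Endpoint unreachable, TLS handshake failure, wrong host, etc.
                Console.WriteLine("Could not reach the STS: " + ex.Message);
            }
        }

        // Calls the ADFS WS-Trust 1.3 usernamemixed endpoint and returns the issued bearer token.
        private static GenericXmlSecurityToken RequestBearerToken(string adfsHost, string appliesTo, string username, string password)
        {
            // Password goes in a WS-Security UsernameToken inside the message; the message rides on HTTPS.
            var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            binding.Security.Message.EstablishSecurityContext = false;

            var endpoint = new EndpointAddress("https://" + adfsHost + "/adfs/services/trust/13/usernamemixed");

            using (var factory = new WSTrustChannelFactory(binding, endpoint))
            {
                factory.TrustVersion = TrustVersion.WSTrust13;
                factory.Credentials.UserName.UserName = username;
                factory.Credentials.UserName.Password = password;

                var rst = new RequestSecurityToken
                {
                    RequestType = RequestTypes.Issue,
                    AppliesTo = new EndpointReference(appliesTo),   // must match a relying-party identifier on ADFS
                    KeyType = KeyTypes.Bearer,                      // no proof key: the assertion alone is presented
                    TokenType = "urn:oasis:names:tc:SAML:2.0:assertion"
                };

                var channel = (WSTrustChannel)factory.CreateChannel();
                RequestSecurityTokenResponse rstr;
                SecurityToken token = channel.Issue(rst, out rstr);

                // For a bearer SAML token the framework hands back the raw XML wrapped in GenericXmlSecurityToken.
                return (GenericXmlSecurityToken)token;
            }
        }

        // Reads a password from the console without echoing it.
        private static string ReadPassword(string prompt)
        {
            Console.Write(prompt);
            var buffer = new System.Text.StringBuilder();
            while (true)
            {
                ConsoleKeyInfo key = Console.ReadKey(intercept: true);
                if (key.Key == ConsoleKey.Enter) { Console.WriteLine(); break; }
                if (key.Key == ConsoleKey.Backspace) { if (buffer.Length > 0) buffer.Length--; continue; }
                if (!char.IsControl(key.KeyChar)) buffer.Append(key.KeyChar);
            }
            return buffer.ToString();
        }
    }
}
```

The program needs references to System.ServiceModel, System.IdentityModel and System.Runtime.Serialization. The usernamemixed endpoint only accepts the password over a TLS-protected channel, so the ADFS certificate must be trusted by the machine running the console app; if you see a CommunicationException about the certificate, fix the trust chain rather than disabling certificate validation.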