0
votes

I am building a prototype with the following context.

  • Two client applications (MVC & Mobile)
  • IdentityServer3 as a relying party
  • ADFS 3.0 as an identity provider
  • IdentityServer3.WsFederation plugin to provide SAML support

The MVC side is complete, but I am not sure how to approach the mobile side.

My previous attempt used a Web API and ADFS's "adfs/services/trust/13/usernamemixed" endpoint. This allowed the mobile device to send credentials to the API, which then authenticated the user using ADFS's endpoint. Then it returned a JWT token to the mobile app.

We must receive SAML tokens from the IdP (could be ADFS or a different IdP), but our apps are agnostic about the type of token.

I have two questions.

  1. IdentityServer3 doesn't support WS-Trust using the above endpoint (as far as I know), so what is the correct approach for this scenario for a mobile device login?
  2. Is the WsFederation plugin needed, since IdentityServer3 might handle converting the SAML token to JWT for the client apps?
Comments:
  • How are you agnostic if you require SAML tokens? (John Korsnes)
  • We can use either a JWT or SAML token. (user1424660)

1 Answer

0
votes

First thing, I wouldn't recommend SAML for mobile devices (especially native apps), as SAML assumes clients are browsers. In mobile apps, it opens a browser to authenticate, which is not the best approach, I feel. I would suggest using OpenID/OAuth for mobile devices.

An IdP can support multiple sign-in protocols such as WS-Fed, SAML 2.0 or OAuth. It depends on the client to use the relevant protocol.

Coming to WS-Fed with IdentityServer3, there is an OWIN middleware which helps in achieving it.

    using Microsoft.Owin.Security.WsFederation;
    using Owin;

    // Registers ADFS as a WS-Federation identity provider (runs inside the OWIN Startup.Configuration method).
    app.UseWsFederationAuthentication(
        new WsFederationAuthenticationOptions
        {
            Wtrealm = "https://localhost:44309/core",                    // identityserver3 (relying party identifier known to ADFS)
            Wreply = "replyaddress",                                     // address ADFS posts the token back to
            MetadataAddress = "https://localhost/federationmetadata.xml", // ADFS federation metadata (signing keys, endpoints)
            AuthenticationType = "adfs",
            Caption = "ADFS",
            SignInAsAuthenticationType = "sometype"                      // authentication type the resulting identity is signed in as
        });

The above code takes you to the ADFS login screen. After successful authentication you will be redirected back to the Wreply address mentioned above, and it returns a SAML 1.1 response. You need to parse it and use it.
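How those WS-Fed options plug into IdentityServer3's own external-provider hook, so that the mobile app talks OpenID Connect to IdentityServer and never touches the SAML response; this is an added example, not code from the answer or from the IdentityServer3 project, and the certificate path, hostnames, client id and redirect URI are placeholders.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using Microsoft.Owin.Security.WsFederation;
using Owin;
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var factory = new IdentityServerServiceFactory();
        factory.UseInMemoryClients(MobileClients());
        factory.UseInMemoryScopes(StandardScopes.All);
        factory.UseInMemoryUsers(new List<InMemoryUser>()); // no local password users; logins come from ADFS
        app.Map("/core", core => core.UseIdentityServer(new IdentityServerOptions
        {
            // Placeholder path/password: the certificate IdentityServer signs its own JWTs with.
            SigningCertificate = new X509Certificate2(@"C:\certs\idsrv.pfx", "pfx-password"),
            Factory = factory,
            AuthenticationOptions = new AuthenticationOptions
            {
                // IdentityServer calls this hook and supplies the authentication type the external middleware must sign in as.
                IdentityProviders = ConfigureIdentityProviders
            }
        }));
    }
    // ADFS as external IdP: the WS-Fed middleware consumes the SAML 1.1 response; IdentityServer then issues its own JWT.
    private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            AuthenticationType = "adfs",
            SignInAsAuthenticationType = signInAsType, // use the supplied value rather than a hard-coded "sometype"
            Wtrealm = "https://idsrv.example.com/core", // placeholder: relying party identifier registered in ADFS
            MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml" // placeholder
        });
    }
    // The mobile app is an OpenID Connect client of IdentityServer: it only ever receives IdentityServer's JWT, whichever IdP signed the user in.
    private static IEnumerable<Client> MobileClients() => new[]
    {
        new Client
        {
            ClientId = "mobile.app", // placeholder
            Flow = Flows.Implicit,
            RedirectUris = new List<string> { "myapp://callback" }, // placeholder custom-scheme redirect
            AllowedScopes = new List<string> { "openid", "profile" }
        }
    };
}
```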