I'm trying to configure our MVC 5 web site for single sign-on (SSO) with an on-premises ADFS server, which is running Windows Server 2012 R2. The server is configured to accept OAuth2 authentication so that both our web site and mobile devices can authenticate with the server. In the past, I've had no issue hooking up to an on-premises ADFS server using WS-Federation; however, this is a different ADFS server and allows for OAuth2 authentication, which is needed by our mobile devices.

I've tried the following with a new blank web site:

  • UseOpenIdConnectAuthentication - I tried this first because it works in Azure; however, OpenID Connect is only supported with Windows Server 2016 and above.
  • UseActiveDirectoryFederationServicesBearerAuthentication - I tried following this example; however, I can't follow the wizard steps since they have changed in VS2015. I configured the OWIN pipeline as he suggests; however, if I watch the network traffic in Chrome, it doesn't even appear to be talking to the ADFS server. I just get a "You are not authorized" error.

I was thinking about having the IT guys turn on WS-Federation for the web site; however, I'm not sure if the mobile devices could be rerouted to the ADFS server and do OAuth2 authentication if the web site is using WS-Federation. Thus, I'd like to get OAuth2 working for both, but I'm having no luck with it.


Update July 7, 2017

I'm reading Vittorio Bertocci's book "Modern Authentication with Azure Active Directory for Web Applications". In it he does a little history of ADFS v2 (Windows Server 2008 R2) and ADFS "v3" (Windows Server 2012 R2). On page 55, he states that from a .NET development perspective WS-Federation is the only supported protocol. All others require a lot of hand-tooling. This explains why WS-Federation worked for me and why this question can't get an answer: there are no .NET libraries to help with ADFS other than WS-Federation until you upgrade your server to Windows Server 2016, at which point you can use OpenID Connect.

1 Answer


In terms of VS 2015, when you get to the "Select a Template" page, click "Change Authentication". "Organizational Accounts" are now called "Work and School Accounts".

However, there is a bigger problem. The article you reference is "Securing a Web API with ADFS on WS2012 R2 Got Even Easier". Notice that is specifically about a web API not a web site.

That use case (web site) is not supported. To do that, as you say, you need OIDC in ADFS 4.0.

Don't use WS-Fed for mobile. OIDC is the way to go.

You could use identityserver for the OIDC part and then federate it with ADFS using WS-Fed.
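The split the answer describes (WS-Federation for browser users of the MVC site, OAuth2 bearer tokens for mobile clients calling a Web API) as a single OWIN Startup, written here as an added example rather than code from the question, the answer, or the linked article. Hostnames, the relying-party identifiers and the namespace are placeholders; the middleware types are the ones in the Microsoft.Owin.Security.WsFederation and Microsoft.Owin.Security.ActiveDirectory packages, and TokenValidationParameters is assumed to come from the System.IdentityModel.Tokens.Jwt 4.x package those OWIN 3.x packages depend on.

```csharp
// Added example, not from the original post. Placeholder hosts and identifiers;
// register the site and the API as two separate relying parties in ADFS.
using System;
using System.IdentityModel.Tokens;            // TokenValidationParameters (JWT 4.x, assumed)
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory; // UseActiveDirectoryFederationServicesBearerAuthentication
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;    // UseWsFederationAuthentication
using Owin;

[assembly: OwinStartup(typeof(Example.Startup))]

namespace Example
{
    public class Startup
    {
        // Placeholder values (assumptions): your ADFS 3.0 host and the two RP identifiers.
        const string AdfsHost    = "https://adfs.example.com";
        const string Metadata    = AdfsHost + "/FederationMetadata/2007-06/FederationMetadata.xml";
        const string SiteRealm   = "https://www.example.com/";   // RP identifier of the MVC site
        const string ApiAudience = "https://api.example.com/";   // RP identifier of the Web API

        public void Configuration(IAppBuilder app)
        {
            // 1) Interactive browser users of the MVC site: WS-Federation.
            //    The middleware redirects an unauthenticated browser to ADFS and
            //    turns the returned SAML token into a session cookie.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieSecure       = CookieSecureOption.Always, // never send the session cookie over plain HTTP
                CookieHttpOnly     = true
            });
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                MetadataAddress = Metadata,  // signing keys and issuer come from the metadata document
                Wtrealm         = SiteRealm
            });

            // 2) Mobile clients calling the Web API: OAuth2 access tokens (JWT) from ADFS.
            //    This middleware is passive: it only validates an "Authorization: Bearer ..."
            //    header and answers 401 when it is missing or invalid. It never redirects,
            //    so a browser hitting an API endpoint without a token sees only the 401.
            app.UseActiveDirectoryFederationServicesBearerAuthentication(
                new ActiveDirectoryFederationServicesBearerAuthenticationOptions
                {
                    MetadataEndpoint = Metadata,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        // Pin the audience: a token ADFS issued for the web site or any
                        // other relying party must not be accepted by this API.
                        ValidAudience    = ApiAudience,
                        ValidateAudience = true,
                        ValidateLifetime = true
                    }
                });
        }
    }
}
```

Two practical points follow from this layout. The bearer middleware does not initiate any flow, which is why watching a browser in Chrome shows no traffic to ADFS: the mobile client has to obtain the access token itself from the ADFS OAuth2 endpoint (after the client is registered on the ADFS side, which is outside this snippet) and present it in the Authorization header. And the audience check is the part worth not skipping: with the site and the API registered as two relying parties, a token minted for one must fail validation at the other, otherwise a token captured from the browser flow becomes a valid API credential.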