0
votes

I am trying to create an ASP.NET MVC web application with .NET 4.5 that uses claims-based authentication with an ADFS 2.0.

I am following the tutorial at https://docs.microsoft.com/en-us/dotnet/framework/security/how-to-build-claims-aware-aspnet-mvc-web-app-using-wif

When I run the application, I am getting the error "Too many redirects". I suspect this is due to some wrong configuration in the application's Web.config, which is as follows:

<system.identityModel>
    <identityConfiguration>
        <audienceUris>
            <add value="https://application1.ourdomain.com/" />
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
            <trustedIssuers>
                <add thumbprint="RTEWQ67890ABCDEFGHIJKLMNOPQRSTUVWXYZZZZ"/>
            </trustedIssuers>
        </issuerNameRegistry>
        <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
    <federationConfiguration>
        <cookieHandler requireSsl="false" />
        <wsFederation passiveRedirectEnabled="true" issuer="https://application1.ourdomain.com/trust/" realm="https://application1.ourdomain.com/" reply="https://application1.ourdomain.com/" requireHttps="false" />
    </federationConfiguration>
</system.identityModel.services>

On the ADFS 2.0, the claims are configured as follows:

SigningCertificateRevocationCheck    : CheckChainExcludeRoot
WSFedEndpoint                        : https://application1.ourdomain.com/trust/
AdditionalWSFedEndpoint              : {}
ClaimsProviderName                   : {}
IssuanceTransformRules               : @RuleTemplate = "LdapClaimsRuleTemplate"
                                       @RuleName = "application1 Claim Rule"
                                       c:[Type ==
                                       "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                                       Issuer == "AD AUTHORITY"]
                                        => issue(store = "Active Directory", types =
                                       ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                                       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                                       "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query =
                                       ";userPrincipalName,mail,tokenGroups;{0}", param = c.Value);
ClaimsAccepted                       : {}
ConflictWithPublishedPolicy          : False
EncryptClaims                        : True
Enabled                              : True
EncryptionCertificate                :
Identifier                           : {urn:stsout.ourdomain.com:application1}
LastMonitoredTime                    : 01/01/1900 01:00:00
LastPublishedPolicyCheckSuccessful   :
LastUpdateTime                       : 01/01/1900 01:00:00
MetadataUrl                          :
MonitoringEnabled                    : False
Name                                 : application1 Relying Party Trust
NotBeforeSkew                        : 0
EnableJWT                            : False
AlwaysRequireAuthentication          : False
Notes                                :
OrganizationInfo                     :
ImpersonationAuthorizationRules      :
AdditionalAuthenticationRules        :
ProxyEndpointMappings                : {}
ProxyTrustedEndpoints                : {}
ProtocolProfile                      : WsFed-SAML
RequestSigningCertificate            : {}
EncryptedNameIdRequired              : False
SignedSamlRequestsRequired           : False
SamlEndpoints                        : {}
SamlResponseSignature                : AssertionOnly
SignatureAlgorithm                   : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime                        : 0
AllowedClientTypes                   : Public
IssueOAuthRefreshTokensTo            : NoDevice

AllowedAuthenticationClassReferences : {}
AutoUpdateEnabled                    : False
DelegationAuthorizationRules         :
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
PublishedThroughProxy                : True
IssuanceAuthorizationRules           : @RuleTemplate = "AllowAllAuthzRule"
                                        => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
                                       Value = "true");

What should the Web.config entries of issuer, realm and reply be? Is the ADFS 2.0 claim set correctly?

1 Answer

0
votes

The issuer is the ADFS URL e.g. https://my-adfs/adfs/ls/.

Update

This is the ADFS URL. You will have to ask the ADFS team for the actual address (the piece that you substitute in "my-adfs").

e.g. https://adfs234.cloudapp.net/adfs/ls/

You can also get it from the metadata if the ADFS team can provide that.

Yes - it's specific to that installation.
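The relationship the answer points at, between the wsFederation element in Web.config and the relying-party trust registered in ADFS, as an added example in Python that is not part of the question or the answer. It parses the Web.config posted in the question, compares issuer, realm, reply and audienceUris against the Identifier and WSFedEndpoint values visible in the ADFS output, and reports each mismatch, then derives the settings that would pass. The ADFS host name adfs.ourdomain.com is an assumption standing in for the address the ADFS team would supply, and the sample config and trust values are constructed from what the question shows.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the <system.identityModel*> sections from the question,
# wrapped in a root element so they parse as one document.
WEB_CONFIG = """<configuration>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://application1.ourdomain.com/" />
      </audienceUris>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false" />
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://application1.ourdomain.com/trust/"
                    realm="https://application1.ourdomain.com/"
                    reply="https://application1.ourdomain.com/"
                    requireHttps="false" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>"""

# Constructed sample: the two relying-party trust properties from the
# Get-AdfsRelyingPartyTrust output in the question that Web.config must match.
ADFS_TRUST = {
    "Identifier": "urn:stsout.ourdomain.com:application1",
    "WSFedEndpoint": "https://application1.ourdomain.com/trust/",
}

# Hypothetical ADFS host name; the real one comes from the ADFS team or the
# federation metadata, as the answer says.
ADFS_HOST = "adfs.ourdomain.com"


def parse_federation(xml_text):
    """Pull the WS-Federation settings and audience URIs out of a Web.config."""
    root = ET.fromstring(xml_text)
    ws = next(root.iter("wsFederation"))
    audiences = [a.get("value") for a in next(root.iter("audienceUris")).findall("add")]
    return {
        "issuer": ws.get("issuer"),
        "realm": ws.get("realm"),
        "reply": ws.get("reply"),
        "requireHttps": ws.get("requireHttps", "true"),
        "audiences": audiences,
    }


def check_federation(cfg, trust, adfs_host):
    """Return findings; an empty list means the config is consistent with the trust."""
    findings = []
    expected_issuer = f"https://{adfs_host}/adfs/ls/"
    # issuer is where WIF redirects unauthenticated users: the ADFS passive endpoint.
    if cfg["issuer"] != expected_issuer:
        msg = f"issuer should be the ADFS passive endpoint {expected_issuer}"
        if urlparse(cfg["issuer"]).hostname == urlparse(cfg["reply"]).hostname:
            msg += " (it currently points at the application itself, which is a redirect loop)"
        findings.append(msg)
    # realm (wtrealm) is matched by ADFS against the relying party's Identifier.
    if cfg["realm"] != trust["Identifier"]:
        findings.append(f"realm (wtrealm) must equal the RP identifier {trust['Identifier']}")
    # reply (wreply) is where ADFS posts the token: the trust's WSFedEndpoint.
    if cfg["reply"] != trust["WSFedEndpoint"]:
        findings.append(f"reply (wreply) must equal the RP WSFedEndpoint {trust['WSFedEndpoint']}")
    # ADFS writes the RP identifier into the token's audience restriction,
    # so WIF only accepts the token if audienceUris lists that identifier.
    if trust["Identifier"] not in cfg["audiences"]:
        findings.append("audienceUris must list the RP identifier ADFS puts in the token audience")
    # requireHttps="false" lets the sign-in request and the posted token travel over plain HTTP.
    if cfg["requireHttps"].lower() != "true":
        findings.append('requireHttps="false" allows the sign-in exchange over plain HTTP')
    return findings


def corrected_settings(trust, adfs_host):
    """The wsFederation and audienceUris values derived from the trust."""
    return {
        "issuer": f"https://{adfs_host}/adfs/ls/",
        "realm": trust["Identifier"],
        "reply": trust["WSFedEndpoint"],
        "requireHttps": "true",
        "audiences": [trust["Identifier"]],
    }


if __name__ == "__main__":
    for finding in check_federation(parse_federation(WEB_CONFIG), ADFS_TRUST, ADFS_HOST):
        print("-", finding)
    print("corrected:", corrected_settings(ADFS_TRUST, ADFS_HOST))
```

Run against the posted config it reports five findings; the dictionary returned by corrected_settings is what the wsFederation element and audienceUris should carry once the real ADFS host is substituted.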