Building a test claims-aware ASP.NET application and integrating it with ADFS 2.0 Security Token Service (STS)

 

We will need an ADFS (STS) in order to provide authentication services for our application.

Follow this link for instructions on setting up ADFS server.

Install IIS on the application server

clip_image001

In addition to the defaults add ASP.NET and accept the required prerequisite services to be added.

clip_image002

Also select IIS 6 Management Compatibility required by Visual Studio for publishing sites to IIS.

clip_image003

Create a DNS Alias for the Web Server host

In principal this is an optional step, since you could use the physical name of the server when requesting an SSL certificate for your application server. There are scenarios though when creating an alias might be required. For example if you are planning to publish this application through Unified Access Gateway you will need to ensure that the domain portion of the subject filed of the application server certificate matches that of the UAG trunk certificate. In general it is a good idea to leverage aliases as opposed physical names.

For more details on how to publish claims-aware applications via UAG, see this link

clip_image004

Request a certificate for the Application Web Server

clip_image005

Add HTTPS Binding on the Application Web Server

clip_image006

 

Install Visual Studio 2010 on the Application Web Server

Alternatively  you could create an application from your workstation and publish it to the web server.

clip_image007

 

Install Windows Identity Foundation and Windows Identity Foundation SDK

Windows Identity Foundation needs to be installed on the application server. If you are developing from your workstation install this component there as well.

clip_image008

SDK only needs to be installed on the box where you do development.

clip_image009

 

Create a test WIF Enabled ASP.NET Application

clip_image010

clip_image011

The Claims-aware ASP.NET Web Site Template is added by WIF SDK.

Setup a trust relationship from the application to the STS (ADFS) service by adding STS reference to the project.

clip_image012

clip_image013

It is important that the application URI matches what users will type to access the application as well as the subject filed of the certificate assigned to the IIS server.

clip_image014

If you don’t have ADFS Service installed and configured, see this link for instructions.

clip_image015

clip_image016

Disabling certificate validation and not enabling encryption options are only acceptable in a test environment.

For the chain validation to succeed you would need to ensure that CRL Distribution points of the signing CA of the SSL certificates are accessible by the ADFS server.

clip_image017

clip_image018

Build Web Site

clip_image019

Change Application Pools Settings

clip_image020

Make sure that the .NET version utilized by the pool matches the Windows Identity Framework version you downloaded (in my case I am using WIF for .NET 4).

clip_image021

Load User Profile advanced setting needs to be set to TRUE in order for the Web Server to be able to perform cryptographic functions while communicating with the ADFS server.

Create Relying Party Trust on ADFS server for the test application

clip_image022

clip_image023

clip_image024

clip_image025

Click on Next and then Close to launch Claims Edit Dialog.

Click on Add Rule

clip_image026

clip_image027

The choice of claims on the screenshot is arbitrary, you could choose any other claims and map them to the corresponding AD LDAP attributes and they will be sent to the application in a SAML token.

Click on Finish and then Ok

Test authentication to the application

Before testing ensure that the client trusts and can check the CRL distribution points of the SSL certificates assigned to the web and ADFS servers. Alternatively you could disable the CRL check on the browser.

If the client is in the same forest as the ADFS Server and you would like to achieve SSO than add the domain space in which the Web and ADFS servers reside to the Local Intranet zone.

clip_image028

clip_image029

If everything worked properly you should expect to see something similar to the screenshot above.