We use ADFS 3.0 (Windows 2012 R2) server to access an ASP.NET browser (.NET 4.5) application, which uses ClaimsPrincipal class (part of the Windows Identity Foundation library). The ADFS servers authenticates to our Active Directory. The ASP.NET application runs properly if we use WS-Federation sign-in protocol but fails if we use SAML sign-in protocol. The error message is not helpful "An error occurred"
The ASP.NET is a web form application, developed using VB.NET
My questions:
1) Does ADFS 3.0 with SAML sign in protocol work with ASP.NET web form application which uses ClaimsPrincipal class, which is part of the Windows Identity Foundation libraries?
2) What are the changes (as compared to WS-Federation) we must make to web config in the ASP.NET application, to us SAML sign in protocol?
Thank you.
Chong Chin
To get WS-Fed to work, you either will be using WIF or the WS-Fed NuGet OWIN package?
There is no Microsoft equivalent for SAML.
You need a SAML stack (in the same way that WIF provides a WS-Fed stack).
Related
We are looking forward to implement ADFS to implement SSO across our organization for various set of web applications such as (SAP, Siebel, Custom java based, Asp.net etc.).
I understand based on my research that ADFS can be used to achieve SSO for third party applications using SAML. It can act as an identity provider for third party applications. Please correct me if I am wrong.
Can we use the ADFS to implement cookie based SSO for the various internal web based apps which I mentioned above?? (For Ex: CA Siteminder, ORacle Access manager can work with almost every internal web based application)
In other words: we have one application using apache webserver, one using IIS webserver, one using IHS webserver; can ADFS be used to achieve Single sign on with all these applications??? If yes, How ???
Thanks in Advance...!!
Ashish
ADFS implements SSO via federation using either WS-Fed or SAML 2.0.
If these applications can support these protocols, then yes just federate these products with ADFS and you will get SSO.
e.g. SalesForce SSO with ADFS.
For Java you need a SAML stack e.g. Spring Security.
For ASP.NET, use OWIN or WIF.
I have a big project in asp.net and I want to embed ADFS in it for authentication purpose.
Please suggest some links.
Thanks
Just to clarify:
You don't embed ADFS in an ASP.NET application. You add WIF or OWIN to the application and bind this with ADFS which sits on a Windows server. The latest version is ADFS 3.0 on Windows Server 2012 R2.
How To: Build Claims-Aware ASP.NET Web Forms Application Using WIF
WS-Federation in Microsoft OWIN Components–a quick start
OWIN is the newer technology.
And then you bind your application to ADFS.
Building a test claims-aware ASP.NET application and integrating it with ADFS 2.0 Security Token Service (STS)
we have a web application(Say wA) developed in java and we need to provide SSO login from client web application(Say WB) to WA and the requirement is to do with Okta-(SAML 2.0).
Currently im having the Idp mnetadatak, IDP Single Sign-On URL and Identity Provider Issuer link created from okta
Anybody please help me on this issue , what things to do in my application side to provide SSO login felicity. how to listen SSO request from my APP (WA).
Thanks and regards
In case you would like to add SAML support directly into your application (as opposed to including it for example in reverse proxy such as Apache or IIS), you can use either Spring SAML (with minimal Spring configuration in case you don't use Spring Security already) or OpenAM's Fedlet.
Spring SAML enables applications to act as a SAML 2.0 Service Provider by initializing web single sign-on towards IDP (Okta) and accepting and validating response (SAML 2.0 Assertion) sent back from Okta.
Good approach to implement Spring SAML is to start with the quick start guide which helps you create SAML 2.0 integration with a public SAML 2.0 Identity Provider, then change the IDP to Okta and then integrate the result into your application.
It is also possible to build SAML 2.0 support from scratch (using OpenSAML library), but significant knowledge of the protocol is needed for it to be done securely.
Some application servers also include SAML support (WebLogic, WebSphere, JBoss with its PicketLink library), but such configuration is of course not portable.
This is a classic example of too much information = too much confusion.
I have a ASP.NET web application that uses the usual POST form authentication and would like to implement SSO.
Since we're a Microsoft shop we will use the ADFS 2.0. In order to implement SSO I understand that I will need to have also WIF to process SAML requests?
Do I install the WIF under the same server as the ADFS?
I still want to re-direct failed SSO requests or non SSO requests to use the form, how do I handle this?
Can someone please describe the flow?
Thanks!
ADFS Supports two protocol for authenication.
1) WS-Federation Protocol
2) Web SSO SAML Protocol
*In Ws-Federation scenario*
For SSO between your Application and ADFS (Build trust relationship).
1) Install ADFS & WIF on one server , Create some users in AD.
2) Generate Federation Metadata.xml file in ADFS, save it one place for
future need.
3) Use Windows Azure Access Control Service(ACS) for
simplicity. (It will do all heavy lifting of your authentication
process of token coming from ADFS)
4) Generate Federation
Metadata.xml file in ACS and Import in your ADFS server as relying
party. (give some claims as well)
[http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trust-in-ad-fs-2-0.aspx?Redirected=true][1]
5) Import federation metadata.xml
file from ADFS server to ACS and Add it as Identity provider. (add
claim processing rule)
6) Now in your web Application use WIF
FedUtil Tool and import ACS federation metadata.xml file.
That's it.. you are good to go..
For Web SSO SAML protocol you have to do manual job of coding.
UseCase:
User will hit your application.
User is not authenticated so he will go to ACS and ACS will redirect it to ADFS login page.
User enters credentials. ADFS issue token to ACS with some claims. ACS will
transform incoming ADFS claims and give it to your application.
your application is now authenticated so you can use claims and do
authorization stuff.
You can use URL scheme to check where this request should go to your forms authentication or ADFS authentication.
eg. : http://somedomain.com/forms or http://somedomain.com/ADFS
So you are using SAML to some 3rd party STS?
WIF (out the box) does not support SAML.
There is a WIF SAML extension but this is only CTP (Community Technology Preview) at this point.
WIF is integrated with your ASP.NET application. For .NET 4 and below, there is a separate download. For .NET 4.5, it's integrated.
WIF is just a set of .NET classes inside your application.
You integrate WIF with your ASP.NET application using a tool called FedUtil which is part of the WIF SDK download. (Invoked by "Add STS" inside VS).
The ADFS install installs WIF on the server but this is seperate to your application.
The flow is:
.NET Application --> (WIF) --> (WS-Federation) --> ADFS --> (SAML) --> STS
We would like to use SAML 2.0 for a Single Sign On solution. As a typical Microsoft shop, we prefer to use Microsoft components as much as possible. Windows Identity Foundation supports SAML 2.0, but the extension is still in Community Technology Preview (CTP) for more than a year, with no information anywhere on future course. See http://blogs.msdn.com/b/alikl/archive/2011/05/16/windows-identity-foundation-wif-extension-for-saml-2-0-protocol-community-technology-preview-ctp.aspx
I came across an inspiring article by Michèle Bustamante: http://www.devproconnections.com/article/federated-security/generate-saml-tokens-using-windows-identity-foundation She actively promotes WIF + SAML 2.0, but nowhere in the article she talks about CTP or final release. Neither could I reach her for a clarification.
With this background, is it safe to use WIF Community Technology Preview for SAML 2.0 or stick with SAML 1.1? Does SAML 2.0 offer significant advantage over SAML 1.1? Is the future of SAML 1.1 in question?
Any other alternatives?
You should clarify whether you're talking about SAML 2.0 protocol (e.g SAMLP) or just the token type. WIF RTM supports SAML 2.0 tokens, but not SAMLP.
So if it's just SAML 2.0 token support you need, WIF RTM is sufficient, though WIF extensions CTP does add some SAMLP support.
If you're looking for a SAMLP solution and you're a Microsoft shop then you should consider ADFS 2.0.
ADFS 2.0 would do "protocol transition": it will talk SAMLP with the Identity Provider and WS-Federation with your app (both use SAML "Tokens"). WIF supports WS-Federation.
Take a look at Identity Server which is a STS that does use SQL Server for authentication. You can easily federate this with ADFS.
From what I remember about reading the licence agreement for the CTP release, it's just out there for comment - you can't use it e.g. in a Production environment.
As per #Eugenio, WIF only supports WS-Federation.
How were you intending to "stick with SAML 1.1"?
Update: What I suggest is that you use Identity Server to do the authentication against the DB. Your WIF applications are bound using FedUtil to Identity Server. You then federate Identity Server with ADFS. Your external parties use SAML to talk to ADFS and ADFS will handle the plumbing to enable them to authenticate with the Identity Server DB.
Note that WIF doesn't support SAML at all.