Thursday, September 1, 2011

The quest for customizing ADFS sign-in web pages, part 4 – federation of the RP with ADFS

A quick summary – we are working on a custom STS which the ADFS will federate with. In our previous blog entry we have built a custom RP application and federated it with our custom STS.

Federation of the the RP application with ADFS should be easy. Remember that because the federation details (Issuer and Realm) are stored in the FederatedPassiveSignIn control (LoginPage.aspx in the RP application), you just have to go there and replace the values with correct ones:

<wif:FederatedPassiveSignIn ID="WSFederationLogin"             
        runat="server" 
        DisplayRememberMe="false" 
        RequireHttps="false" 
        Realm="https://customrp.mydomain.com/LoginPage.aspx"
        Issuer="https://fs.adfs.pl/adfs/ls/"
        VisibleWhenSignedIn="false">
    </wif:FederatedPassiveSignIn>    

As you can see the RP application is published on https://customrp.mydomain.com and the ADFS is published on https://fs.adfs.pl/adfs/ls/. The HTTPS for both components is important – the ADFS will not work on the HTTP binding and will not federate with an RP available via HTTP.

Then go to the microsoft.identityModel section of the RP’s web.config and set the audience Uri (the Uri the STS is allowed to point back to) to https://customrp.mydomain.com/LoginPage.aspx. 

The remaining task is to create a Relying Party Trust in the ADFS as ADFS will not return claims to an unknown relying party. To do so, open the ADFS management snapin, go to Relying Party Trust, click on “Add Relying Party Trust” and select manual configuration (since our simple RP application does not publish any metadata).

On the next tab select “ADFS 2.0 profile …”, click next and then next and stop where ADFS asks about the passive WS-Federation. Yes, you want to have the passive WS-Federation enabled, check the box in then and put “https://customrp.mydomain.com/LoginPage.aspx” as the WS-Federation Uri of this RP. Note that the Uri is case sensitive and must match the audience Uri you have provided in the RP’s configuration.

When the wizard closes (just click “next” until it does so) you will see a new configuration window where you configure claims which will be passed to your RP application. Select “passthrough claim” for “Name” and “Role” – because of the way the LDAP is configured as the claims provider, both attributes can be passed through to your RP application.

When you are done, try to log into your application. Instead of the custom STS login page, you should see the ADFS login page and when you provide valid credentials, you should be redirected to your application.

No comments: