
Implementing Claims based authentication in ASP.NET WebApi using VS 2013 and ADFS 2.0

I have recently built an ASP.NET MVC 5 based application in Visual Studio 2013 that uses claims based authentication by interacting with our ADFS server. We use ADFS 2.0 and the server operating system is Windows 2008 R2. I followed this tutorial: http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/ and got the application working as per my expectations. Now I am tasked with building a claims based ASP.NET Web API service that would be consumed by some of my company's intranet applications. I thought I would follow similar steps to get this done. However, when I select the Web API option and select Authentication -> Organizational Accounts -> On Premises, it mentions that "ADFS in Windows Server 2012 R2 or later is required", essentially meaning that ADFS 3.0 is required. This wasn't a requirement when building the MVC application. I tried specifying the ADFS 2.0 federation metadata URL, but it gives me an error when running the application. Would it be possible for me to use ADFS 2.0 and build a Web API service using Visual Studio 2013?

Here's how I've done it in the past. I'm open to constructive criticism if someone has a better idea.

First, add the following NuGet package to your WebAPI project:

ValidatingIssuerNameRegistry

Next, comment out the body of the ConfigureAuth method in /App_Start/Startup.Auth.cs:

public void ConfigureAuth(IAppBuilder app)
{
    ////app.UseActiveDirectoryFederationServicesBearerAuthentication(
    ////    new ActiveDirectoryFederationServicesBearerAuthenticationOptions
    ////    {
    ////        Audience = ConfigurationManager.AppSettings["ida:Audience"],
    ////        MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"]
    ////    });
}

Next, add the following configuration sections to the top of your web.config:

<configuration>
  <configSections>
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <!-- The rest of your config goes here -->
</configuration>

Then, add the following application configuration values (you may also want to remove any existing entries with keys that start with "ida:"):

<appSettings>
  <add key="ida:FederationMetadataLocation" value="https://adfs.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml" />
  <add key="ida:Issuer" value="https://adfs.yourdomain.com/adfs/ls/" />
  <add key="ida:ProviderSelection" value="productionSTS" />
</appSettings>

Then, add the following system.web values:

<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
  <authentication mode="None" />
</system.web>

Finally, add the following to the end of your configuration file:

<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="https://localhost:44444/" />
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://adfs.yourdomain.com/adfs/services/trust">
        <keys>
          <add thumbprint="1234567890123456789012345678901234567890" />
        </keys>
        <validIssuers>
          <add name="http://adfs.yourdomain.com/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
    <!-- if chain trust doesn't work, look at the other options for this value -->
    <certificateValidation certificateValidationMode="ChainTrust" />
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" />
    <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.yourdomain.com/adfs/ls/" realm="https://localhost:44444/" requireHttps="true" />
  </federationConfiguration>
</system.identityModel.services>

There are a few placeholder values above, such as http://localhost:44444/ and adfs.yourdomain.com, for which you'll need to provide values appropriate to your organization.

Hope this helps.

Update:

I forgot the modules:

<system.webServer>
  <modules>
    <remove name="FormsAuthentication" />
    <remove name="WebDavModule" />
    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  </modules>
</system.webServer>

You'll probably need to add references to System.IdentityModel and System.IdentityModel.Services to your project.
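The issuerNameRegistry section above only accepts tokens signed by a certificate whose thumbprint is listed under keys, so a stale thumbprint (for example after an ADFS token-signing certificate rollover) or a mistyped authority name silently turns into rejected tokens. The following helper, added here and not part of the answer above, pulls the entityID and token-signing thumbprints out of an ADFS FederationMetadata.xml and compares them with a system.identityModel fragment; the metadata, certificate bytes and adfs.example.test host are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}  # SAML metadata, XML-DSig

def cert_thumbprint(b64_der):
    """Upper-case hex SHA-1 over the DER bytes: what .NET reports as X509Certificate2.Thumbprint."""
    return hashlib.sha1(base64.b64decode("".join(b64_der.split()))).hexdigest().upper()

def parse_federation_metadata(xml_text):
    """Return (entityID, set of token-signing thumbprints); encryption certificates are ignored on purpose."""
    root = ET.fromstring(xml_text)
    thumbs = set()
    for kd in root.findall(".//md:KeyDescriptor[@use='signing']", NS):
        for cert in kd.findall(".//ds:X509Certificate", NS):
            thumbs.add(cert_thumbprint(cert.text))
    return root.get("entityID"), thumbs

def check_issuer_registry(metadata_xml, identity_model_xml):
    """Compare a <system.identityModel> fragment with the metadata and return a list of findings."""
    entity_id, thumbs = parse_federation_metadata(metadata_xml)
    findings = []
    for auth in ET.fromstring(identity_model_xml).iter("authority"):
        if auth.get("name") != entity_id:
            findings.append("authority name %r does not match metadata entityID %r" % (auth.get("name"), entity_id))
        if entity_id not in {a.get("name") for a in auth.findall("validIssuers/add")}:
            findings.append("validIssuers does not list %r" % entity_id)
        for key in auth.findall("keys/add"):
            if key.get("thumbprint", "").upper() not in thumbs:  # stale after a cert rollover, or a typo
                findings.append("thumbprint %s is not a current token-signing certificate" % key.get("thumbprint"))
    return findings

# Constructed sample data: not a real certificate, just bytes to hash, under a placeholder host name.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-signing-cert-der-bytes").decode()
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor></EntityDescriptor>""" % (SAMPLE_CERT_B64, base64.b64encode(b"constructed-encryption-cert").decode())

def config_fragment(thumbprint):
    """<issuerNameRegistry> in the shape the answer above uses (type attribute omitted), thumbprint filled in."""
    return """<system.identityModel><identityConfiguration><issuerNameRegistry>
  <authority name="http://adfs.example.test/adfs/services/trust">
    <keys><add thumbprint="%s" /></keys>
    <validIssuers><add name="http://adfs.example.test/adfs/services/trust" /></validIssuers>
  </authority></issuerNameRegistry></identityConfiguration></system.identityModel>""" % thumbprint
```

Run it against the real FederationMetadata.xml and your deployed web.config after every ADFS certificate rollover; the placeholder thumbprint from the answer above produces exactly one finding, the matching thumbprint none.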
