I have recently built an asp.net mvc 5 based application in Visual Studio 2013 that uses claims based authentication by interacting with our ADFS server. We use ADFS 2.0 and the server operating system is Windows 2008 R2. I followed this tutorial: http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/ and got the application working as per my expectations. Now I am tasked with building a claims based asp.net web api service that would be consumed by some of my company's intranet applications. I thought I would follow similar steps to get this done. However, when I select the Web API option, and select Authentication->Organizational Accounts->On Premises, it mentions that "ADFS in Windows Server 2012 R2 or later is required", essentially meaning that ADFS 3.0 is required. This wasn't a requirement when building the MVC application. I tried specifying the ADFS 2.0 federation metadata url but it gives me an error when running the application. Would it be possible for me to use ADFS 2.0 and build a web api service using Visual Studio 2013?
Here's how I've done it in the past. I'm open to constructive criticism if someone has a better idea.
First, add the following NuGet package to your WebAPI project:
ValidatingIssuerNameRegistry
Next, comment out the body of the ConfigureAuth method in /App_Start/Startup.Auth.cs
public void ConfigureAuth(IAppBuilder app)
{
    ////app.UseActiveDirectoryFederationServicesBearerAuthentication(
    ////    new ActiveDirectoryFederationServicesBearerAuthenticationOptions
    ////    {
    ////        Audience = ConfigurationManager.AppSettings["ida:Audience"],
    ////        MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"]
    ////    });
}
Next, add the following configuration sections to the top of your web.config:
<configuration>
  <configSections>
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services"
             type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <!-- The rest of your config goes here -->
</configuration>
Then, add the following application configuration values (you may also want to remove any existing entries with keys that start with "ida:"):
<appSettings>
  <add key="ida:FederationMetadataLocation" value="https://adfs.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml" />
  <add key="ida:Issuer" value="https://adfs.yourdomain.com/adfs/ls/" />
  <add key="ida:ProviderSelection" value="productionSTS" />
</appSettings>
Then, add the following system.web values:
<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
  <authentication mode="None" />
</system.web>
Finally, add the following to the end of your configuration file:
<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="https://localhost:44444/" />
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://adfs.yourdomain.com/adfs/services/trust">
        <keys>
          <add thumbprint="1234567890123456789012345678901234567890" />
        </keys>
        <validIssuers>
          <add name="http://adfs.yourdomain.com/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
    <!-- if chain trust doesn't work, look at the other options for this value -->
    <certificateValidation certificateValidationMode="ChainTrust" />
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" />
    <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.yourdomain.com/adfs/ls/" realm="https://localhost:44444/" requireHttps="true" />
  </federationConfiguration>
</system.identityModel.services>
There are a few placeholder values above, such as http://localhost:44444/ and adfs.yourdomain.com, for which you'll need to provide values appropriate for your organization.
Hope this helps.
Update:
I forgot the modules:
<system.webServer>
  <modules>
    <remove name="FormsAuthentication" />
    <remove name="WebDavModule" />
    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  </modules>
</system.webServer>
You'll probably need to add references to System.IdentityModel and System.IdentityModel.Services to your project.
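The thumbprint, authority name, valid issuer and wsFederation issuer in the answer's config all come from the ADFS federation metadata document named in ida:FederationMetadataLocation. The following is an added example, not code from the answer above, that derives those values from that document and emits the issuerNameRegistry element; it uses C# 5 syntax so it builds in Visual Studio 2013, and the embedded metadata is a constructed, trimmed sample whose X509Certificate content is a placeholder byte string rather than a real certificate.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Xml.Linq;

public static class FederationMetadataReader
{
    static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";
    static readonly XNamespace Fed = "http://docs.oasis-open.org/wsfed/federation/200706";
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";
    static readonly XNamespace Wsa = "http://www.w3.org/2005/08/addressing";

    // Constructed, trimmed stand-in for FederationMetadata.xml; the X509Certificate
    // value is a placeholder byte string, not a real certificate.
    public const string SampleMetadata = @"<EntityDescriptor xmlns='urn:oasis:names:tc:SAML:2.0:metadata' entityID='http://adfs.yourdomain.com/adfs/services/trust'>
  <RoleDescriptor xmlns:fed='http://docs.oasis-open.org/wsfed/federation/200706' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:type='fed:SecurityTokenServiceType'>
    <KeyDescriptor use='signing'><KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'><X509Data>
      <X509Certificate>AAECAwQFBgcICQ==</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint><EndpointReference xmlns='http://www.w3.org/2005/08/addressing'>
      <Address>https://adfs.yourdomain.com/adfs/ls/</Address></EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor></EntityDescriptor>";

    // X509Certificate2.Thumbprint is the SHA-1 of the DER bytes as uppercase hex without
    // separators, which is exactly what <add thumbprint="..."/> must contain.
    public static string Thumbprint(string base64Der)
    {
        using (var sha1 = SHA1.Create())
            return BitConverter.ToString(sha1.ComputeHash(Convert.FromBase64String(base64Der.Trim()))).Replace("-", "");
    }

    // <issuerNameRegistry> for web.config: entityID is both the authority name and the valid
    // issuer; each use='signing' cert becomes an <add thumbprint=...> (Distinct because ADFS
    // lists the same token-signing cert under more than one role).
    public static XElement BuildIssuerNameRegistry(string metadataXml)
    {
        var root = XDocument.Parse(metadataXml).Root;
        var entityId = (string)root.Attribute("entityID");
        var thumbprints = root.Descendants(Md + "KeyDescriptor").Where(k => (string)k.Attribute("use") == "signing")
            .Descendants(Ds + "X509Certificate").Select(c => Thumbprint(c.Value)).Distinct();
        return new XElement("issuerNameRegistry",
            new XAttribute("type", "System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"),
            new XElement("authority", new XAttribute("name", entityId),
                new XElement("keys", thumbprints.Select(t => new XElement("add", new XAttribute("thumbprint", t)))),
                new XElement("validIssuers", new XElement("add", new XAttribute("name", entityId)))));
    }

    // ida:Issuer and <wsFederation issuer="..."> take the passive (WS-Federation) endpoint address.
    public static string PassiveEndpoint(string metadataXml)
    {
        return XDocument.Parse(metadataXml).Descendants(Fed + "PassiveRequestorEndpoint")
            .Descendants(Wsa + "Address").First().Value.Trim();
    }
}
```

Running BuildIssuerNameRegistry and PassiveEndpoint against a download of your real FederationMetadata.xml gives the values to paste in place of the placeholders in the answer; a thumbprint that was copied from the certificate MMC instead can carry hidden characters that make ValidatingIssuerNameRegistry reject every token.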