
Login as different user using ADFS Authentication

I am new to using ADFS in a web application and need some help.

I have created a simple mvc web application and seem to have ADFS working (when I access the website it authenticates via the adfs server and redirects to my site). Now one of the features I want is for admins to be able to impersonate a user, on my site only so that they can see the site as if they were the impersonated user. If I login as John Smith, for example, then my HttpContext.Current.User is John Smith. I was able to do this on my old site quite easily because I could just set the auth cookie.

So the question is: is there a way to do this?

Some code that may help you understand my setup:

Startup.Auth.cs

using System.Configuration;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    // Relying-party identifier registered in ADFS and the federation metadata URL
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)
    {
        // Identities produced by the WS-Fed middleware are persisted by the cookie middleware
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // Validates the signed ADFS token and turns its claims into the ClaimsPrincipal
        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = adfsMetadata
            });
    }
}

Any help would be appreciated.

You can't really do that. When ADFS authenticates a user it generates a signed token which is sent back to your web application. The WsFederationAuthentication middleware receives this token, validates it and creates a claims principal from it.

Your cookie middleware serializes the claims principal into a cookie that travels back and forth between the browser and the application.

To make what you want work, you would need to have ADFS issue a token for someone else. Without their credentials, that will not work.

Typically, you have your application change its look and feel based on what role a user is in. You can have ADFS do a role lookup against a SQL store and have it issue different role claims for a user. That would allow you to experience the application the same way as someone else in the same role.
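To make the answer's point concrete, here is an added example (not code from the question or the answer) that mimics what the middleware hands the application: a ClaimsPrincipal whose claims come from the validated token, with the issuer recorded on each claim. The application only reads these claims; it selects the view by role rather than swapping identities. The UPN, roles and issuer URI are constructed sample values, and the authentication type string "Federation" is assumed to match WsFederationAuthenticationDefaults.AuthenticationType.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public static class RoleBasedView
{
    // Constructed issuer for the sample; a real one is the ADFS federation service identifier.
    public const string SampleIssuer = "http://adfs.contoso.example/adfs/services/trust";

    // Builds a principal shaped like the one the WS-Fed middleware creates after
    // validating the token. Every claim carries the STS issuer, which is what
    // distinguishes it from a claim the application could have made up locally.
    public static ClaimsPrincipal SamplePrincipal()
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Upn,  "john.smith@contoso.example", ClaimValueTypes.String, SampleIssuer),
            new Claim(ClaimTypes.Name, "John Smith",                 ClaimValueTypes.String, SampleIssuer),
            new Claim(ClaimTypes.Role, "HelpDesk",                   ClaimValueTypes.String, SampleIssuer),
            new Claim(ClaimTypes.Role, "Admin",                      ClaimValueTypes.String, SampleIssuer),
        };
        // "Federation" is assumed to equal WsFederationAuthenticationDefaults.AuthenticationType
        var identity = new ClaimsIdentity(claims, "Federation", ClaimTypes.Name, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    // The answer's suggestion: vary the experience by role claim, not by identity.
    public static string SelectView(ClaimsPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated) return "Anonymous";
        if (user.IsInRole("Admin"))    return "AdminDashboard";
        if (user.IsInRole("HelpDesk")) return "HelpDeskQueue";
        return "UserHome";
    }

    // Defensive check: role decisions should rest only on claims the expected STS issued.
    public static bool AllClaimsIssuedBy(ClaimsPrincipal user, string expectedIssuer)
    {
        return user.Claims.Any() && user.Claims.All(c => c.Issuer == expectedIssuer);
    }

    public static void Main()
    {
        var user = SamplePrincipal();
        Console.WriteLine("Issued by expected STS: " + AllClaimsIssuedBy(user, SampleIssuer)); // True
        Console.WriteLine("View for " + user.Identity.Name + ": " + SelectView(user));           // AdminDashboard

        // A claim added locally has issuer "LOCAL AUTHORITY", so the issuer check fails for it.
        var forged = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Role, "Admin") }, "Federation"));
        Console.WriteLine("Forged principal passes issuer check: " + AllClaimsIssuedBy(forged, SampleIssuer)); // False
    }
}
```

The issuer check is the application-side counterpart of the signature validation the middleware performs: a role the application did not receive from ADFS should never unlock a different user's view.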

Here's how I login as a different user when using ADFS:

With ADFS 2.0 on Windows, you can configure your ADFS server to use different authentication methods by changing the order of the local authentication types in the web.config file under the c:\windows\inetpub\adfs\ls directory.

Method 1: When ADFS is authenticating using Windows Authentication

Open the browser using different credentials by holding SHIFT and right-clicking the browser link. Then access your app and you will be logged in with whatever creds the browser is running under.

or

Log out and/or switch user on their workstation.

Method 2: Change the ADFS server to use Forms based Authentication. Log out of the application.

Sign out of the ADFS server as well by going to the following link:

https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0

Then, go back to the application and log in.
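The sign-out step above can be done from the application itself rather than by visiting the ADFS link by hand. The following is an added example (not the answerer's code, not part of the question's project) of an MVC action for the OWIN setup shown in the question; the controller and action names are assumed. Signing out of only the cookie middleware leaves the ADFS session alive, so the next protected request would silently log the same user back in; passing both authentication types drops the local cookie and has the WS-Fed middleware redirect the browser to the /adfs/ls/?wa=wsignout1.0 endpoint.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;

// Hypothetical controller name; place it in the same MVC project as Startup.Auth.cs
public class AccountController : Controller
{
    // POST only, with an anti-forgery token, so a cross-site GET cannot log users out
    [HttpPost]
    [ValidateAntiForgeryToken]
    public void SignOut()
    {
        // Order matters for readability only: the cookie middleware clears the local
        // session cookie, and the WS-Fed middleware writes the redirect to ADFS's
        // wsignout1.0 endpoint so the federated session ends as well.
        HttpContext.GetOwinContext().Authentication.SignOut(
            WsFederationAuthenticationDefaults.AuthenticationType,
            CookieAuthenticationDefaults.AuthenticationType);
        // No result is returned: the WS-Fed middleware issues the redirect response.
    }

    // Convenience action for the "then go back to the application and log in" step:
    // an anonymous request to a protected action triggers the WS-Fed challenge.
    [Authorize]
    public ActionResult SignIn()
    {
        return RedirectToAction("Index", "Home");
    }
}
```

After ADFS completes the sign-out it returns the browser to the Wreply address configured on WsFederationAuthenticationOptions (or the realm when none is set), and the next sign-in will prompt for credentials under forms authentication.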
