
ADFS + IdentityServer3 + Mobile + MVC

I am building a prototype with the following context.

  • Two client applications (MVC & Mobile)
  • IdentityServer3 as a relying party
  • ADFS 3.0 as an identity provider
  • IdentityServer3.WsFederation plugin to provide SAML support

The MVC side is complete, but I am not sure how to approach the mobile side.

My previous attempt used a Web API and ADFS's "adfs/services/trust/13/usernamemixed" endpoint. This allowed the mobile device to send credentials to the API, which then authenticated the user using ADFS's endpoint. It then returned a JWT token to the mobile app.

We must receive SAML tokens from the Idp (could be ADFS or a different Idp), but our apps are agnostic about the type of token.

I have two questions.

  1. IdentityServer3 doesn't support WS-Trust using the above endpoint (as far as I know), so what is the correct approach to this scenario for a mobile device login?
  2. Is the WsFederation plugin needed, since IdentityServer3 might handle converting the SAML token to a JWT for the client apps?

First thing, I wouldn't recommend SAML for mobile devices (especially native apps), as SAML assumes clients are browsers. In mobile apps, it opens a browser to authenticate, which is not the best approach, I feel. I would suggest using OpenID/OAuth for mobile devices.

An IdP can support multiple sign-in protocols such as WS-Fed, SAML 2.0 or OAuth. It is up to the client to use the relevant protocol.

Coming to WS-Fed with IdentityServer3, there is an OWIN middleware which helps in achieving it.

    using Microsoft.Owin.Security.WsFederation;
    using Owin;

    // IdentityServer3 invokes this callback (AuthenticationOptions.IdentityProviders)
    // and passes the sign-in type that external providers must sign in as.
    public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = "https://localhost:44309/core",   // identityserver3: the RP identifier registered in ADFS
                Wreply = "replyaddress",                    // address ADFS posts the token back to
                MetadataAddress = "https://localhost/federationmetadata.xml", // ADFS federation metadata
                AuthenticationType = "adfs",                // name IdentityServer3 uses for this provider
                Caption = "ADFS",                           // label shown on the login page
                SignInAsAuthenticationType = signInAsType   // was "sometype"; must match what IdentityServer3 passes in
            });
    }

The above code takes you to the ADFS login screen. After successful authentication you will be redirected back to the Wreply address mentioned above. It returns a SAML 1.1 response; you need to parse it and use it.
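As an added example (not code from the question or the answer above), here is how the WS-Federation middleware fits into a complete IdentityServer3 startup: ADFS is registered as the only external identity provider, local login is disabled so every user is sent to ADFS, and the two clients from the question are registered so that IdentityServer3 hands them its own JWTs regardless of the token format ADFS issued. The hostnames, client ids, redirect URIs, secrets, certificate path and ADFS metadata URL are assumptions. The mobile client uses Flows.AuthorizationCodeWithProofKey (PKCE), which assumes an IdentityServer3 release that supports it; on older releases Flows.Hybrid is the closest substitute.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using Microsoft.Owin.Security.WsFederation;
using Owin;

// Example wiring of IdentityServer3 as the relying party in front of ADFS.
// All URLs, ids, secrets and the certificate path are assumed values.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var factory = new IdentityServerServiceFactory()
            .UseInMemoryClients(GetClients())
            .UseInMemoryScopes(StandardScopes.All)
            // No local accounts: the in-memory user service only provisions
            // users that arrive from the external provider.
            .UseInMemoryUsers(new List<InMemoryUser>());

        var options = new IdentityServerOptions
        {
            SiteName = "Prototype IdentityServer",
            // Key used to sign the JWTs issued to the clients (assumed path/password).
            SigningCertificate = new X509Certificate2("idsrv-signing.pfx", "changeit"),
            Factory = factory,
            AuthenticationOptions = new AuthenticationOptions
            {
                EnableLocalLogin = false,            // forces every login through ADFS
                IdentityProviders = ConfigureIdentityProviders
            }
        };

        // Same path as the Wtrealm used in the answer.
        app.Map("/core", core => core.UseIdentityServer(options));
    }

    // ADFS registered as an external WS-Federation provider.
    private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            AuthenticationType = "adfs",
            Caption = "ADFS",
            SignInAsAuthenticationType = signInAsType,
            Wtrealm = "https://localhost:44309/core",   // RP identifier configured in ADFS (assumed)
            // Assumed ADFS metadata URL; the middleware loads signing keys from it.
            MetadataAddress = "https://adfs.example.local/FederationMetadata/2007-06/FederationMetadata.xml"
        });
    }

    private static IEnumerable<Client> GetClients()
    {
        return new[]
        {
            // Server-side MVC app: hybrid flow, secret kept on the server.
            new Client
            {
                ClientId = "mvc",
                ClientName = "MVC client",
                Flow = Flows.Hybrid,
                ClientSecrets = new List<Secret> { new Secret("mvc-secret".Sha256()) },
                RedirectUris = new List<string> { "https://localhost:44310/" },
                AllowedScopes = new List<string> { "openid", "profile" }
            },
            // Native mobile app: opens the system browser at IdentityServer3 and gets the
            // code back on a custom scheme. IdentityServer3 still expects a secret at the
            // token endpoint, but a secret compiled into an app is not confidential; the
            // PKCE proof key is what actually binds the code to the app instance.
            new Client
            {
                ClientId = "mobile",
                ClientName = "Mobile client",
                Flow = Flows.AuthorizationCodeWithProofKey,
                ClientSecrets = new List<Secret> { new Secret("mobile-public-secret".Sha256()) },
                RequireConsent = false,
                RedirectUris = new List<string> { "myapp://callback" },
                AllowedScopes = new List<string> { "openid", "profile" }
            }
        };
    }
}
```

With this layout the apps never see the SAML assertion: ADFS posts it to IdentityServer3, the WS-Federation middleware validates it against the keys in the federation metadata, and the clients only ever receive IdentityServer3's own tokens, which is what makes them agnostic to the upstream token type.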
