WS-Federation with ADFS

  • Question

  • User-814694070 posted

    I have used Microsoft.AspNetCore.Authentication.WsFederation in ASP.NET Core. The sign-on page appears, however "User.Identity.IsAuthenticated" is always false even after signing in with ADFS. Here are the steps:

    1. Created an ASP.NET Core MVC web application.
    2. Configured the wtrealm in ADFS.
    3. Referenced the Microsoft.AspNetCore.Authentication.WsFederation library in the project.
    4. Created an Account controller with Login and Logout actions, where the Login action challenges for sign-in:

          return Challenge(
              new AuthenticationProperties { RedirectUri = redirectUrl },
              WsFederationDefaults.AuthenticationScheme);

    5. Startup code below:

      public void ConfigureServices(IServiceCollection services)
      {
          services.AddAuthentication(sharedOptions =>
          {
              // Cookies carry the session; WS-Federation is only used to challenge.
              sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
              sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
              sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
          })
          .AddWsFederation(options =>
          {
              // this is where your AppID URI goes
              options.Wtrealm = "http://XYZ-DevLocal";
              options.MetadataAddress = "https://signon.XYZ.net/federationmetadata/2007-06/federationmetadata.xml";
          })
          .AddCookie();

          services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
      }

      // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
      public void Configure(IApplicationBuilder app, IHostingEnvironment env)
      {
          // UsePathBase must run before authentication and MVC, so that the
          // WS-Federation callback (/signin-wsfed) is matched with the prefix stripped.
          app.UsePathBase("/OneEnrollment");

          if (env.IsDevelopment())
          {
              app.UseDeveloperExceptionPage();
          }
          else
          {
              app.UseExceptionHandler("/Home/Error");
              app.UseHsts();
          }

          app.UseHttpsRedirection();
          app.UseStaticFiles();
          app.UseCookiePolicy();
          app.UseAuthentication();

          app.UseMvc(routes =>
          {
              routes.MapRoute(
                  name: "default",
                  template: "{controller=Home}/{action=Index}/{id?}");
              // template: "{controller=Account}/{action=Login}");
          });
      }

    Monday, November 5, 2018 11:46 AM

All replies

  • User1168443798 posted

    How did you check "User.Identity.IsAuthenticated"?

    Currently I have no environment to test with ADFS, but I made a test with Azure ADFS, and it works correctly when checking "User.Identity.IsAuthenticated" in the "redirectUrl" controller action block.

    Tuesday, November 6, 2018 9:12 AM
  • User-814694070 posted

    Hi,

    I have tried with AAD and configured the application in Azure Active Directory. In AAD the reply URL is set to http://localhost:9090/. When hitting Sign On with Authentication, it goes to "http://localhost:9090/signin-wsfed", which returns 404 Not Found.

    How did I check: in HomeController, Index method, I kept the code for "User.Identity.IsAuthenticated". The redirectUrl is set to http://localhost:9090/Home/Index.

    Thanks

    Friday, November 9, 2018 11:38 AM
  • User1168443798 posted

    >>When hitting Sign On with Authentication, its going to "http://localhost:9090/signin-wsfed" which it says 404 not found.

    It seems you have misconfigured "options.MetadataAddress".

    Check the link below for step by step.

    https://github.com/aspnet/Docs/blob/master/aspnetcore/security/authentication/ws-federation.md#azure-active-directory 

    Tuesday, November 13, 2018 8:09 AM
  • User-814694070 posted

    Hi Edward,

    I have made the sample work with Azure Active Directory, but with Active Directory I see issues. When browsing the URL, the sign-on page shows up; after that, with correct credentials provided, the browser is loaded with the URL https://localhost:9010/applicationname, which gives a 404 error. Here below are the details:

    1. Tested with a self-hosted Kestrel server for the application.
    2. We have a configuration in ADFS where the application reply URL is configured to be "https://localhost:9010/applicationame".
    3. The HTTPS port is set to 9010 ("ASPNETCORE_HTTPS_PORT": "9010").
    4. In Startup, UsePathBase is set as:

          app.UsePathBase("/applicationname").UseMvc(routes =>
          // app.UseMvc(routes =>
          {
              routes.MapRoute(
                  name: "default",
                  template: "{controller=Account}/{action=Login}/{id?}");
          });

    5. In the Account Login action method I kept the challenge code:

          public IActionResult Login(string returnUrl = null)
          {
              ViewData["ReturnUrl"] = returnUrl;
              var redirectUrl = "https://localhost:9010/applicationname/Home/Index";
              return Challenge(
                  new AuthenticationProperties { RedirectUri = redirectUrl },
                  WsFederationDefaults.AuthenticationScheme);
          }

    6. ConfigureServices is configured as:

          services.AddAuthentication(sharedOptions =>
          {
              sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
              sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
              sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
          })
          .AddWsFederation(options =>
          {
              options.Wtrealm = "Exact wtrealm URL configured in ADFS";
              options.MetadataAddress = "Metadata file of ADFS";
          })
          .AddCookie();

          services.Configure<CookiePolicyOptions>(options =>
          {
              // This lambda determines whether user consent for non-essential cookies is needed for a given request.
              options.CheckConsentNeeded = context => true;
              options.MinimumSameSitePolicy = SameSiteMode.None;
          });

    7. Able to browse the metadata XML to cross-check; the sign-on page also loads.

    I noticed in the Kestrel logs that Kestrel listens on "https://localhost:9010". Is that the issue, because it is not listening on https://localhost:9010/applicationame? If that is the case, what should be taken care of?

    Also, the same setup with ADFS works with an ASP.NET 4.5 application. The claim which needs to be configured in ADFS for .NET Core is also configured in ADFS.

    Friday, November 16, 2018 12:37 PM
  • User-814694070 posted

    Has anyone tried ASP.NET Core MVC with ADFS? I created an application name under the root folder. Please refer to the steps placed in detail in my earlier forum post. Any thoughts are much appreciated.

    Tuesday, November 20, 2018 4:53 AM
  • User-814694070 posted

    Has anyone found a way out? Any pointers?

    Tuesday, November 27, 2018 5:09 AM
  • User1779334324 posted

    Hello

    Did you find a way to solve your problem?

    Tuesday, February 25, 2020 6:30 PM
  • User753101303 posted

    Hi,

    This thread is one year old. It might be better to explain your issue in a new thread. Maybe check https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-3.1.

    You should have a callback that lets you get more details about a possible authentication error. Another point is to make sure the client-side redirect URL and the app URL registered on the ADFS side are an exact match.

    Tuesday, February 25, 2020 6:54 PM
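As an added example (not code from the thread, nor from the ASP.NET Core project), the configuration below puts together the points raised across the posts above: the path-base post of November 16, 2018, where the WS-Federation callback under "/applicationname" ended in a 404, and the closing reply about wiring a failure callback and matching the ADFS-registered URL exactly. UsePathBase is placed first so the WS-Federation handler compares its callback path with the prefix already stripped, wreply is pinned to the exact endpoint instead of being derived from the incoming request, and the handler's events log a rejected token or a missing correlation cookie instead of leaving the user on an unexplained redirect. The host https://localhost:9010, the path base /applicationname, the realm http://XYZ-DevLocal and the metadata URL are taken from the thread; the relying-party endpoint https://localhost:9010/applicationname/signin-wsfed registered in ADFS, and the Error action, are assumptions for this example.

```csharp
// Added example: ASP.NET Core 2.1 WS-Federation sign-in against ADFS for an app
// hosted under a path base. Host, port, path base and realm are assumptions.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    // The WS-Federation endpoint on the relying party trust in ADFS (assumed here)
    // must equal SiteRoot + CallbackPath character for character.
    private const string PathBase = "/applicationname";
    private const string SiteRoot = "https://localhost:9010" + PathBase;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
        .AddWsFederation(o =>
        {
            o.Wtrealm = "http://XYZ-DevLocal";   // relying party identifier in ADFS
            o.MetadataAddress = "https://signon.XYZ.net/federationmetadata/2007-06/federationmetadata.xml";
            o.RequireHttpsMetadata = true;       // never accept signing keys over plain HTTP
            o.CallbackPath = "/signin-wsfed";    // the default, stated so it can be matched against ADFS
            o.Wreply = SiteRoot + o.CallbackPath.Value; // pin wreply; do not derive it from the request
            o.Events = new WsFederationEvents
            {
                // Rejected token, unreachable metadata or missing correlation cookie:
                // log the reason and land on an error page instead of a bare redirect.
                OnRemoteFailure = ctx =>
                {
                    ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Startup>>()
                        .LogError(ctx.Failure, "WS-Federation sign-in failed");
                    ctx.Response.Redirect(PathBase + "/Home/Error");
                    ctx.HandleResponse();
                    return Task.CompletedTask;
                },
                // Runs after signature and audience checks, before the cookie is issued.
                OnSecurityTokenValidated = ctx =>
                {
                    ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Startup>>()
                        .LogInformation("ADFS issued a token for {Name}", ctx.Principal.Identity.Name);
                    return Task.CompletedTask;
                }
            };
        })
        .AddCookie(o => o.Cookie.SecurePolicy = CookieSecurePolicy.Always);

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // First: every later middleware, the WS-Federation handler included, then
        // compares Request.Path against /signin-wsfed with the prefix already stripped.
        app.UsePathBase(PathBase);
        if (env.IsDevelopment()) app.UseDeveloperExceptionPage();
        else { app.UseExceptionHandler("/Home/Error"); app.UseHsts(); }
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();
        app.UseAuthentication();   // before MVC so User is populated in controllers
        app.UseMvc(routes => routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}"));
    }
}

public class AccountController : Controller
{
    // Url.Content resolves "~" against Request.PathBase, so the return address keeps /applicationname.
    public IActionResult Login(string returnUrl = null)
        => Challenge(new AuthenticationProperties { RedirectUri = returnUrl ?? Url.Content("~/Home/Index") },
                     WsFederationDefaults.AuthenticationScheme);

    // Clears the local cookie and sends a wsignout1.0 request to ADFS.
    public IActionResult Logout()
        => SignOut(new AuthenticationProperties { RedirectUri = Url.Content("~/") },
                   CookieAuthenticationDefaults.AuthenticationScheme,
                   WsFederationDefaults.AuthenticationScheme);
}

public class HomeController : Controller
{
    // Lands here after sign-in; the cookie middleware has already rebuilt User.
    public IActionResult Index()
        => Content(User.Identity.IsAuthenticated ? "Signed in as " + User.Identity.Name : "Anonymous");

    public IActionResult Error() => Content("Sign-in failed; see the application log.");
}
```

Two checks worth doing with this in place: browse to https://localhost:9010/applicationname/Account/Login and confirm in the ADFS sign-in request that the wreply query parameter equals the endpoint registered on the relying party trust, and after sign-in confirm that the POST from ADFS targets /applicationname/signin-wsfed and is answered with a 302 to Home/Index rather than a 404. A 404 on the callback means the handler never saw the request, which is what happens when the path base is stripped after UseAuthentication has already run.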