send passive federation request to ADFS 2.0 for SAML 2.0 token

Question

Hi

I have a working ADFS machine. I want to construct a passive request that will generate a saml 2.0 token.

the following request:

https://adfstest.cld.sr/adfs/ls/?wa=wsignin1.0&wtrealm=https%3A%2F%2Flocalhost%2FPro%2FFederatedLogin.mvc&wauth=urn:oasis:names:tc:SAML:2.0:am:password

generates the error: "Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7040: None of the requested authentication types are supported by the server."

yet if I change the request to:

https://adfstest.cld.sr/adfs/ls/?wa=wsignin1.0&wtrealm=https%3A%2F%2Flocalhost%2FPro%2FFederatedLogin.mvc&wauth=urn:oasis:names:tc:SAML:1.0:am:password

It works but the token generated by ADFS is SAML 1.0.

What is the correct form to construct a request for passive federation with SAML 2.0  tokens?

Thanks

Manu

---

Manu

Answer 1

ADFS 2.0 will not send SAML2 tokens to WS-Fed RPs. It will always be a SAML1 Token.

It does (and should) use SAML2 Tokens with SAML2 protocol partners.

---

Paul Lemmers

Answer 2

Thanks Paul

The above url was not used in a WCF scenario (WS Federation) but in a simple asp.net passive web site.

Do you mean that passive federation always use SAML 1.1?

Manu

---

Manu

Answer 3

Yes.

To be as precise as I dare: ADFS 2.0 when using passive (WS-Federation 1.2, chapter 13) sends only 1.1 Tokens. There are all kind of historical reasons for that. If you really need 2.x Tokens, then you will have to use a Custom STS. Nothing against it, but why would you want to (just curious)?

---

Paul Lemmers

Answer 4

The reason that I want to do this is because we need to get an OAuth token from another STS.  That STS only supports SAML 2.0 tokens.  http://blogs.msdn.com/b/bradleycotier/archive/2012/10/28/saml-2-0-tokens-and-wif-bridging-the-divide.aspx.  This links seems to give some good details but I have not tried it out yet.