Monday, March 16, 2015

Setting up an ASP.NET MVC or ASP.NET Web API application with ADFS

With previous releases of Visual Studio, it was relatively difficult to set up integration with ADFS; it required an intricate knowledge of Windows Identity Foundation, claims-based identity, WCF, SAML authorization tokens, and so on.

Fortunately, with the release of Visual Studio 2013, it is a relatively simple process to set up your application to authenticate against ADFS (presumably ADFS v. 2.0).

Here are some articles from Vittorio Bertocci (one of the primary developers on the original Windows Identity Foundation project) on how to set this up readily in Visual Studio 2013 with either ASP.NET MVC or ASP.NET Web API:

http://www.cloudidentity.com/blog/2013/10/25/securing-a-web-api-with-adfs-on-ws2012-r2-got-even-easier/

http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/

http://www.cloudidentity.com/blog/2013/07/30/securing-a-web-api-with-windows-server-2012-r2-adfs-and-katana/

As you read through these articles, however, you will find some missing and unclear points about how to set up your Visual Studio project. For example, the FederationMetadata.xml endpoint is a value that you would normally get from your administrator, but what if you set up ADFS yourself?

Well, the default endpoint will always be in the following format:

https://<servername>/federationmetadata/2007-06/federationmetadata.xml

Therefore, if you set up your own ADFS instance, this will always be the endpoint (substitute your own ADFS server name).

Finally, how do you manage testing the "Logout" functionality?

Well, as it turns out, there is no "Logout" functionality in the ASP.NET MVC application when you set it up with ADFS Authentication!!!

Instead, you have to provide this functionality yourself by creating a hyperlink within the ASP.NET MVC application which directs the browser to this URL: https://<servername>/adfs/ls/?wa=wsignout1.0

Alternatively, you can simply delete the ADFS cookie from your browser.
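As an added example (not code from the original post or from Bertocci's articles), here is an ASP.NET MVC sign-out action built on the WIF `System.IdentityModel.Services` API that does both of the things described above: it deletes the application's own session cookie and then redirects the browser to the ADFS `wa=wsignout1.0` endpoint, so the ADFS single sign-on session is ended as well rather than just the local one. It goes slightly beyond the post by adding a `wreply` parameter (a standard WS-Federation parameter) so ADFS returns the user to the application afterwards; the server name, controller and action names are assumptions.

```csharp
using System;
using System.IdentityModel.Services;
using System.Web.Mvc;

// Added example: sign-out for an ASP.NET MVC application federated with ADFS over WS-Federation.
// Assumes the WIF modules (WSFederationAuthenticationModule and SessionAuthenticationModule)
// are registered in web.config, as the Visual Studio 2013 "Organizational Accounts" template does.
public class AccountController : Controller
{
    // ADFS passive sign-out endpoint; "adfs.example.com" is a placeholder for your own ADFS server name.
    private const string AdfsSignOutUrl = "https://adfs.example.com/adfs/ls/?wa=wsignout1.0";

    public ActionResult SignOut()
    {
        // 1. End the relying party's own session by clearing the session token and its FedAuth cookie.
        //    Doing only this (deleting the cookie, as the post suggests) ends the local session but
        //    leaves the ADFS SSO session alive, so the next request would silently sign the user back in.
        var sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam != null)
        {
            sam.SignOut();
        }

        // 2. Send the browser to ADFS so the ADFS session cookie is cleared too. wreply must be an
        //    absolute URL; ADFS only returns to it if it is acceptable for the relying party trust.
        string replyUrl = Url.Action("SignedOut", "Account", null, Request.Url.Scheme);
        string signOutUrl = AdfsSignOutUrl + "&wreply=" + Uri.EscapeDataString(replyUrl);
        return Redirect(signOutUrl);
    }

    [AllowAnonymous]
    public ActionResult SignedOut()
    {
        // Landing page shown after ADFS has finished the sign-out; it must not render any
        // user-specific content, because the user is anonymous by the time it is reached.
        return View();
    }
}
```

To test the flow, sign in, call `/Account/SignOut`, and then request a protected page: you should be sent back to the ADFS sign-in screen instead of being signed in silently.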

In addition, if you want to add support for ADFS with your ASP.NET Web API application, you will encounter the following notification:

Therefore, if your ADFS infrastructure runs on anything older than Windows Server 2012 R2, the integration between ADFS and Web API will NOT WORK!

When attempting to authenticate your ASP.NET Web API application with an older version of ADFS, you may get the following error message:

"An error occurred while sending the request"

If you have secured your ASP.NET MVC web application correctly, then when you attempt to access it, you will see a screen similar to the following:

If you have set up your ASP.NET Web API application correctly, then when you attempt to access the Web API route directly, you will get an error message like this:
