We need a middleware service, ADFS, to authenticate users from ASP.NET applications against on-premises AD. You first need to install both AD and ADFS on your server; both are services that come under the Windows Server optional features. The application used here is a normal ASP.NET application.
The AD service should have the bare minimum configured as mentioned below.
It should have a valid domain in Active Directory, like the sample domain below.
Valid AD Users
Configure Windows ADFS Service
This service should have the bare minimum configured as mentioned below.
Configure Basic ADFS Properties
We configured the basic ADFS properties below for our application. The Federation Service display name is shown on the common ADFS login page. The Federation Service name is used by the application to retrieve the ADFS metadata. The Federation Service identifier uniquely identifies your ADFS service.
Configure ADFS Certificate
The service certificate should be purchased from a proper certificate authority and should be added under Trusted Root Certification Authorities.
Configure Relying Party Trusts
This is where you register your client application's identity under Relying Party Trusts. Our application launches with the URL https://localhost:44360, which is what we registered as the Relying Party Trust.
Configure Claim Issuance Policy
Here, we configure the AD LDAP rules, which define the mapping from LDAP attributes to the ADFS claim properties that client applications receive. We configured the LDAP attributes shown below for the application.
Test ADFS Locally in Server
Here, you should test ADFS by opening https://adfsvm.scg.test.com/adfs/ls/idpinitiatedSignOn.aspx, a URL that is configured automatically after ADFS installation. If all is good, you should get a page like the one below to test the ADFS login.
Below, I am trying to log in using the account I created in AD, i.e. [email protected].
Notice that the screen below says that I have logged in. Now, you are ready to use your ADFS service.
NB: On Windows Server 2016, the testing page mentioned above is not enabled by default, so you must run the PowerShell commands below to enable it before trying to open the page.

```powershell
# Check the current setting (False by default on Windows Server 2016)
Get-AdfsProperties | Select-Object EnableIdpInitiatedSignonPage
# Enable the IdP-initiated sign-on page
Set-AdfsProperties -EnableIdpInitiatedSignonPage $True
```
Client Application Consume ADFS Service
Now, you use a client application and connect to the above-mentioned ADFS remotely. You will run your application on a remote machine.
Locate ADFS Metadata
This is an XML reference; you can see it in the ADFS "Endpoints" tab at the location shown below.
You need to prefix this XML path with your official ADFS name. So, for our application, we used the URL https://<<ADFS name>>/FederationMetadata/2007-06/FederationMetadata.xml
You should be able to download the above file locally using a browser, to make sure that your connection to ADFS will succeed.
Create a Client Application
Create a normal ASP.NET application and during project template selection, change the authentication like below.
Inside "App_Start\Startup.Auth.cs", you can see that the configuration code has been added automatically, like below.
This code redirects the application to the ADFS service and prompts its login page if the user is not already logged in.
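As an added illustration (not the article's own generated file), this is the shape of the OWIN WS-Federation wiring that the ASP.NET template places in App_Start\Startup.Auth.cs, with the audience check made explicit. It assumes the Katana 3.x Microsoft.Owin.Security.WsFederation package and the Web.config appSettings keys ida:Wtrealm and ida:ADFSMetadata, which are conventions of that template.

```csharp
// Added example, not the original article's code. Assumes the Katana 3.x
// WS-Federation middleware and two appSettings keys in Web.config:
//   ida:Wtrealm      - the relying party identifier registered in ADFS
//                      (the article uses https://localhost:44360)
//   ida:ADFSMetadata - https://<<ADFS name>>/FederationMetadata/2007-06/FederationMetadata.xml
using System.Configuration;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

namespace AdfsClientSample
{
    public partial class Startup
    {
        // Must match the Relying Party Trust identifier exactly; ADFS puts
        // this value in the token's audience, and the middleware checks it.
        private static readonly string Realm =
            ConfigurationManager.AppSettings["ida:Wtrealm"];

        // The middleware downloads the ADFS token-signing certificate from
        // this metadata document, so it must be reachable over HTTPS.
        private static readonly string AdfsMetadata =
            ConfigurationManager.AppSettings["ida:ADFSMetadata"];

        public void ConfigureAuth(IAppBuilder app)
        {
            // The local session cookie issued after a successful federated sign-in.
            app.SetDefaultSignInAsAuthenticationType(
                CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            // Unauthenticated requests are redirected to the ADFS login page;
            // the returned SAML token is validated against the metadata.
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Realm,
                MetadataAddress = AdfsMetadata,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens that ADFS issued for a different relying party.
                    ValidateAudience = true,
                    ValidAudience = Realm
                }
            });
        }
    }
}
```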
Run Client Application
Now, run your application and make sure that it loads with the same URL that we configured in ADFS.
The application should automatically redirect to the ADFS login page. We skipped a browser security warning in the application, as our certificate is a free sample certificate.
Now, you should see the same login page that we tested inside the server. Enter the user ID and password configured in the AD service, i.e.
[email protected] and click the "Sign in" button.
You should be authenticated remotely in ADFS and automatically redirected from the ADFS login URL back to the application URL, like the application page below.
You can also read the returned ADFS claims, which carry the details you configured in the ADFS claim rules. Below are the details returned for the application, in the form of multiple key-value pairs, where each key is a URI. For the application, as you can see below, we got values for the following keys.
- nameidentifier
- emailaddress
- name
- CommonName
- Authenticationmethod
- authenticationinstant
We have the following code inside Home\ShowClaims.cshtml to read the claim details.

```cshtml
@* The controller passes the authenticated user's claims to this view *@
@model IEnumerable<System.Security.Claims.Claim>
<dl>
    @foreach (var claim in Model)
    {
        @* Claim type is the URI key; the value is the mapped LDAP attribute *@
        <dt>@claim.Type</dt>
        <dd>@claim.Value</dd>
    }
</dl>
```

We used the System.Security.Claims.Claim collection and then displayed each claim's Type and Value.
I attached the source code here for reference purposes. It won't run until you replace the ADFS settings with your own and use your own certificate.