asp.net-mvc, visual-studio-2013, web-config, adfs

Issue: creating AD FS claims aware application in Visual Studio 2013


I am new to trying to use AD FS and I have been running in circles.

  1. Trying to make a claims aware application
  2. The organization handles its own authentication

I have gotten my test application to verify authentication but it seems wrong.

  1. Create new application in Visual Studio
  2. Choose Web -> Visual Studio
  3. Choose .Net Framework 4.5
  4. Select ASP.Net MVC 4 Web Application
  5. Add Reference to System.Identity
  6. Add Reference to System.Identity.Services
  7. Edit my web.Config file
  8. In the configSections section, add the following
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  9. Then add
<appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    <add key="ida:FederationMetadataLocation" value="https://fedtest.xxxxxxxx.com/FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="ida:Realm" value="https://myappNameHere.xxxxxx.com" />
    <add key="ida:AudienceUri" value="http://myappNameHere.xxxxxxx.com" />
    <add key="loginUrl" value="~/Home" />
  </appSettings>
  10. Then add
     <location path="Home">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
      </location>
        <location path="Logout.html">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
  11. Then add
    <system.web>
        <compilation debug="true" targetFramework="4.5" />
        <httpRuntime targetFramework="4.5" />
        <authorization>
          <deny users="?" />
        </authorization>
        <authentication mode="None" />
    </system.web>
  12. Then add
    <system.identityModel>
        <identityConfiguration>
            <audienceUris>
                <add value="http://myappName.xxxxxx.com/" />
            </audienceUris>

          <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="http://fedtest.xxxxxxx.com/adfs/services/trust">
              <keys>
                <add thumbprint="12345567890asdasfsdgdfhdfgjdf123124" />
              </keys>
              <validIssuers>
                <add name="http://fedtest.xxxxxxxx.com/adfs/services/trust" />
              </validIssuers>
            </authority>
          </issuerNameRegistry>
          <securityTokenHandlers>
            <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          </securityTokenHandlers>
    
            <certificateValidation certificateValidationMode="None" />
        </identityConfiguration>
    </system.identityModel>
    <system.identityModel.services>
        <federationConfiguration>
            <cookieHandler requireSsl="true" />
            <wsFederation passiveRedirectEnabled="true"
                          issuer="https://fedtest.xxxxxxxxx.com/adfs/ls/"
                          realm="https://myappName.xxxxxxxx.com/"
                          reply="https://myappName.xxxxxxxxx.com/" 
                          requireHttps="true" />
        </federationConfiguration>
    </system.identityModel.services>

Why do I think all this is wrong? Well, I got all those lines of web.config from the following steps...

  1. Go back to step 5 and do the following
  2. Under Template click Web
  3. Choose the only option --- ASP.NET Web Application
  4. Wizard comes up and click the 'change Authentication'
  5. Choose Organizational accounts
  6. change drop down to 'On Premises'
  7. fill out 'On-Premises Authority'
  8. Fill out 'App ID URI'
  9. Look at web.config

But using the application that those steps produce will create a redirect loop that I have never been able to troubleshoot.

So -- suggestions on what I am doing wrong. It can't be considered right to generate the web.config in a standard way and paste it into a previous version to get it to work.


Solution

  • Okay -- what the answer ended up being...

    1) I started down this route because I kept getting a redirect loop that I thought was caused by the web.config.

    It wasn't the web.config.

    2) So create the application as you are supposed to in VS 13 -- namely go to C# -> Web -> and then click the ASP.NET Web Application and set up the on-premises authentication

    3) My redirect loop was caused by multiple LDAP claims bundled together coming from AD FS

    4) Sent my claims one rule at a time and it worked like magic.

    If anyone can shed light as to why this should be true I am curious.
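One thing worth checking when a claims-heavy AD FS token produces a redirect loop is the size of the session cookie: in the default configuration WIF serialises the whole SessionSecurityToken, claims included, into the FedAuth cookie(s), and a token that carries many LDAP claims can exceed what the browser will store, so the app never sees a valid session and bounces back to AD FS. The following Global.asax.cs is an added example, not code from the question or the answer above. It assumes the web.config that the VS 2013 "Organizational accounts / On-Premises" template generates (which registers the WIF modules under the names WSFederationAuthenticationModule and SessionAuthenticationModule, so ASP.NET auto-wires a Global.asax handler named SessionAuthenticationModule_SessionSecurityTokenCreated), a hypothetical namespace MyApp, and the template's RouteConfig class. It switches the session module to reference mode, so the cookie only carries a key into the server-side token cache, and traces the claim count on every sign-in so an oversized claim set shows up in the trace log rather than only as a loop.

```csharp
// Global.asax.cs (added example; assumes the VS 2013 On-Premises MVC template's web.config)
using System;
using System.Diagnostics;
using System.IdentityModel.Services;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

namespace MyApp // hypothetical namespace
{
    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            RouteConfig.RegisterRoutes(RouteTable.Routes); // RouteConfig comes from the MVC template

            // Runs once, when WIF first turns <system.identityModel> into a
            // FederationConfiguration. Reference mode keeps the SessionSecurityToken in the
            // server-side SessionSecurityTokenCache and writes only a short key into the
            // FedAuth cookie, so a token with many LDAP claims no longer has to fit within
            // the browser's per-cookie and per-domain limits.
            FederatedAuthentication.FederationConfigurationCreated += (sender, e) =>
            {
                FederatedAuthentication.SessionAuthenticationModule.IsReferenceMode = true;
            };
        }

        // Auto-wired by name: fires after AD FS posts the token back and WIF has built the
        // session token, i.e. on every successful sign-in. Trace the claim count and the
        // largest claim so an unexpectedly large claim set is visible in the trace output.
        protected void SessionAuthenticationModule_SessionSecurityTokenCreated(
            object sender, SessionSecurityTokenCreatedEventArgs e)
        {
            var claims = e.SessionToken.ClaimsPrincipal.Claims.ToList();
            var largest = claims.OrderByDescending(c => c.Value.Length).FirstOrDefault();

            Trace.TraceInformation(
                "Session token created (issuer {0}): {1} claims; largest claim {2} is {3} chars",
                claims.Select(c => c.Issuer).FirstOrDefault() ?? "(unknown)",
                claims.Count,
                largest != null ? largest.Type : "(none)",
                largest != null ? largest.Value.Length : 0);
        }
    }
}
```

Reference mode uses an in-memory cache by default, which is fine on a single server but means a web farm needs a shared SessionSecurityTokenCache implementation; the trace line is the quick way to confirm whether the claim set, rather than the web.config, is what changed between the working and looping configurations.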