How to use a business identity provider (such as ADFS2)

I am running Win 7, IIS 7.0, VS2012. I created an ASP.NET MVC 4 web application. I have ADFS 2.0 on a separate VM.

Using the Identity and Access tools in VS 2012

I select "business identity provider (e.g. ADFS2)" and enter the URL of the STS metadata document:

https://server.local/federationmetadata/2007-06/federationmetadata.xml

Edited web.config:

    <system.web>
      ...
      <httpModules>
        ...
        <remove name="FormsAuthentication" />
      </httpModules>
    </system.web>

and this one:

    <system.webServer>
      ...
      <modules>
        ...
        <remove name="FormsAuthentication" />
      </modules>
    </system.webServer>

I also verified that Windows Authentication is disabled for the project.

The website redirects to a URL similar to this: http://localhost/WebSite/login.aspx?ReturnUrl=%2fWebSite%2f, which gives a "Resource not found" error.

What else do I need to do to get this to work?

The Microsoft documentation is lightweight: http://blogs.msdn.com/b/vbertocci/archive/2012/03/15/windows-identity-foundation-tools-for-visual-studio-11-part-iii-connecting-with-a-business-sts-eg-adfs2.aspx

I already had problems with the local development STS: MS Identity and Access Tool MVC 4 local development STS

+4
1 answer

Well, it took me a long time to figure it out, but these are the things that I did to get it to work. Much more needs to be done.

Prerequisites:

  • ADFS 2.0 is running somewhere in your domain.
  • IIS 7 with a self-signed certificate or certificate that you can use in your domain.
  • Visual Studio 2012 with the Identity and Access extension installed (version 1.0.2).
  • The MVC4 web application is configured to work in IIS.
  • Make sure that a self-signed certificate is added to the site so that you can access it through https.
  • You may need to configure the firewall settings for your computers to allow access to your ADFS 2.0 service.

On the development workstation

In the MVC4 project

  • Open the Identity and Access dialog box by right-clicking your web project.
  • Select "Use a business identity provider (for example, ADFS2)".
  • Enter the path to the STS metadata document, for example https://{PATH TO ADFS SERVER}/FederationMetadata/2007-06/FederationMetadata.xml
  • Enter a realm for your application, for example https://{web application URL}/
  • The trailing slash matters.
  • Close the dialog, accepting these changes.

Add the following code to your project:

    using System;
    using System.IdentityModel.Services;

    namespace NAMESPACE
    {
        public class FixedWsFederationAuthenticationModule : WSFederationAuthenticationModule
        {
            public override void RedirectToIdentityProvider(string uniqueId, string returnUrl, bool persist)
            {
                // This corrects WIF error ID3206 "A SignInResponse message may only redirect within the current web application:"
                // First check whether the request URL doesn't end with a "/"
                if (!returnUrl.EndsWith("/"))
                {
                    // Compare Request Url + "/" with the Realm, so only root access is corrected:
                    // https://localhost/AppName plus "/" equals https://localhost/AppName/
                    // This avoids touching MVC URLs
                    if (String.Compare(System.Web.HttpContext.Current.Request.Url.AbsoluteUri + "/", base.Realm, StringComparison.InvariantCultureIgnoreCase) == 0)
                    {
                        // Add the trailing slash
                        returnUrl += "/";
                    }
                }
                base.RedirectToIdentityProvider(uniqueId, returnUrl, persist);
            }
        }
    }

On the ADFS 2.0 server

  • If you used a self-signed certificate, browse to your web application at https://{web application URL}/ and add it to the Trusted Sites zone.
  • In the browser's address bar you can click the certificate and install it (certificates can only be installed from trusted sites). The certificate must be installed into Trusted Root Certification Authorities → Registry.
  • Open the ADFS console and add a relying party trust, using the federation metadata address https://{web application URL}/FederationMetadata/2007-06/FederationMetadata.xml

Add some custom rules

MVC4 needs these rules to produce a usable ClaimsPrincipal.

Add a pass-through rule for the Name claim.

And these two custom rules:

    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = "true");
    => issue(Type = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", Value = "true");
+6
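An added check, not part of the question or the answer above: it parses the STS federation metadata document the dialog asks for and pulls out the values the Identity and Access tool writes into web.config (issuer name, passive WS-Federation endpoint, signing-certificate thumbprint for `<trustedIssuers>`), so a pinned thumbprint can be verified against what ADFS actually publishes. The metadata below is a constructed, cut-down sample with a placeholder hostname and placeholder certificate bytes; the thumbprint is the SHA-1 of the DER certificate, the same form certmgr shows.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsa": "http://www.w3.org/2005/08/addressing"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed, cut-down sample in the shape ADFS 2.0 publishes at
# /FederationMetadata/2007-06/FederationMetadata.xml (placeholder host and cert bytes).
FAKE_CERT_DER = b"constructed placeholder instead of a real DER certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="http://adfs.example.local/adfs/services/trust">
  <RoleDescriptor xmlns:fed="{NS['fed']}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint><EndpointReference xmlns="{NS['wsa']}">
      <Address>https://adfs.example.local/adfs/ls/</Address>
    </EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

def parse_federation_metadata(xml_text):
    """Return the issuer name, WS-Federation passive endpoint and signing-cert thumbprints."""
    root = ET.fromstring(xml_text)
    sts = next((r for r in root.findall("md:RoleDescriptor", NS)
                if r.get(XSI_TYPE, "").endswith("SecurityTokenServiceType")), None)
    if sts is None:
        raise ValueError("metadata has no SecurityTokenServiceType RoleDescriptor")
    thumbprints = []
    for kd in sts.findall("md:KeyDescriptor", NS):
        if kd.get("use") != "signing":
            continue
        for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
            der = base64.b64decode("".join(cert.text.split()))
            # Thumbprint = SHA-1 over the DER bytes, the form certmgr and web.config use
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    addr = sts.find("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    return {"entity_id": root.get("entityID"),
            "passive_endpoint": addr.text.strip() if addr is not None else None,
            "signing_thumbprints": thumbprints}

def check_trusted_issuer(meta, configured_thumbprint):
    """True if the thumbprint pinned in web.config <trustedIssuers> is one the STS signs with."""
    return configured_thumbprint.replace(" ", "").upper() in meta["signing_thumbprints"]
```

Point `parse_federation_metadata` at the real document fetched from the ADFS server and compare its output with the `<wsFederation issuer=...>` and `<trustedIssuers>` entries the tool generated.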

Source: https://habr.com/ru/post/1446375/
