Configuring and running the ADFS examples for ASP.NET and ASP.NET MVC on Windows Server 2016

This topic describes the configuration of the WebForm and MVC SP Provider example project. That project demonstrates SSO with Windows ADFS.

Pre-setup

In this example the ADFS example (the SP) is given the hostname sp.com and the ADFS server the hostname idp.com.

If you run the example locally, you may want to update the `Windows\System32\drivers\etc\hosts` file on the IdP and SP machines to include entries for www.idp.com and www.sp.com. For example:

  • 192.168.100.2 www.idp.com
  • 192.168.100.3 www.sp.com

Configure the Service Provider example

The settings for the SP example are stored in its web.config file.

  • SsoBinding specifies the binding to use when communicating with the ADFS IdP. The value can be either urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect or urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
  • IdpHttpPostServiceUrl is the URL of the ADFS service when using the HTTP POST binding.
  • IdpHttpRedirectServiceUrl is the URL of the ADFS service when using the HTTP Redirect binding.
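As an added illustration (not a file from the ComponentPro sample project), the script below embeds a constructed web.config carrying those three settings and then checks them the way a practitioner would before pointing the SP at a real ADFS server: the binding must be one of the two allowed URNs, and both IdP endpoints must be absolute HTTPS URLs on the expected host. The placement of the keys in appSettings and the www.idp.com URLs are assumptions; /adfs/ls/ is the default ADFS passive-federation endpoint path.

```powershell
# Added example, not part of the ComponentPro sample project.
# Key names come from the page; their placement under <appSettings> and the
# www.idp.com URLs are constructed sample values.
$webConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="SsoBinding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" />
    <add key="IdpHttpPostServiceUrl" value="https://www.idp.com/adfs/ls/" />
    <add key="IdpHttpRedirectServiceUrl" value="https://www.idp.com/adfs/ls/" />
  </appSettings>
</configuration>
'@

function Test-SpSettings {
    param([xml]$Config, [string]$ExpectedIdpHost)

    # Flatten <add key="" value=""/> entries into a hashtable.
    $settings = @{}
    foreach ($node in $Config.configuration.appSettings.add) {
        $settings[$node.key] = $node.value
    }

    $allowedBindings = @(
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
    )
    $problems = @()

    if ($allowedBindings -notcontains $settings['SsoBinding']) {
        $problems += "SsoBinding must be one of: $($allowedBindings -join ', ')"
    }

    foreach ($key in 'IdpHttpPostServiceUrl', 'IdpHttpRedirectServiceUrl') {
        $uri = $null
        if (-not [Uri]::TryCreate($settings[$key], [UriKind]::Absolute, [ref]$uri)) {
            $problems += "$key is not an absolute URL"
            continue
        }
        # SAML messages end up carrying assertions about users; only talk to the IdP over TLS.
        if ($uri.Scheme -ne 'https') { $problems += "$key must use https" }
        # Catch a stale or mistyped host before the first sign-in attempt fails.
        if ($uri.Host -ne $ExpectedIdpHost) {
            $problems += "$key points at $($uri.Host), expected $ExpectedIdpHost"
        }
    }
    return $problems
}

$problems = Test-SpSettings -Config ([xml]$webConfig) -ExpectedIdpHost 'www.idp.com'
if ($problems.Count -eq 0) { 'web.config SP settings look consistent' } else { $problems }
```

To run it against the real project file, replace the here-string with `[xml](Get-Content .\web.config -Raw)`; the host check is there because the hosts-file entries above are easy to leave behind when the example moves off a developer machine.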

Configure the ADFS server

Our SP example acts as a relying party of the ADFS server. To add a relying party trust for the SP to the ADFS service, use the ADFS management console.

In the following step, select “Enter data about the relying party manually.”

[Screenshot: Specify ADFS relying party]

Then specify a display name for the party, e.g. “www.sp.com”.

In the Choose Profile step, select AD FS Profile.

[Screenshot: Enter SP]

If you want the SAML assertion returned by ADFS to be encrypted, browse to SPKey.pfx to specify it as the token encryption certificate.

[Screenshot: Enter SP]

Now enable support for the SAML 2.0 WebSSO protocol and specify the service provider’s assertion consumer service URL. In our MVC example we use: www.sp.com/Service/

[Screenshot: Enter SP]

Then specify the relying party trust identifier.

[Screenshot: Enter SP]

In Choose Issuance Authorization Rules, select “Permit everyone.”

[Screenshot: Permit everyone in ADFS]

The list of relying party trusts should now include our newly created SP.

[Screenshot: List of trusted ADFS parties]

The authentication request sent from the SP is signed. To specify the certificate used to validate that signature, open the relying party trust's properties dialog and, under the Signature tab, add the service provider certificate.

[Screenshot: Specify certificate for AD]

For this example, we use the SHA-1 algorithm. To do so, click the Advanced tab and choose SHA-1. Keep in mind that ComponentPro SAML supports both SHA-1 and SHA-2 algorithms.

Then edit the claim rules and add a rule.

[Screenshot: Edit ADFS claim rules]

Map the Active Directory user principal name to the outgoing Name ID.

[Screenshot: Map AD principal to ADFS outgoing Name ID]

Your ADFS server should now be ready to connect with the example SP.
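The console steps above, from creating the relying party trust through the claim rule, can be scripted with the AD FS PowerShell module. The script below is an added example, not part of the ComponentPro project; it reproduces the same trust (display name www.sp.com, encrypted assertions, SAML WebSSO endpoint, Permit everyone, SP request-signing certificate, signature algorithm, UPN-to-Name-ID rule). The certificate path, the https scheme on the ACS URL and the trust identifier value are assumptions; the page does not give an identifier value, so replace the placeholder with whatever the SP example is configured to send.

```powershell
# Added example: the relying party trust the walkthrough builds in the ADFS
# management console, created with the AD FS PowerShell module instead.
# Run on the ADFS server in an elevated PowerShell session.
Import-Module ADFS

$spName       = 'www.sp.com'                    # display name used in the walkthrough
$spIdentifier = 'https://www.sp.com/'           # PLACEHOLDER: the page does not state the identifier value
$acsUrl       = 'https://www.sp.com/Service/'   # assertion consumer service URL from the page (scheme assumed)

# SP certificate used both to decrypt-for (token encryption) and to verify the
# signed AuthnRequest. ADFS needs only the public key, so a .cer exported from
# SPKey.pfx is enough; the private key can stay on the SP. Path is assumed.
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList 'C:\certs\SPKey.cer'

# "Enable support for the SAML 2.0 WebSSO protocol": ADFS posts the Response to the ACS URL.
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $acsUrl -Index 0 -IsDefault $true

# "Choose Issuance Authorization Rules": the rule the "Permit everyone" template generates.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# "Edit claim rules": read userPrincipalName from Active Directory and issue it as the Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD UPN to outgoing Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# "Advanced tab": the walkthrough picks SHA-1. Both ADFS and ComponentPro SAML support
# SHA-2, so rsa-sha256 is the value to use once you move past the example.
$sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
$signatureAlgorithm = $sha1

Add-AdfsRelyingPartyTrust -Name $spName `
    -Identifier $spIdentifier `
    -SamlEndpoint $acsEndpoint `
    -EncryptionCertificate $spCert `
    -RequestSigningCertificate $spCert `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules `
    -SignatureAlgorithm $signatureAlgorithm

# Read the trust back and compare with what the console screenshots show.
Get-AdfsRelyingPartyTrust -Name $spName |
    Select-Object Name, Identifier, SignatureAlgorithm, EncryptionCertificate,
                  RequestSigningCertificate, IssuanceAuthorizationRules, IssuanceTransformRules, SamlEndpoints
```

On a Windows Server 2016 ADFS farm the wizard offers an access control policy instead of authorization rules; there `-AccessControlPolicyName 'Permit everyone'` can replace the `-IssuanceAuthorizationRules` argument. The final `Get-AdfsRelyingPartyTrust` is the check worth keeping: it confirms that the signing certificate ADFS will use to validate the SP's requests is the one you intended, and that the signature algorithm is the one you chose.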
