We have an ASP.NET (4.5) web app using Forms authentication and a custom database to authenticate users. Our client uses ADFS (Active Directory Federation Services) and would like to use ADFS users to log into our web app. I need to figure out how to map those ADFS users to our custom users in the app's own database. When a user attempts to access my app's Login page they get redirected to the ADFS login and, once authenticated, returned to my login page along with an object which would give access to some information about the authenticated user, which I then need to map to the user in our web app. I'd really appreciate a simple code example which could be used with this scenario. Specifically, I need info on the user/principal object (or something that's passed back) which I could use to uniquely identify a user and possibly a group the user belongs to, then write my code to obtain the user from our database. I don't really want to make the web app ADFS-aware; I'm after something simple that would work with this scenario.
Viewed 892 times. 1 answer.
You can make ADFS return an additional claim that will help to identify the user, e.g. email - see this answer for details. Once configured, use the following code inside your controller to get the email of the ADFS-authenticated user:

using System.Linq;
using System.Security.Claims;

public static string GetAuthenticatedUserEmail()
{
    // ClaimsPrincipal.Current is populated by the WIF modules after the
    // WS-Federation sign-in; for an unauthenticated request this returns null.
    return ClaimsPrincipal.Current?.Identity?.IsAuthenticated ?? false
        ? ClaimsPrincipal.Current.Claims
            // SingleOrDefault throws if ADFS issues more than one email claim.
            .SingleOrDefault(claim => claim.Type == ClaimTypes.Email)
            ?.Value
        : null;
}
Also, you can verify the claim issuer with the following config section:

<system.identityModel>
  <identityConfiguration>
    ...
    <certificateValidation certificateValidationMode="PeerOrChainTrust" />
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://your-adfs-domain.com/adfs/services/trust">
        <keys>
          <!-- Thumbprint of the ADFS token-signing certificate -->
          <add thumbprint="the thumbprint" />
        </keys>
        <validIssuers>
          <add name="http://your-adfs-domain.com/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <wsFederation issuer="https://your-adfs-domain.com/adfs/ls" realm="https://your-service-domain.com"
                  requireHttps="true" reply="https://your-service-domain.com/StartPage" passiveRedirectEnabled="true" />
    <serviceCertificate>
      <!-- The certificate should have a private key -->
      <certificateReference x509FindType="FindBySubjectName" findValue="some subject" storeLocation="LocalMachine" storeName="My" />
    </serviceCertificate>
  </federationConfiguration>
</system.identityModel.services>
Finally, you can map the user to your table by the retrieved email (or another claim).
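The mapping step the answer ends on, written out as an added example (this is not code from the original answer or from the asker's app). It takes the principal WIF builds after the WS-Federation redirect, keeps only claims whose Issuer equals the ADFS issuer configured in validIssuers above, looks the user up by a stable identifier first and by e-mail only as a fallback, and reads group membership. Assumptions, all labelled in the code: the ADFS relying-party trust issues the primary SID and/or UPN and emits group membership as Role claims; IUserStore, LocalUser and the in-memory store are hypothetical stand-ins for the app's own user table; the sample principal is constructed inline.

```csharp
// Added example, not code from the original answer: maps the ADFS-issued
// ClaimsPrincipal to a row in the app's own user table, using only claims
// that carry the configured ADFS issuer. IUserStore, LocalUser and the
// in-memory store are hypothetical stand-ins for the app's database layer.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public sealed class LocalUser { public int Id { get; set; } public string Email { get; set; } }

// Hypothetical abstraction over the app's user table; a real implementation
// would run parameterized queries against the existing database.
public interface IUserStore
{
    LocalUser FindByExternalSubject(string issuer, string subject);
    LocalUser FindByEmail(string email);
}

public sealed class AdfsUserMapper
{
    // Must equal the <validIssuers> entry in web.config. WIF already rejects
    // tokens signed by unknown issuers; this filter additionally ignores any
    // individual claim whose Issuer is not ADFS (e.g. one added locally).
    private readonly string _issuer;
    private readonly IUserStore _store;

    public AdfsUserMapper(string expectedIssuer, IUserStore store)
    {
        _issuer = expectedIssuer;
        _store = store;
    }

    private IEnumerable<string> Trusted(ClaimsPrincipal p, string type)
    {
        if (p?.Identity == null || !p.Identity.IsAuthenticated) return new string[0];
        return p.Claims
            .Where(c => c.Type == type && string.Equals(c.Issuer, _issuer, StringComparison.Ordinal))
            .Select(c => c.Value);
    }

    // Value of the first claim of the given type issued by ADFS, or null.
    public string GetTrustedClaim(ClaimsPrincipal p, string type) => Trusted(p, type).FirstOrDefault();

    // Group membership; assumes the relying-party rules in ADFS issue
    // "Token-Groups - Unqualified Names" as Role claims.
    public IReadOnlyList<string> GetTrustedGroups(ClaimsPrincipal p) =>
        Trusted(p, ClaimTypes.Role).Distinct().ToList();

    // Prefer a stable identifier (primary SID, then UPN) for the lookup;
    // e-mail is only a fallback because it changes when a user is renamed.
    public LocalUser Resolve(ClaimsPrincipal p)
    {
        var subject = GetTrustedClaim(p, ClaimTypes.PrimarySid) ?? GetTrustedClaim(p, ClaimTypes.Upn);
        var user = subject == null ? null : _store.FindByExternalSubject(_issuer, subject);
        if (user != null) return user;
        var email = GetTrustedClaim(p, ClaimTypes.Email);
        return email == null ? null : _store.FindByEmail(email);
    }
}

// In-memory stand-in so the example runs without a database.
public sealed class InMemoryUserStore : IUserStore
{
    private readonly List<LocalUser> _users = new List<LocalUser>
        { new LocalUser { Id = 7, Email = "alice@example.com" } };
    // key: issuer + "|" + external subject, value: local user id
    private readonly Dictionary<string, int> _external = new Dictionary<string, int>
        { { "http://your-adfs-domain.com/adfs/services/trust|S-1-5-21-1-2-3-1104", 7 } };

    public LocalUser FindByExternalSubject(string issuer, string subject)
    {
        int id;
        return _external.TryGetValue(issuer + "|" + subject, out id) ? _users.FirstOrDefault(u => u.Id == id) : null;
    }

    public LocalUser FindByEmail(string email) =>
        _users.FirstOrDefault(u => string.Equals(u.Email, email, StringComparison.OrdinalIgnoreCase));
}

public static class Demo
{
    public static void Main()
    {
        const string adfs = "http://your-adfs-domain.com/adfs/services/trust";
        // Constructed sample principal standing in for ClaimsPrincipal.Current
        // after the WS-Federation sign-in. The last claim carries a different
        // issuer and is ignored by the mapper.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.PrimarySid, "S-1-5-21-1-2-3-1104", ClaimValueTypes.String, adfs),
            new Claim(ClaimTypes.Email, "alice@example.com", ClaimValueTypes.String, adfs),
            new Claim(ClaimTypes.Role, "WebAppUsers", ClaimValueTypes.String, adfs),
            new Claim(ClaimTypes.Email, "admin@example.com", ClaimValueTypes.String, "http://untrusted.example/"),
        }, "Federation");
        var principal = new ClaimsPrincipal(identity);

        var mapper = new AdfsUserMapper(adfs, new InMemoryUserStore());
        var user = mapper.Resolve(principal);
        Console.WriteLine(user == null ? "no local user" : "local user id " + user.Id);
        Console.WriteLine("groups: " + string.Join(", ", mapper.GetTrustedGroups(principal)));
    }
}
```

In a Web Forms app, call mapper.Resolve(ClaimsPrincipal.Current) from Page_Load (or Application_PostAuthenticateRequest) once the WS-Federation redirect has completed; a null result means the ADFS user has no local account and should be denied or explicitly provisioned, never silently granted access. Two design choices differ from the answer's snippet: FirstOrDefault does not throw if ADFS happens to emit duplicate claims, and the lookup is keyed on a stable identifier before e-mail, because an e-mail-only mapping hands the local account to whoever ADFS later assigns that address.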
-
Thanks for your answer and the link, which is great. Now, given that I have installed the WIF SDK and added the STS reference to my existing web app, and I have a user who is trying to access it: how can I get my Login.aspx.cs to somehow pass the credentials to that STS service? And how do I capture the returned ADFS token so that I can look up the Claims? – rafskiBob Oct 20 '16 at 04:41
-
@rafskiBob in the standard scenario your web application shouldn't deal with the user's password directly. In case of unsuccessful authentication you can redirect the user to the ADFS login page - see the `system.identityModel.services` config section I added (`passiveRedirectEnabled="true"`). Once the user gets authenticated, a redirect to the `reply` link occurs. Then all the claims appear in `ClaimsPrincipal.Current` to be used inside a controller. – stop-cran Oct 20 '16 at 05:56
-
I might be misunderstanding the whole concept here. To access my application, is the user redirected to be authenticated by the ADFS STS, then returned with an ADFS token? If so, how do I need to configure my app to redirect to a specific ADFS STS? Is it part of that configuration you've provided? – rafskiBob Oct 20 '16 at 05:58
-
@rafskiBob just change `your-adfs-domain.com` and `your-service-domain` to real addresses. The client redirect occurs only the first time (or in case of auth failure). Otherwise the client has cookies (usually `FedAuth` and `FedAuth1`) issued by your service after login on the ADFS page. – stop-cran Oct 20 '16 at 06:02
-
So it's a matter of having those system.identityModel and system.identityModel.services configurations in my web.config, which will cause the redirect, and nothing I need to change in code? By the way, ours is not MVC, just an ordinary web app. So the user gets redirected and authenticates with ADFS, gets redirected back to my login page, but now ClaimsPrincipal.Current is available and I could check ClaimsPrincipal.Current.Identity.IsAuthenticated and ClaimsPrincipal.Current.Claims in my OnLoad method, for example? – rafskiBob Oct 20 '16 at 21:18