
When adding your website to a new SSO (AD, Ping in this case), AD will normally ask for one thing: "Please share the Metadata URL for your site."

My application uses WS-Federation and it's hosted on IIS. It's an application built in 2013 and minimal code changes are preferred.

Currently the (old) application is already enrolled in one AD that is going to be decommissioned, and the old Metadata used in 2013 is nowhere to be found. So I need new Metadata to provide to the new AD.

Back in 2020, I had already accomplished this: the WindowsIdentityFoundation SDK 4.0 was available on the Microsoft site, and so, following How to create federation metadata XML for "Relying Party Trust" and "Claims Provider Trusts" for ADFS 2.0, it was possible to create a FederationMetadata file that was completely valid and accepted by AD for an existing site to be enrolled in a new AD.

At the time I saved all the links/URLs that I used, but with the SDK going out of business in late 2020, some of the example sites I had saved are now Not Found. I am stuck.

Now, 2 years later, we do not have the WIF SDK anymore, and here I am trying to do the same for another address/website. To try to understand a new approach better, I tried to create a new application in Visual Studio to see what FederationMetadata.xml is generated by using VS's Authorization and publishing. But no matter what I do, a FederationMetadata.xml is nowhere to be found: build/release folders, IIS, anywhere.

So, my question:

How to create a new application with a new FederationMetadata file?

Or even better, how to create a FederationMetadata for an already existing Website?

Thank you.

Gotham Llianen
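An added example, not from the question or any answer: a Python script that builds the minimal WS-Federation 1.2 application-service (relying party) FederationMetadata.xml an ADFS-style identity provider accepts for an existing site, then re-parses it to confirm the fields the IdP team will check. The realm and reply URL are constructed placeholders; the claim URI is the standard "name" claim.

```python
import uuid
import xml.etree.ElementTree as ET

# Namespaces used by WS-Federation 1.2 application-service (relying party) metadata.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
AUTH = "http://docs.oasis-open.org/wsfed/authorization/200706"
WSA = "http://www.w3.org/2005/08/addressing"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"md": MD, "fed": FED, "auth": AUTH, "wsa": WSA}
for prefix, uri in {"": MD, "fed": FED, "auth": AUTH, "wsa": WSA, "xsi": XSI}.items():
    ET.register_namespace(prefix, uri)


def build_rp_metadata(realm: str, reply_url: str, claim_uris: list) -> bytes:
    """realm is the wtrealm/entityID the site sends in its sign-in request;
    reply_url is the page the identity provider POSTs the signed token back to.
    The document is unsigned, which is what an ADFS-style relying-party trust
    accepts; a KeyDescriptor use="encryption" is only needed for encrypted tokens."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor",
                      {"ID": "_" + uuid.uuid4().hex, "entityID": realm})
    role = ET.SubElement(root, f"{{{MD}}}RoleDescriptor", {
        f"{{{XSI}}}type": "fed:ApplicationServiceType",
        "protocolSupportEnumeration": FED})
    wanted = ET.SubElement(role, f"{{{FED}}}ClaimTypesRequested")
    for uri in claim_uris:
        ET.SubElement(wanted, f"{{{AUTH}}}ClaimType", {"Uri": uri, "Optional": "true"})
    # TargetScopes lists the realm(s) the token is issued for; PassiveRequestorEndpoint
    # is where the browser POST lands, so both must be the site's real HTTPS URLs.
    for tag, address in (("TargetScopes", realm), ("PassiveRequestorEndpoint", reply_url)):
        epr = ET.SubElement(ET.SubElement(role, f"{{{FED}}}{tag}"),
                            f"{{{WSA}}}EndpointReference")
        ET.SubElement(epr, f"{{{WSA}}}Address").text = address
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def check_rp_metadata(doc: bytes) -> dict:
    """Re-parse the file the way the IdP administrator will: pull out the fields
    that must match the site and flag any endpoint that is not HTTPS."""
    root = ET.fromstring(doc)
    role = root.find("md:RoleDescriptor", NS)
    addresses = [a.text for a in role.iterfind(".//wsa:Address", NS)]
    return {
        "entity_id": root.get("entityID"),
        "role_type": role.get(f"{{{XSI}}}type"),
        "reply_url": role.findtext(
            "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", namespaces=NS),
        "claims": [c.get("Uri") for c in role.iterfind("fed:ClaimTypesRequested/auth:ClaimType", NS)],
        "all_https": all(a.startswith("https://") for a in addresses),
    }
```

Call build_rp_metadata with the site's real realm and reply URL, write the bytes to FederationMetadata.xml, and hand that file (or an HTTPS URL on the site that serves it) to the IdP team.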
  • Originally, you used "FedUtil" but that download has disappeared? Would this work - https://marketplace.visualstudio.com/items?itemName=AzureADDeveloperExperienceTeam.IdentityandAccessTool – rbrayb Jan 19 '22 at 23:03
  • @rbrayb yes, the SDK URL used to be this https://www.microsoft.com/en-en/download/details.aspx?id=4451. Will try your thing. But currently using VS2019, will let you know how it goes. – Gotham Llianen Jan 20 '22 at 13:20
  • I would suggest you to please refer to this thread: https://stackoverflow.com/questions/27064826/how-to-create-federation-metadata-xml-for-relying-party-trust-and-claims-prov – Kartik Bhiwapurkar Jan 20 '22 at 13:32
  • @KartikBhiwapurkar-MT that is exactly the same thread that I linked in my question. And even if it wasn't, have you checked the answer? The answer that I used, I explained in my question why it's not working anymore, and the accepted one goes to a 404 page. Please read the question before answering. – Gotham Llianen Jan 20 '22 at 14:45
  • Also maybe google wif "federationmetadata.xml" filetype:xml and use those as a template? – rbrayb Jan 20 '22 at 19:04
  • @KartikBhiwapurkar-MT I still haven't answered because your solution requires me to know AD's Metadata (in my case Ping AD): "Once the above is done, then you can create an ADFS Federation metadata URL by going to the Endpoints section in ADFS workspace". I already asked them to send me their Metadata but they have not answered yet. Will update this once I have any update. It's funny that AD always asks for my Metadata, but then doesn't provide theirs lool – Gotham Llianen Feb 04 '22 at 13:16

1 Answer

• Firstly, please ensure that ADFS is installed with the correct settings in your environment and that the ADFS service is reachable from the extranet through the public DNS records configured. Once this is achieved, please check whether your website has the correct website name configured according to the DNS of the IIS server on which it is hosted and joined to the domain.

Once the above things are working fine and are accessible from the intranet as well as the extranet by adding the required DNS records in internal as well as public DNS, please check whether the system authentication and security classes regarding the Windows Identity Federation framework, which provide the basic programming model for claims-based authentication, are included in the ASP.NET MVC app or not.

• Since, as you said, the WIF SDK is out of business and no longer available, Microsoft has included the WIF classes in .NET Framework 4.5 henceforth, and that should be used for claims-based identity and authentication in ASP.NET applications. So, to do this and include the required claims identity principals and assembly packages, please refer to the documentation link below for more information. It will help you in including the classes and namespaces required for security token-based authentication in your application.

https://learn.microsoft.com/en-us/dotnet/api/system.security.claims?view=netframework-4.5.2

Once the above is done, then you can create an ADFS Federation metadata URL by going to the Endpoints section in the ADFS workspace. In that, go to the ‘Metadata’ section and copy the link given there whose type states ‘Federation metadata’, and add your ADFS service FQDN as the link’s prefix to form the ADFS federation metadata URL, i.e., ‘https://adfsservicename.domainname.com/FederationMetadata/2007-06/FederationMetadata.xml’

• When the federation metadata URL is generated through ADFS, open your ASP.NET MVC application in Visual Studio and change its authentication to on-premises, then configure the on-premises authority with the federation metadata URL and leave the App ID URI blank to detect the application URI name from the web.config file. Once that is done, check the ‘System.IdentityModel’ and other classes added in the project directory. Then, configure the application as a ‘Relying Party’ in your ADFS Server and configure the SSO accordingly.

Please refer to the link below for more information on the above steps of creating an ADFS URL for an ASP.NET MVC application:

https://www.dotnetcurry.com/windows-azure/1158/using-adfs-azure-single-signon-aspnet-mvc

Kartik Bhiwapurkar