Saturday 29 September 2012

Configuring ACS for consuming ADFS and using in Web Application - Part 3

Adding Relying Party Trust on ADFS for the ACS namespace

We need to create a Relying Party Trust for the ACS namespace; otherwise AD FS will not know where the request comes from or which URL it should respond to.

Step 1: Open the AD FS 2.0 Management window by navigating Start -> Administrative Tasks -> AD FS 2.0 Management menu.

Step 2: Click the Add Relying Party Trust from the Actions panel in the right side.


The server will open the Add Relying Party Trust Wizard.

Step 3: Click Start to navigate to next screen.


Step 4: In the Select Data Source screen, make sure the Import data about the relying party published online or on a local network option is selected.


Provide the WS-Federation metadata URL that we got from the ACS portal in the Federation metadata address field and press Next.

Step 5: Keep or change the descriptive name for the Relying Party Trust in the Specify Display Name screen.


Step 6: Press Next in the Choose Issuance Authorization Rules screen.


Step 7: Review the provided information in the Ready to Add Trust window and press Next.


Step 8: Make sure the Open the Edit Claim Rules for this relying party trust when the wizard closes option is selected, and press Close.


The server will open the Edit Claim Rules window.

Step 9: Press Add Rule to add a new rule.


The server will open the Add Transform Claim Rule Wizard window.

Step 10: Make sure Send LDAP Attributes as Claims is selected and press Next.


Step 11: In the Configure Rule window, enter any descriptive name in the Claim rule name and select Active Directory in the Attribute Store.



Add a row in the Mapping of LDAP attributes to outgoing claim types table as below.

LDAP Attribute: Token-Groups – Unqualified Names
Outgoing Claim Type: Role

Press Finish.

Step 12: The server adds the rule and shows it in the Edit Claim Rules window as below.


Press OK.

Step 13: The relying party is now added to the Relying Party Trusts list.


Verifying the Application output

Step 14: Now switch back to our application and run the code. The browser will pop up the window for logging into the application with the server AD credentials. Once the login credentials are accepted, it will show an error page as below.


This error occurs because we need to add the configuration below under the <system.web> node in the Web.Config file.
<httpRuntime requestValidationMode="2.0"/>

If we run the application again, it will show the default home page after the authentication process is completed by connecting to the ACS endpoint.


Modifying the application to show all the claims

Currently the application shows the page with no information, so we will modify the page to show the list of claims coming from the ADFS server.

Step 1: Open the Index.cshtml and modify the page as below.
@{
    Layout = null;
}

<!DOCTYPE html>

<html>
<head>
    <meta name="viewport" content="width=device-width" />
    <title>Index</title>
</head>
<body>
    <div>
        @if (User.Identity.IsAuthenticated)
        {
        <ul>
            @foreach (string claim in ((Microsoft.IdentityModel.Claims.IClaimsIdentity)this.User.Identity).Claims.Select(c => c.ClaimType + " : " + c.Value))
            {
                <li>@claim</li>
            } 
        </ul>
        }
    </div>
</body>
</html>

Step 2: Now run the application and log in with the credentials. The output of the home page will be as below.

When logging in with the Administrator credentials

When logging in with a normal domain user (e.g. thiru@thirutestdc.com)


Note: When ACS is configured with multiple identity providers such as Live ID, Google ID, Yahoo ID and Facebook, as well as the ADFS provider we configured before, the application will show a list of identity providers to choose from during the authentication process. When the user selects the ADFS identity provider (the name is shown as per the user's configuration), the application calls ACS and shows the popup window for logging in with AD credentials as shown above.

The other links on Configuring ACS for consuming ADFS and using in Web Application:
  1. Configuring ACS for consuming ADFS and using in Web Application - Part 1
  2. Configuring ACS for consuming ADFS and using in Web Application - Part 2
  3. Configuring ACS for consuming ADFS and using in Web Application - Part 3
