asp.net,asp.net-mvc,wcf,forms-authentication,adfs2.0
Most likely the problem is in: string url = "{url of website}";. And/or missing parameters in the POST. It shouldn't be just any URL. It should be a properly formatted WS-Federation request. With timestamps etc. etc. And normally/sometimes (in current ADFS) it is a two step process. First the normal...
c#,asp.net,session,wif,adfs2.0
When you receive a session token, the token you receive from ADFS starts expiring. After it has completely expired it needs to be refreshed. This is a balance between having accurate information from ADFS (calling into AD each time you want to know something about the user) and having...
saml,saml-2.0,adfs,adfs2.0,openam
Unlike OpenAM, ADFS doesn't support SAML 2.0 Query Profiles including the AttributeQuery protocol. The available endpoints and profiles are listed here http://technet.microsoft.com/en-us/library/adfs2-help-endpoints(v=ws.10).aspx The WS-Trust standard (supported by ADFS) has a possibility to define which claims (attributes) should be returned as part of the security token. See an example of issuing...
asp.net,single-sign-on,saml,saml-2.0,adfs2.0
I'm answering from SAML and not from ADFS. Regarding question 2, I would expect that you would have received a block of XML called SAML Metadata that describes your customer's IDP. In that metadata, I would expect that you would receive your customer's public key (2.4.1.1 Element KeyDescriptor). I don't...
Based on this link: https://technet.microsoft.com/en-us/library/cc758187%28v=ws.10%29.aspx Claims-aware applications do not require a local user store. All information about a given identity is contained in the token that is presented by the application. The application may store additional information that links to the identity that is presented in the token, but a...
SAML contains a mechanism for forcing IDP to re-authenticate user called forced authentication. You can enable it by setting flag forceAuthn in WebSSOProfileOptions to true. You can find more details on setting this in the Spring SAML manual, chapter 9.2.1.
visual-studio-2013,localhost,asp.net-mvc-5,claims-based-identity,adfs2.0
As mentioned in Vittorio's first response, it seems that the relying party identifier sent by your application does not match what is registered in ADFS. This should not require a new vanilla ADFS setup. I suggest the following: Ensure that you have a Relying Party trust set up in ADFS for...
asp.net-mvc,claims-based-identity,adfs,adfs2.0,claims
The easiest way is to create a multi-valued attribute in AD for each user that contains the list of organizations. Then have a normal AD mapping claim rule. Note that this will not produce a list in one claim, rather multiple claims. Refer: ADFS : Multi-valued attributes from AD. The...
asp.net,google-chrome,internet-explorer,wif,adfs2.0
SSO requires cookies in the browser. Different browsers or browser instances don't share cookies. This doesn't work by design.
Actually the URL is https://server/federationmetadata/2007-06/federationmetadata.xml. There are no tools that I am aware of. You can use the Microsoft.IdentityModel.Protocols.WSFederation.Metadata class or refer to Generating Federation Metadata Dynamically. Have a look at "Thinktecture.IdentityServer.v2 / src / Libraries / Thinktecture.IdentityServer.Protocols / FederationMetadata" over at Thinktecture.IdentityServer.v2. Or if your application uses WIF it's in...
Ended up baking an additional parameter into the query string via the ADFS webservice. Just edited the global.asax file and added the necessary parameter from there, then told the STS to pick up on this variable.
Digital signing of what - the SAML token, the AuthN request ...? In terms of the token - No - that would break security. In terms, of the AuthN request, yes - it's an option in the AuthN request. However, for this to work you would have to liaise with...
MFA and all the extra claims (and claims engine instances) were new in ADFS on Windows Server 2012R2. It did not exist in earlier versions.
php,saml,adfs2.0,simplesamlphp
Yeah. In a fit of anger and frustration, I set NameIDPolicy to null and everything works. FML 'default-sp' => array( 'saml:SP', 'privatekey' => 'saml.pem', 'certificate' => 'saml.crt', 'idp' => 'http://comain.com/adfs/services/trust', 'NameIDPolicy' => null, ...
c#,.net,asp.net-mvc,asp.net-web-api,adfs2.0
Here's how I've done it in the past. I'm open to constructive criticism if someone has a better idea. First, add the following NuGet package to your WebAPI project: ValidatingIssuerNameRegistry Next, comment out the body of the ConfigureAuth method in /App_Start/Startup.Auth.cs public void ConfigureAuth(IAppBuilder app) { ////app.UseActiveDirectoryFederationServicesBearerAuthentication( //// new ActiveDirectoryFederationServicesBearerAuthenticationOptions...