Add Encryption and Signing to an ADFS login site

2 Jan 2019 - Added an extra question below



I'm new to ADFS and am developing a site with an ADFS login. I got a basic ADFS login to work, but without encryption and signing, and I need to add that to the login. Does anyone know how to implement this?
And what kind of certificate can/should I use, and how do I get it?



This is my code so far:



Default.aspx

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title></title>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>
            <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
            <asp:Label runat="server" ID="lblInfo"></asp:Label>
        </div>
        </form>
    </body>
    </html>


Default.aspx.cs

    using System;
    using System.Threading;
    using System.Web;
    using System.Web.UI;

    public partial class _Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (Page.User.Identity.IsAuthenticated)
            {
                lblInfo.Text += "<TABLE border=\"1\" Align=\"Center\" CellSpacing=\"15\" CellPadding=\"15\">";
                lblInfo.Text += "<TR><TD>";
                lblInfo.Text += "<b>" + "Claim Type" + "</b></TD><TD>";
                lblInfo.Text += "<b>" + "Claim Value";
                lblInfo.Text += "</b></TD></TR>";

                // Claim types and values come from the identity provider, so they are
                // HTML-encoded before being written into the page as markup.
                foreach (var claim in (Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity).Claims)
                {
                    lblInfo.Text += "<TR><TD>";
                    lblInfo.Text += HttpUtility.HtmlEncode(claim.Type) + "</TD><TD>";
                    lblInfo.Text += HttpUtility.HtmlEncode(claim.Value);
                    lblInfo.Text += "</TD></TR>";
                }

                lblInfo.Text += "</TABLE>";
            }
        }

        protected void btnLogout_Click(object sender, EventArgs e)
        {
            // Request.GetOwinContext() is the System.Web extension method from Microsoft.Owin.Host.SystemWeb.
            var ctx = Request.GetOwinContext();
            var authenticationManager = ctx.Authentication;
            authenticationManager.SignOut();
        }
    }


App_Code/RouteConfig.cs

    using System.Web.Routing;
    using Microsoft.AspNet.FriendlyUrls;

    public class RouteConfig
    {
        public static void RegisterRoutes(RouteCollection routes)
        {
            var settings = new FriendlyUrlSettings();
            settings.AutoRedirectMode = RedirectMode.Permanent;
            routes.EnableFriendlyUrls(settings);
        }
    }

App_Code/Startup.cs

    using Owin;

    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }
    }

App_Code/StartupAuth.cs

    using System.Configuration;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;
    using Microsoft.Owin.Extensions;

    public partial class Startup
    {
        private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
        private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            // Endpoints and signing keys are read from the ADFS federation metadata;
            // Wtrealm must match the relying party identifier registered in ADFS.
            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {
                    Wtrealm = realm,
                    MetadataAddress = adfsMetadata
                });

            app.UseStageMarker(PipelineStage.Authenticate);
        }
    }

Web.config

    <?xml version="1.0"?>
    <configuration>
      <appSettings>
        <!-- ADFS -->
        <add key="ida:ADFSMetadata" value="https://fs-test.OurServer.me/federationmetadata/2007-06/federationmetadata.xml" />
        <add key="ida:Wtrealm" value="https://MySite" />
        <!-- ADFS -->
      </appSettings>
      <system.web>
        <compilation debug="true" targetFramework="4.5"/>
        <httpRuntime targetFramework="4.5"/>
        <authorization>
          <deny users="?"/>
          <allow users="*"/>
        </authorization>
        <customErrors mode="Off"/>
      </system.web>
      <system.codedom>
        <compilers>
          <compiler language="c#;cs;csharp" extension=".cs"
            type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
            warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
          <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
            type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
            warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+"/>
        </compilers>
      </system.codedom>
    </configuration>


Update - 2 Jan 2019

Sorry for this late reply.
I finally had time to look through all your links; thanks, they helped me a lot, but I ran into another problem. I think I've added encryption correctly, but now I'm getting this error:



ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.



D:www_ADFS_SACCK_TEST_Simpel_med_encrypt_signApp_CodeEncryptedSecurityTokenHandlerEx.cs Line: 51



A lot of sites mention that it's the thumbprint that's causing the problem, with some hidden characters at the beginning of the thumbprint, so I've typed it in manually, but that didn't help.



Does anybody know what the problem can be?



I changed some of the code so it now looks like this:



StartupAuth.cs

    using System.Configuration;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;
    using Microsoft.Owin.Extensions;
    using System.Collections.ObjectModel;
    using System.IdentityModel.Tokens;
    using System.Collections.Generic;
    using System.Threading;
    using Microsoft.IdentityModel.Protocols;
    using System.IdentityModel.Selectors;
    using System.Security.Cryptography.X509Certificates;
    using System;

    public partial class Startup
    {
        private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
        private static string _MetadataAddress = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
        private static string _SignInAsAuthenticationType = "cookies";
        // Thumbprint of the ADFS token-signing certificate (redacted); the issuer name
        // registry maps this thumbprint to the issuer name below.
        private const string SigningCertThumbprint = "d25xxxxxxxxxxxxxxxxxxxxxxxxxxxxf89";
        //private const string Issuer = "LOCAL AUTHORITY";
        private const string Issuer = "CN = testComp adfs";

        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
            });

            // Only tokens addressed to this relying party (the realm) are accepted.
            var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
            audienceRestriction.AllowedAudienceUris.Add(new Uri(realm));

            // Only tokens signed with the pinned certificate are accepted; a token signed
            // by a certificate the registry does not know fails with ID4175.
            var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
            issuerRegistry.AddTrustedIssuer(SigningCertThumbprint, Issuer);

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions(WsFederationAuthenticationDefaults.AuthenticationType)
            {
                Wtrealm = realm,
                MetadataAddress = _MetadataAddress,
                TokenValidationParameters = new TokenValidationParameters
                {
                    AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
                },
                SecurityTokenHandlers = new SecurityTokenHandlerCollection
                {
                    // Decrypts the EncryptedData wrapper with the relying party's private key
                    // from the LocalMachine\My store ...
                    new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
                    // ... then validates the inner SAML assertion. With CertificateValidator.None
                    // no chain or revocation check is made on the signing certificate, so the
                    // thumbprint pinned in the issuer registry is the only check that the token
                    // really came from ADFS.
                    new SamlSecurityTokenHandlerEx
                    {
                        CertificateValidator = X509CertificateValidator.None,
                        Configuration = new SecurityTokenHandlerConfiguration()
                        {
                            AudienceRestriction = audienceRestriction,
                            IssuerNameRegistry = issuerRegistry
                        }
                    }
                }
            });

            app.UseStageMarker(PipelineStage.Authenticate);
        }
    }

I've also added two more classes:



SamlSecurityTokenHandlerEx.cs

    using System.IdentityModel.Tokens;
    using System.IO;
    using System.Security.Claims;
    using System.Xml;

    // Adapts the WIF SamlSecurityTokenHandler (XmlReader-based API) to the
    // ISecurityTokenValidator interface (string-based API) the OWIN middleware calls.
    public class SamlSecurityTokenHandlerEx : SamlSecurityTokenHandler, ISecurityTokenValidator
    {
        public override bool CanReadToken(string securityToken)
        {
            return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));
        }

        public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
            out SecurityToken validatedToken)
        {
            validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
            // The base ValidateToken(SecurityToken) applies the AudienceRestriction and
            // IssuerNameRegistry from Configuration and returns the token's identities.
            return new ClaimsPrincipal(ValidateToken(validatedToken));
        }

        public int MaximumTokenSizeInBytes { get; set; }
    }

EncryptedSecurityTokenHandlerEx.cs

    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.IO;
    using System.Linq;
    using System.Security.Claims;
    using System.Web;
    using System.Xml;

    // Same adapter pattern for EncryptedSecurityTokenHandler: decrypts the token and
    // hands the inner token to the other handlers in the same collection.
    public class EncryptedSecurityTokenHandlerEx : EncryptedSecurityTokenHandler, ISecurityTokenValidator
    {
        public EncryptedSecurityTokenHandlerEx(SecurityTokenResolver securityTokenResolver)
        {
            // The resolver locates the private key that can decrypt the token
            // (here a certificate in the LocalMachine\My store).
            Configuration = new SecurityTokenHandlerConfiguration
            {
                ServiceTokenResolver = securityTokenResolver
            };
        }

        public override bool CanReadToken(string securityToken)
        {
            return base.CanReadToken(new XmlTextReader(new StringReader(securityToken)));
        }

        public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
        {
            validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
            if (ContainingCollection != null)
            {
                // Lets the SamlSecurityTokenHandlerEx in the collection validate the decrypted token.
                return new ClaimsPrincipal(ContainingCollection.ValidateToken(validatedToken));
            }
            return new ClaimsPrincipal(base.ValidateToken(validatedToken));
        }

        public int MaximumTokenSizeInBytes { get; set; }
    }
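
ID4175 is raised when the IssuerNameRegistry returns no name for the certificate that signed the token, so the first thing to verify is that the pinned thumbprint really is the ADFS token-signing certificate published in the federation metadata (and not the token-decrypting or service communications certificate). The console tool below is an added example, not code from the question; `SigningCertCheck` and its methods are hypothetical names, and it reads the same metadata URL the Web.config points at.

```csharp
// Added example: compares a pinned thumbprint with the token-signing
// certificates that ADFS publishes in its federation metadata.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml;

public static class SigningCertCheck
{
    private const string MetadataNs = "urn:oasis:names:tc:SAML:2.0:metadata";
    private const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // Extracts every certificate advertised with use="signing". ADFS publishes its
    // token-signing certificate(s) there; use="encryption" entries are skipped on purpose.
    public static List<X509Certificate2> SigningCertificates(string metadataXml)
    {
        // The metadata is fetched over the network: no DTDs, no external entities.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(metadataXml), settings))
        {
            doc.Load(reader);
        }

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("md", MetadataNs);
        ns.AddNamespace("ds", DsigNs);

        var certs = new List<X509Certificate2>();
        var xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate";
        foreach (XmlNode node in doc.SelectNodes(xpath, ns))
        {
            var cert = new X509Certificate2(Convert.FromBase64String(node.InnerText.Trim()));
            // The same certificate appears under several role descriptors; keep one copy.
            if (!certs.Any(c => c.Thumbprint == cert.Thumbprint))
            {
                certs.Add(cert);
            }
        }
        return certs;
    }

    // Keeps only hex digits, upper-cased. This removes spaces and the invisible
    // characters (typically U+200E) that come along when a thumbprint is copied from
    // the certificate MMC, the usual cause of a "hidden character" mismatch.
    public static string NormalizeThumbprint(string thumbprint)
    {
        var sb = new StringBuilder();
        foreach (var c in thumbprint)
        {
            if (Uri.IsHexDigit(c)) sb.Append(char.ToUpperInvariant(c));
        }
        return sb.ToString();
    }

    // True when the pinned thumbprint matches a published token-signing certificate.
    // A false result is exactly the situation behind ID4175: the issuer name registry
    // has no entry for the certificate that actually signed the token.
    public static bool IsPinnedThumbprintPublished(string pinned, IEnumerable<X509Certificate2> published, TextWriter report)
    {
        var want = NormalizeThumbprint(pinned);
        var found = false;
        foreach (var cert in published)
        {
            var have = NormalizeThumbprint(cert.Thumbprint);
            var match = have == want;
            found |= match;
            report.WriteLine("{0} {1}  subject={2}  expires={3:yyyy-MM-dd}",
                match ? "MATCH   " : "mismatch", have, cert.Subject, cert.NotAfter);
        }
        return found;
    }

    public static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: SigningCertCheck <metadata URL or file> <pinned thumbprint>");
            return 2;
        }

        // Accepts either the live metadata URL or a saved copy of the XML.
        var xml = args[0].StartsWith("http", StringComparison.OrdinalIgnoreCase)
            ? new HttpClient().GetStringAsync(args[0]).GetAwaiter().GetResult()
            : File.ReadAllText(args[0]);

        var ok = IsPinnedThumbprintPublished(args[1], SigningCertificates(xml), Console.Out);
        Console.WriteLine(ok
            ? "Pinned thumbprint is a published token-signing certificate."
            : "Pinned thumbprint is NOT a published token-signing certificate.");
        return ok ? 0 : 1;
    }
}
```

Run it with the `ida:ADFSMetadata` URL and the thumbprint passed to `AddTrustedIssuer`; the report also shows each certificate's expiry, which matters because ADFS rolls its token-signing certificate automatically and a pinned thumbprint will start failing with the same ID4175 when that happens.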











share|improve this question




























    0















    2 Jan 2019 - Added an extra question below



    I'm new to ADFS and is developing a site with a ADFS login, I got a basic ADFS login to work but without Encryption and Signing and I need to add that to the login. Do anyone knows how to implement this?
    and what kind og certificate can/should i use and how do i get it?



    This is my code so far:



    Default.aspx







    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
    <title></title>
    </head>
    <body>
    <form id="form1" runat="server">
    <div>
    <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
    <asp:Label runat="server" ID="lblInfo"></asp:Label>
    </div>
    </form>
    </body>
    </html>


    Default.aspx.cs



    using System;
    using System.Threading;
    using System.Web;
    using System.Web.UI;

    public partial class _Default : System.Web.UI.Page

    protected void Page_Load(object sender, EventArgs e)

    if (Page.User.Identity.IsAuthenticated)

    lblInfo.Text += "<TABLE border="1" Align="Center" CellSpacing="15" CellPadding = "15" >";
    lblInfo.Text += "<TR><TD>";
    lblInfo.Text += "<b>" + "Claim Type" + "</TD><TD>";
    lblInfo.Text += "<b>" + "Claim Value";
    lblInfo.Text += "</B></TD></TR>";

    foreach (var claim in (Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity).Claims)

    lblInfo.Text += "<TR><TD>";
    lblInfo.Text += claim.Type + "</TD><TD>";
    lblInfo.Text += claim.Value;
    lblInfo.Text += "</TD></TR>";


    lblInfo.Text += "</TABLE>";



    protected void btnLogout_Click(object sender, EventArgs e)

    var ctx = Request.GetOwinContext();
    var authenticationManager = ctx.Authentication;
    authenticationManager.SignOut();




    App_Code/RouteConfig.cs



    using System.Web.Routing;
    using Microsoft.AspNet.FriendlyUrls;

    public class RouteConfig

    public static void RegisterRoutes(RouteCollection routes)

    var settings = new FriendlyUrlSettings();
    settings.AutoRedirectMode = RedirectMode.Permanent;
    routes.EnableFriendlyUrls(settings);




    App_Code/Startup.cs



    using Owin;

    public partial class Startup

    public void Configuration(IAppBuilder app)

    ConfigureAuth(app);




    App_Code/StartupAuth.cs



    using System.Configuration;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;
    using Microsoft.Owin.Extensions;

    public partial class Startup

    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseWsFederationAuthentication(
    new WsFederationAuthenticationOptions

    Wtrealm = realm,
    MetadataAddress = adfsMetadata
    );

    app.UseStageMarker(PipelineStage.Authenticate);




    Web.config



    <?xml version="1.0"?>
    <configuration>
    <appSettings>
    <!-- ADFS -->
    <add key="ida:ADFSMetadata" value="https://fs-test.OurServer.me/federationmetadata/2007-06/federationmetadata.xml" />
    <add key="ida:Wtrealm" value="https://MySite" />
    <!-- ADFS -->
    </appSettings>
    <system.web>
    <compilation debug="true" targetFramework="4.5"/>
    <httpRuntime targetFramework="4.5"/>
    <authorization>
    <deny users="?"/>
    <allow users="*"/>
    </authorization>
    <customErrors mode="Off"/>
    </system.web>
    <system.codedom>
    <compilers>
    <compiler language="c#;cs;csharp" extension=".cs"
    type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
    warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
    <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
    type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
    warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+"/>
    </compilers>
    </system.codedom>
    </configuration>


    Update - 2 Jan 2019



    Sorry for this late reply
    I finally had time to look through all your links, thanks they helped me a lot, but i ran into another problem. I Think i've added Encryption correct but now i'm getting this Error:



    ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.



    D:www_ADFS_SACCK_TEST_Simpel_med_encrypt_signApp_CodeEncryptedSecurityTokenHandlerEx.cs Line: 51



    A lot of sites mentions that it's the thumbprint that causing the problem with some hidden characters at the beginning of the thumbprint, so i've typed it in manually but that didn't helped.



    Does anybody know what the problem can be?



    I changed some of the code so it now looks like this:



    StartupAuth.cs



    using System.Configuration;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;
    using Microsoft.Owin.Extensions;
    using System.Collections.ObjectModel;
    using System.IdentityModel.Tokens;
    using System.Collections.Generic;
    using System.Threading;
    using Microsoft.IdentityModel.Protocols;
    using System.IdentityModel.Selectors;
    using System.Security.Cryptography.X509Certificates;
    using System;

    public partial class Startup

    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string _MetadataAddress = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
    private static string _SignInAsAuthenticationType = "cookies";
    private const string SigningCertThumbprint = "d25xxxxxxxxxxxxxxxxxxxxxxxxxxxxf89";
    //private const string Issuer = "LOCAL AUTHORITY";
    private const string Issuer = "CN = testComp adfs";



    public void ConfigureAuth(IAppBuilder app)

    app.UseCookieAuthentication(new CookieAuthenticationOptions

    AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
    );

    var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
    audienceRestriction.AllowedAudienceUris.Add(new Uri(realm));

    var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
    issuerRegistry.AddTrustedIssuer(SigningCertThumbprint, Issuer);

    app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions(WsFederationAuthenticationDefaults.AuthenticationType)

    Wtrealm = realm,
    MetadataAddress = _MetadataAddress,
    TokenValidationParameters = new TokenValidationParameters

    AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
    ,
    SecurityTokenHandlers = new SecurityTokenHandlerCollection

    new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
    new SamlSecurityTokenHandlerEx

    CertificateValidator = X509CertificateValidator.None,
    Configuration = new SecurityTokenHandlerConfiguration()

    AudienceRestriction = audienceRestriction,
    IssuerNameRegistry = issuerRegistry



    );

    app.UseStageMarker(PipelineStage.Authenticate);





    I've also added two more classes:



    SamlSecurityTokenHandlerEx.cs



     using System.IdentityModel.Tokens;
    using System.IO;
    using System.Security.Claims;
    using System.Xml;

    public class SamlSecurityTokenHandlerEx : SamlSecurityTokenHandler, ISecurityTokenValidator

    public override bool CanReadToken(string securityToken)

    return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));


    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
    out SecurityToken validatedToken)

    validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
    return new ClaimsPrincipal(ValidateToken(validatedToken)); ;


    public int MaximumTokenSizeInBytes get; set;



    EncryptedSecurityTokenHandlerEx.cs



    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.IO;
    using System.Linq;
    using System.Security.Claims;
    using System.Web;
    using System.Xml;

    public class EncryptedSecurityTokenHandlerEx : EncryptedSecurityTokenHandler, ISecurityTokenValidator

    public EncryptedSecurityTokenHandlerEx(SecurityTokenResolver securityTokenResolver)

    Configuration = new SecurityTokenHandlerConfiguration

    ServiceTokenResolver = securityTokenResolver
    ;


    public override bool CanReadToken(string securityToken)

    return base.CanReadToken(new XmlTextReader(new StringReader(securityToken)));


    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)

    validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
    if (ContainingCollection != null)

    return new ClaimsPrincipal(ContainingCollection.ValidateToken(validatedToken));

    return new ClaimsPrincipal(base.ValidateToken(validatedToken));


    public int MaximumTokenSizeInBytes get; set;











    share|improve this question


























      0












      0








      0








      2 Jan 2019 - Added an extra question below



      I'm new to ADFS and is developing a site with a ADFS login, I got a basic ADFS login to work but without Encryption and Signing and I need to add that to the login. Do anyone knows how to implement this?
      and what kind og certificate can/should i use and how do i get it?



      This is my code so far:



      Default.aspx







      <html xmlns="http://www.w3.org/1999/xhtml">
      <head runat="server">
      <title></title>
      </head>
      <body>
      <form id="form1" runat="server">
      <div>
      <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
      <asp:Label runat="server" ID="lblInfo"></asp:Label>
      </div>
      </form>
      </body>
      </html>


      Default.aspx.cs



      using System;
      using System.Threading;
      using System.Web;
      using System.Web.UI;

      public partial class _Default : System.Web.UI.Page

      protected void Page_Load(object sender, EventArgs e)

      if (Page.User.Identity.IsAuthenticated)

      lblInfo.Text += "<TABLE border="1" Align="Center" CellSpacing="15" CellPadding = "15" >";
      lblInfo.Text += "<TR><TD>";
      lblInfo.Text += "<b>" + "Claim Type" + "</TD><TD>";
      lblInfo.Text += "<b>" + "Claim Value";
      lblInfo.Text += "</B></TD></TR>";

      foreach (var claim in (Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity).Claims)

      lblInfo.Text += "<TR><TD>";
      lblInfo.Text += claim.Type + "</TD><TD>";
      lblInfo.Text += claim.Value;
      lblInfo.Text += "</TD></TR>";


      lblInfo.Text += "</TABLE>";



      protected void btnLogout_Click(object sender, EventArgs e)

      var ctx = Request.GetOwinContext();
      var authenticationManager = ctx.Authentication;
      authenticationManager.SignOut();




      App_Code/RouteConfig.cs



      using System.Web.Routing;
      using Microsoft.AspNet.FriendlyUrls;

      public class RouteConfig

      public static void RegisterRoutes(RouteCollection routes)

      var settings = new FriendlyUrlSettings();
      settings.AutoRedirectMode = RedirectMode.Permanent;
      routes.EnableFriendlyUrls(settings);




      App_Code/Startup.cs



      using Owin;

      public partial class Startup

      public void Configuration(IAppBuilder app)

      ConfigureAuth(app);




      App_Code/StartupAuth.cs



      using System.Configuration;
      using Microsoft.Owin.Security;
      using Microsoft.Owin.Security.Cookies;
      using Microsoft.Owin.Security.WsFederation;
      using Owin;
      using Microsoft.Owin.Extensions;

      public partial class Startup

      private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
      private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

      public void ConfigureAuth(IAppBuilder app)

      app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

      app.UseCookieAuthentication(new CookieAuthenticationOptions());

      app.UseWsFederationAuthentication(
      new WsFederationAuthenticationOptions

      Wtrealm = realm,
      MetadataAddress = adfsMetadata
      );

      app.UseStageMarker(PipelineStage.Authenticate);




      Web.config



      <?xml version="1.0"?>
      <configuration>
      <appSettings>
      <!-- ADFS -->
      <add key="ida:ADFSMetadata" value="https://fs-test.OurServer.me/federationmetadata/2007-06/federationmetadata.xml" />
      <add key="ida:Wtrealm" value="https://MySite" />
      <!-- ADFS -->
      </appSettings>
      <system.web>
      <compilation debug="true" targetFramework="4.5"/>
      <httpRuntime targetFramework="4.5"/>
      <authorization>
      <deny users="?"/>
      <allow users="*"/>
      </authorization>
      <customErrors mode="Off"/>
      </system.web>
      <system.codedom>
      <compilers>
      <compiler language="c#;cs;csharp" extension=".cs"
      type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
      warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
      type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
      warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+"/>
      </compilers>
      </system.codedom>
      </configuration>


      Update - 2 Jan 2019



      Sorry for this late reply
      I finally had time to look through all your links, thanks they helped me a lot, but i ran into another problem. I Think i've added Encryption correct but now i'm getting this Error:



      ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.



      D:www_ADFS_SACCK_TEST_Simpel_med_encrypt_signApp_CodeEncryptedSecurityTokenHandlerEx.cs Line: 51



      A lot of sites mentions that it's the thumbprint that causing the problem with some hidden characters at the beginning of the thumbprint, so i've typed it in manually but that didn't helped.



      Does anybody know what the problem can be?



      I changed some of the code so it now looks like this:



      StartupAuth.cs



      using System.Configuration;
      using Microsoft.Owin.Security;
      using Microsoft.Owin.Security.Cookies;
      using Microsoft.Owin.Security.WsFederation;
      using Owin;
      using Microsoft.Owin.Extensions;
      using System.Collections.ObjectModel;
      using System.IdentityModel.Tokens;
      using System.Collections.Generic;
      using System.Threading;
      using Microsoft.IdentityModel.Protocols;
      using System.IdentityModel.Selectors;
      using System.Security.Cryptography.X509Certificates;
      using System;

      public partial class Startup

      private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
      private static string _MetadataAddress = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
      private static string _SignInAsAuthenticationType = "cookies";
      private const string SigningCertThumbprint = "d25xxxxxxxxxxxxxxxxxxxxxxxxxxxxf89";
      //private const string Issuer = "LOCAL AUTHORITY";
      private const string Issuer = "CN = testComp adfs";



      public void ConfigureAuth(IAppBuilder app)

      app.UseCookieAuthentication(new CookieAuthenticationOptions

      AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
      );

      var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
      audienceRestriction.AllowedAudienceUris.Add(new Uri(realm));

      var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
      issuerRegistry.AddTrustedIssuer(SigningCertThumbprint, Issuer);

      app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions(WsFederationAuthenticationDefaults.AuthenticationType)

      Wtrealm = realm,
      MetadataAddress = _MetadataAddress,
      TokenValidationParameters = new TokenValidationParameters

      AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
      ,
      SecurityTokenHandlers = new SecurityTokenHandlerCollection

      new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
      new SamlSecurityTokenHandlerEx

      CertificateValidator = X509CertificateValidator.None,
      Configuration = new SecurityTokenHandlerConfiguration()

      AudienceRestriction = audienceRestriction,
      IssuerNameRegistry = issuerRegistry



      );

      app.UseStageMarker(PipelineStage.Authenticate);





      I've also added two more classes:



      SamlSecurityTokenHandlerEx.cs



       using System.IdentityModel.Tokens;
      using System.IO;
      using System.Security.Claims;
      using System.Xml;

      public class SamlSecurityTokenHandlerEx : SamlSecurityTokenHandler, ISecurityTokenValidator

      public override bool CanReadToken(string securityToken)

      return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));


      public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
      out SecurityToken validatedToken)

      validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
      return new ClaimsPrincipal(ValidateToken(validatedToken)); ;


      public int MaximumTokenSizeInBytes get; set;



      EncryptedSecurityTokenHandlerEx.cs



      using System;
      using System.Collections.Generic;
      using System.IdentityModel.Selectors;
      using System.IdentityModel.Tokens;
      using System.IO;
      using System.Linq;
      using System.Security.Claims;
      using System.Web;
      using System.Xml;

      public class EncryptedSecurityTokenHandlerEx : EncryptedSecurityTokenHandler, ISecurityTokenValidator

      public EncryptedSecurityTokenHandlerEx(SecurityTokenResolver securityTokenResolver)

      Configuration = new SecurityTokenHandlerConfiguration

      ServiceTokenResolver = securityTokenResolver
      ;


      public override bool CanReadToken(string securityToken)

      return base.CanReadToken(new XmlTextReader(new StringReader(securityToken)));


      public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)

      validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
      if (ContainingCollection != null)

      return new ClaimsPrincipal(ContainingCollection.ValidateToken(validatedToken));

      return new ClaimsPrincipal(base.ValidateToken(validatedToken));


      public int MaximumTokenSizeInBytes get; set;











      share|improve this question
















      2 Jan 2019 - Added an extra question below



      I'm new to ADFS and is developing a site with a ADFS login, I got a basic ADFS login to work but without Encryption and Signing and I need to add that to the login. Do anyone knows how to implement this?
      and what kind og certificate can/should i use and how do i get it?



      This is my code so far:



      Default.aspx







      <html xmlns="http://www.w3.org/1999/xhtml">
      <head runat="server">
      <title></title>
      </head>
      <body>
      <form id="form1" runat="server">
      <div>
      <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
      <asp:Label runat="server" ID="lblInfo"></asp:Label>
      </div>
      </form>
      </body>
      </html>


      Default.aspx.cs



      using System;
      using System.Threading;
      using System.Web;
      using System.Web.UI;

      public partial class _Default : System.Web.UI.Page

      protected void Page_Load(object sender, EventArgs e)

      if (Page.User.Identity.IsAuthenticated)

      lblInfo.Text += "<TABLE border="1" Align="Center" CellSpacing="15" CellPadding = "15" >";
      lblInfo.Text += "<TR><TD>";
      lblInfo.Text += "<b>" + "Claim Type" + "</TD><TD>";
      lblInfo.Text += "<b>" + "Claim Value";
      lblInfo.Text += "</B></TD></TR>";

      foreach (var claim in (Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity).Claims)

      lblInfo.Text += "<TR><TD>";
      lblInfo.Text += claim.Type + "</TD><TD>";
      lblInfo.Text += claim.Value;
      lblInfo.Text += "</TD></TR>";


      lblInfo.Text += "</TABLE>";



      protected void btnLogout_Click(object sender, EventArgs e)

      var ctx = Request.GetOwinContext();
      var authenticationManager = ctx.Authentication;
      authenticationManager.SignOut();




      App_Code/RouteConfig.cs



      using System.Web.Routing;
      using Microsoft.AspNet.FriendlyUrls;

      public class RouteConfig

      public static void RegisterRoutes(RouteCollection routes)

      var settings = new FriendlyUrlSettings();
      settings.AutoRedirectMode = RedirectMode.Permanent;
      routes.EnableFriendlyUrls(settings);




      App_Code/Startup.cs



      using Owin;

      public partial class Startup

      public void Configuration(IAppBuilder app)

      ConfigureAuth(app);




      App_Code/StartupAuth.cs



using System.Configuration;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
using Microsoft.Owin.Extensions;

public partial class Startup
{
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = adfsMetadata
            });

        app.UseStageMarker(PipelineStage.Authenticate);
    }
}



      Web.config



<?xml version="1.0"?>
<configuration>
  <appSettings>
    <!-- ADFS -->
    <add key="ida:ADFSMetadata" value="https://fs-test.OurServer.me/federationmetadata/2007-06/federationmetadata.xml" />
    <add key="ida:Wtrealm" value="https://MySite" />
    <!-- ADFS -->
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5"/>
    <httpRuntime targetFramework="4.5"/>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
    <customErrors mode="Off"/>
  </system.web>
  <system.codedom>
    <compilers>
      <compiler language="c#;cs;csharp" extension=".cs"
        type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
        warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
        type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
        warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+"/>
    </compilers>
  </system.codedom>
</configuration>


      Update - 2 Jan 2019



Sorry for this late reply.
I finally had time to look through all your links; thanks, they helped me a lot, but I ran into another problem. I think I've added encryption correctly, but now I'm getting this error:



      ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.



D:\www_ADFS_SACCK_TEST_Simpel_med_encrypt_sign\App_Code\EncryptedSecurityTokenHandlerEx.cs Line: 51



A lot of sites mention that it's the thumbprint causing the problem, with some hidden characters at the beginning of the thumbprint, so I've typed it in manually, but that didn't help.



      Does anybody know what the problem can be?



      I changed some of the code so it now looks like this:



      StartupAuth.cs



using System.Configuration;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
using Microsoft.Owin.Extensions;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Collections.Generic;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System;

public partial class Startup
{
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string _MetadataAddress = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
    private static string _SignInAsAuthenticationType = "cookies";
    private const string SigningCertThumbprint = "d25xxxxxxxxxxxxxxxxxxxxxxxxxxxxf89";
    //private const string Issuer = "LOCAL AUTHORITY";
    private const string Issuer = "CN = testComp adfs";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
        });

        // Only tokens addressed to our realm are accepted.
        var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
        audienceRestriction.AllowedAudienceUris.Add(new Uri(realm));

        // Maps the token-signing certificate's thumbprint to an issuer name; an unknown thumbprint is reported as ID4175.
        var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
        issuerRegistry.AddTrustedIssuer(SigningCertThumbprint, Issuer);

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions(WsFederationAuthenticationDefaults.AuthenticationType)
        {
            Wtrealm = realm,
            MetadataAddress = _MetadataAddress,
            TokenValidationParameters = new TokenValidationParameters
            {
                AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
            },
            SecurityTokenHandlers = new SecurityTokenHandlerCollection
            {
                // Decrypts the incoming token with the private key found in the machine store.
                new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
                new SamlSecurityTokenHandlerEx
                {
                    // No chain validation of the signing certificate; trust rests entirely on the thumbprint registered above.
                    CertificateValidator = X509CertificateValidator.None,
                    Configuration = new SecurityTokenHandlerConfiguration()
                    {
                        AudienceRestriction = audienceRestriction,
                        IssuerNameRegistry = issuerRegistry
                    }
                }
            }
        });

        app.UseStageMarker(PipelineStage.Authenticate);
    }
}



      I've also added two more classes:



      SamlSecurityTokenHandlerEx.cs



using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Xml;

public class SamlSecurityTokenHandlerEx : SamlSecurityTokenHandler, ISecurityTokenValidator
{
    public override bool CanReadToken(string securityToken)
    {
        return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));
    }

    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
        out SecurityToken validatedToken)
    {
        // Parse the SAML token, then run the base handler's validation (signature, issuer registry, audience).
        validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
        return new ClaimsPrincipal(ValidateToken(validatedToken));
    }

    public int MaximumTokenSizeInBytes { get; set; }
}



      EncryptedSecurityTokenHandlerEx.cs



using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Xml;

public class EncryptedSecurityTokenHandlerEx : EncryptedSecurityTokenHandler, ISecurityTokenValidator
{
    public EncryptedSecurityTokenHandlerEx(SecurityTokenResolver securityTokenResolver)
    {
        // The resolver supplies the relying party's decryption key (the private key of the encryption certificate).
        Configuration = new SecurityTokenHandlerConfiguration
        {
            ServiceTokenResolver = securityTokenResolver
        };
    }

    public override bool CanReadToken(string securityToken)
    {
        return base.CanReadToken(new XmlTextReader(new StringReader(securityToken)));
    }

    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
    {
        validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
        if (ContainingCollection != null)
        {
            // Hand the decrypted inner token to the other handlers in the collection (the SAML handler).
            return new ClaimsPrincipal(ContainingCollection.ValidateToken(validatedToken));
        }
        return new ClaimsPrincipal(base.ValidateToken(validatedToken));
    }

    public int MaximumTokenSizeInBytes { get; set; }
}








adfs

edited Jan 2 at 14:24
asked Nov 12 '18 at 8:10
tom S

2 Answers
































          On the ADFS side, you just add the certs to the wizard under the signing and encryption tabs.



          On the client, here's a good example.



          For testing you can use a self-signed certificate.



          Going forward, you need to buy one from e.g. GoDaddy or get a free one from "Let's Encrypt".



          Good ADFS development documentation here.



          Sample using the OWIN WS-Fed stack.



          Or an older sample using WIF.



          Note these are for Azure AD but the principles are the same.






answered Nov 12 '18 at 18:21
nzpcmad
• Hi nzpcmad, thanks, will take a look at the links, hopefully I can get it to work. :)

            – tom S
            Nov 14 '18 at 7:30











• Anybody know why I'm getting this error now: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

            – tom S
            Jan 3 at 7:53











• Usually, because the thumbprint from your web.config does match the thumbprint of your token signing certificate. Sometimes you get extra characters when copying from the certificate. So copy from the certificate, paste into Notepad and then copy/paste into the web.config (assuming you are using WIF).

            – nzpcmad
            Jan 5 at 5:05











• To be sure, I checked the thumbprint against the ADFS server; it is the correct one. I also checked for the hidden characters and removed them, and to be sure I also tried to type the thumbprint in manually, which didn't help either.

            – tom S
            Jan 7 at 9:37











          • Finally, I have made it work. Your links didn't give me the solution, but it helped me think in alternative ways. I will soon post my solution to others who are in the same situation as me. :)

            – tom S
            Jan 24 at 8:39
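The question's update and the comment exchange above both turn on the same mechanism: the issuer name registry looks the token-signing certificate up by its SHA-1 thumbprint, and when that lookup returns nothing the SAML handler reports ID4175. Two things go wrong in practice: the thumbprint string picks up invisible characters (a U+200E left-to-right mark from the Windows certificate dialog, a BOM, spaces) so it never equals the computed value, or the registered thumbprint belongs to a different certificate altogether. Worth noting on that second point: in the update the thumbprint handed to AddTrustedIssuer starts with d25 and ends with f89, while in the solution below a certificate with a D...9 thumbprint is the serviceCertificate (the relying party's own decryption key) and the trusted issuer is a separate B...1 certificate; registering the encryption certificate as the issuer misses in exactly this way. The following is an added example, not code from the question or from WIF: a small Python model of ConfigurationBasedIssuerNameRegistry with a normalizer that strips what copy/paste adds and rejects anything that is not 40 hex digits. The certificate byte strings (SIGNING_CERT_DER, ENCRYPTION_CERT_DER), the issuer URL and all function names are constructed for the example; the thumbprint math is the real one (SHA-1 over the DER bytes, which is what the certificate snap-in displays).

```python
import hashlib
import re
import unicodedata

# Constructed stand-ins for DER-encoded certificates. Any bytes serve for the thumbprint
# arithmetic, since Windows shows SHA-1 over the DER encoding; these are not real certificates.
SIGNING_CERT_DER = b"constructed: ADFS token-signing certificate (DER)"
ENCRYPTION_CERT_DER = b"constructed: relying party token-encryption certificate (DER)"


def thumbprint_of(der: bytes) -> str:
    """Thumbprint as the certificate MMC snap-in displays it: SHA-1 of the DER bytes, hex."""
    return hashlib.sha1(der).hexdigest()


def normalize_thumbprint(raw: str) -> str:
    """Drop what copy/paste smuggles in (Unicode format characters such as U+200E and U+FEFF,
    spaces, control characters, colon separators), lower-case the rest and insist on exactly
    40 hex digits. Anything else raises instead of silently never matching."""
    kept = "".join(ch for ch in raw
                   if unicodedata.category(ch) not in ("Cf", "Zs", "Cc") and ch != ":")
    kept = kept.lower()
    if not re.fullmatch(r"[0-9a-f]{40}", kept):
        raise ValueError(f"not a SHA-1 thumbprint after cleanup: {kept!r}")
    return kept


def is_valid_thumbprint(raw: str) -> bool:
    """Config-time check: does this string normalize to a usable thumbprint at all?"""
    try:
        normalize_thumbprint(raw)
        return True
    except ValueError:
        return False


class IssuerNameRegistry:
    """Python model of ConfigurationBasedIssuerNameRegistry: thumbprint -> issuer name,
    None for an unknown signing certificate. In WIF a null/empty result from GetIssuerName
    is what the SAML handler reports as ID4175."""

    def __init__(self, trusted: dict):
        # Normalizing at load time turns a pasted thumbprint with hidden characters into
        # a hard error instead of a silent lookup miss at sign-in.
        self._by_thumbprint = {normalize_thumbprint(tp): name for tp, name in trusted.items()}

    def get_issuer_name(self, signing_cert_der: bytes):
        return self._by_thumbprint.get(thumbprint_of(signing_cert_der))


def check_token_issuer(registry: IssuerNameRegistry, signing_cert_der: bytes):
    """(True, issuer_name) when the signing certificate is trusted, else (False, diagnostic)."""
    name = registry.get_issuer_name(signing_cert_der)
    if not name:
        return False, ("ID4175: issuer not recognized; signing certificate thumbprint "
                       f"{thumbprint_of(signing_cert_der)} is not in the registry")
    return True, name


if __name__ == "__main__":
    issuer = "http://fs.example.test/adfs/services/trust"  # constructed issuer name
    right = IssuerNameRegistry({thumbprint_of(SIGNING_CERT_DER): issuer})
    # The mistake the thumbprints on this page suggest: the encryption certificate registered as issuer.
    wrong = IssuerNameRegistry({thumbprint_of(ENCRYPTION_CERT_DER): issuer})
    print(check_token_issuer(right, SIGNING_CERT_DER))
    print(check_token_issuer(wrong, SIGNING_CERT_DER))
```

Run against a real deployment, the equivalent check is: compute the thumbprint of the certificate ADFS publishes as its token-signing certificate in federation metadata, normalize the value in the trusted-issuer entry the same way, and compare; if the normalizer rejects the configured value, the problem is the string, and if it accepts it but the values differ, the wrong certificate is registered.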
































          This is my solution, and this works for me. :)



          Default.aspx







          <html xmlns="http://www.w3.org/1999/xhtml">
          <head runat="server">
          <title></title>
          </head>
          <body>
          <form id="form1" runat="server">
          <div>
          <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
          <asp:Label runat="server" ID="lblInfo"></asp:Label>
          </div>
          </form>
          </body>
          </html>


          Default.aspx.cs



using System;
using System.Threading;
using System.Web;
using System.Web.UI;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Page.User.Identity.IsAuthenticated)
        {
            // Render every claim of the authenticated principal as a table.
            lblInfo.Text += "<TABLE border=\"1\" Align=\"Center\" CellSpacing=\"15\" CellPadding=\"15\">";
            lblInfo.Text += "<TR><TD>";
            lblInfo.Text += "<b>" + "Claim Type" + "</b></TD><TD>";
            lblInfo.Text += "<b>" + "Claim Value";
            lblInfo.Text += "</b></TD></TR>";

            foreach (var claim in (Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity).Claims)
            {
                // Claim values come from the token; HTML-encode them before writing them into the page.
                lblInfo.Text += "<TR><TD>";
                lblInfo.Text += HttpUtility.HtmlEncode(claim.Type) + "</TD><TD>";
                lblInfo.Text += HttpUtility.HtmlEncode(claim.Value);
                lblInfo.Text += "</TD></TR>";
            }

            lblInfo.Text += "</TABLE>";
        }
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        // Sign out of the OWIN cookie / WS-Federation middleware.
        var ctx = Request.GetOwinContext();
        var authenticationManager = ctx.Authentication;
        authenticationManager.SignOut();
    }
}



          App_Code/RouteConfig.cs



using System.Web.Routing;
using Microsoft.AspNet.FriendlyUrls;

public class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        var settings = new FriendlyUrlSettings();
        settings.AutoRedirectMode = RedirectMode.Permanent;
        routes.EnableFriendlyUrls(settings);
    }
}



          App_Code/Startup.cs



using Owin;
using System;
using System.Configuration;
using System.IdentityModel.Metadata;
using System.IdentityModel.Services;
using System.ServiceModel.Security;
using System.Xml;

public partial class Startup
{
    private static readonly string ConfigAddress = AppDomain.CurrentDomain.BaseDirectory + "\\" + "Web.config";

    public void Configuration(IAppBuilder app)
    {
        string stsMetadataAddress = ComputeStsMetadataAddress();
        XmlReader updatedConfigReader = null;

        // Fetch the STS federation metadata and merge its trust information (token-signing
        // certificate thumbprint and issuer name) into this application's Web.config.
        using (XmlReader metadataReader = XmlReader.Create(stsMetadataAddress))
        {
            using (XmlReader configReader = XmlReader.Create(ConfigAddress))
            {
                MetadataSerializer serializer = new MetadataSerializer()
                {
                    // Validation mode applied to the certificate that signed the metadata document.
                    CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust,
                };

                updatedConfigReader = FederationManagement.UpdateIdentityProviderTrustInfo(metadataReader, configReader, false, serializer);
            }
        }

        using (updatedConfigReader)
        {
            XmlDocument xmlUpdatedConfig = new XmlDocument();
            xmlUpdatedConfig.Load(updatedConfigReader);

            // Writing Web.config back triggers an application restart with the refreshed trust settings.
            xmlUpdatedConfig.Save(ConfigAddress);
        }

        ConfigureAuth(app);
    }

    private static string ComputeStsMetadataAddress()
    {
        // Build the metadata URL from the configured WS-Federation issuer plus the MetaDataPath app setting.
        string stsIssuerAddress = FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Issuer;
        return new UriBuilder(stsIssuerAddress) { Path = ConfigurationManager.AppSettings["MetaDataPath"] }.Uri.AbsoluteUri;
    }
}



          App_Code/StartupAuth.cs



using System.Configuration;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
using Microsoft.Owin.Extensions;

public partial class Startup
{
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = adfsMetadata
            });

        app.UseStageMarker(PipelineStage.Authenticate);
    }
}



          Web.config



<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <appSettings>
    <add key="UseADFS" value="True"/>
    <add key="ida:ADFSMetadata" value="https://fs.ourserver.com/federationmetadata/2007-06/federationmetadata.xml" />
    <add key="ida:Wtrealm" value="https://example" />
    <add key="MetaDataPath" value="federationmetadata/2007-06/federationmetadata.xml" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5">
      <assemblies>
        <add assembly="System.Web.Mvc, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
        <add assembly="System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      </assemblies>
    </compilation>
    <httpRuntime targetFramework="4.5" />
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://example" />
      </audienceUris>
      <certificateValidation certificateValidationMode="PeerOrChainTrust" />
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1" name="http://fs.ourserver.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation passiveRedirectEnabled="true" issuer="https://fs.ourserver.com/adfs/ls/" realm="https://example" requireHttps="false" />
      <cookieHandler requireSsl="false" />
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint" findValue="DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9" storeLocation="LocalMachine" />
      </serviceCertificate>
    </federationConfiguration>
  </system.identityModel.services>
  <system.codedom>
    <compilers>
      <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701" />
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+" />
    </compilers>
  </system.codedom>
  <connectionStrings>
  </connectionStrings>
</configuration>
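The solution above works, but several of its Web.config values are test-environment settings that a reviewer would flag before the site goes to production: `requireHttps="false"` on `wsFederation` lets the sign-in round trip and the posted token travel over plain HTTP, `requireSsl="false"` on `cookieHandler` issues the FedAuth session cookie without the Secure flag, and `debug="true"` with `customErrors mode="Off"` is what put the full ID4175 stack trace on screen in the first place. A separate caveat on the Startup.cs approach: the trust anchors in Web.config are rewritten from whatever the metadata URL serves at every start, so that URL must stay HTTPS and the serializer's certificate validation mode is the only check on who signed the metadata. The following is an added example, not part of the answer or of WIF: a Python audit that parses a constructed Web.config modelled on the one above (placeholder hosts `rp.example.test` and `fs.example.test`, a constructed 40-hex thumbprint carrying a leading U+200E of the kind discussed in the comments) and lists the weak settings, then shows the same file with those attributes corrected producing no findings. Defaults in the checks (`requireHttps` and `requireSsl` default to true when absent) are WIF's documented defaults.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Web.config fragment modelled on the solution above (hosts, realm and thumbprint are
# placeholders). The thumbprint starts with U+200E, the left-to-right mark that the Windows
# certificate dialog puts in front of a copied value.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <customErrors mode="Off" />
  </system.web>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris><add value="https://rp.example.test/" /></audienceUris>
      <certificateValidation certificateValidationMode="PeerOrChainTrust" />
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel">
        <trustedIssuers>
          <add thumbprint="\u200e0123456789abcdef0123456789abcdef01234567" name="http://fs.example.test/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation passiveRedirectEnabled="true" issuer="https://fs.example.test/adfs/ls/" realm="https://rp.example.test/" requireHttps="false" />
      <cookieHandler requireSsl="false" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
"""

# The same file with the production values: only the flagged attributes change.
HARDENED_CONFIG = (WEAK_CONFIG
                   .replace('requireHttps="false"', 'requireHttps="true"')
                   .replace('requireSsl="false"', 'requireSsl="true"')
                   .replace('debug="true"', 'debug="false"')
                   .replace('mode="Off"', 'mode="RemoteOnly"')
                   .replace("\u200e", ""))

HEX40 = re.compile(r"[0-9A-Fa-f]{40}")


def audit_federation_config(xml_text: str) -> list:
    """Return 'CODE: explanation' findings for weak WIF / WS-Federation settings in a Web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("wsFederation"):
        # WIF default is true; false allows the sign-in redirect and token POST over plain HTTP.
        if el.get("requireHttps", "true").lower() != "true":
            findings.append("WSFED-REQUIREHTTPS: wsFederation requireHttps is false; the sign-in round trip "
                            "and the posted token may use plain HTTP")
    for el in root.iter("cookieHandler"):
        if el.get("requireSsl", "true").lower() != "true":
            findings.append("COOKIE-REQUIRESSL: cookieHandler requireSsl is false; the FedAuth session "
                            "cookie is issued without the Secure flag")
    for el in root.iter("certificateValidation"):
        if el.get("certificateValidationMode", "") == "None":
            findings.append("CERTVALIDATION-NONE: certificateValidationMode None skips peer/chain trust "
                            "checks on the token-signing certificate")
    for el in root.iter("compilation"):
        if el.get("debug", "false").lower() == "true":
            findings.append("COMPILATION-DEBUG: compilation debug is true; a development-only setting")
    for el in root.iter("customErrors"):
        if el.get("mode", "").lower() == "off":
            findings.append("CUSTOMERRORS-OFF: customErrors Off shows full stack traces (such as the "
                            "ID4175 page) to remote clients")
    for issuers in root.iter("trustedIssuers"):
        for add in issuers.findall("add"):
            tp = add.get("thumbprint", "")
            # A hidden character here never matches the computed thumbprint and surfaces as ID4175.
            if not HEX40.fullmatch(tp):
                findings.append(f"ISSUER-THUMBPRINT: thumbprint {tp!r} is not 40 hex characters "
                                f"({len(tp)} chars); the issuer registry lookup will miss")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_federation_config(cfg) or ["no findings"])
```

The codes before the colon are constructed for this example so the output can be grepped; the `repr` in the thumbprint finding is deliberate, since it renders the U+200E as `\u200e` and makes an otherwise invisible character visible in the report.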





            0














            This is my solution, and this works for me. :)



            Default.aspx







            <html xmlns="http://www.w3.org/1999/xhtml">
            <head runat="server">
            <title></title>
            </head>
            <body>
            <form id="form1" runat="server">
            <div>
            <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
            <asp:Label runat="server" ID="lblInfo"></asp:Label>
            </div>
            </form>
            </body>
            </html>


            Default.aspx.cs



            using System;
            using System.Security.Claims;
            using System.Threading;
            using System.Web;
            using System.Web.UI;

            public partial class _Default : System.Web.UI.Page
            {
                protected void Page_Load(object sender, EventArgs e)
                {
                    if (Page.User.Identity.IsAuthenticated)
                    {
                        lblInfo.Text += "<TABLE border=\"1\" Align=\"Center\" CellSpacing=\"15\" CellPadding=\"15\">";
                        lblInfo.Text += "<TR><TD><b>Claim Type</b></TD><TD><b>Claim Value</b></TD></TR>";

                        // Claim types and values come from the token issued by ADFS, so HTML-encode them before rendering.
                        foreach (var claim in (Thread.CurrentPrincipal.Identity as ClaimsIdentity).Claims)
                        {
                            lblInfo.Text += "<TR><TD>";
                            lblInfo.Text += HttpUtility.HtmlEncode(claim.Type) + "</TD><TD>";
                            lblInfo.Text += HttpUtility.HtmlEncode(claim.Value);
                            lblInfo.Text += "</TD></TR>";
                        }

                        lblInfo.Text += "</TABLE>";
                    }
                }

                protected void btnLogout_Click(object sender, EventArgs e)
                {
                    var ctx = Request.GetOwinContext();
                    var authenticationManager = ctx.Authentication;
                    authenticationManager.SignOut();
                }
            }




            App_Code/RouteConfig.cs



            using System.Web.Routing;
            using Microsoft.AspNet.FriendlyUrls;

            public class RouteConfig
            {
                public static void RegisterRoutes(RouteCollection routes)
                {
                    var settings = new FriendlyUrlSettings();
                    settings.AutoRedirectMode = RedirectMode.Permanent;
                    routes.EnableFriendlyUrls(settings);
                }
            }




            App_Code/Startup.cs



            using Owin;
            using System;
            using System.Configuration;
            using System.IdentityModel.Metadata;
            using System.IdentityModel.Services;
            using System.IO;
            using System.ServiceModel.Security;
            using System.Xml;

            public partial class Startup
            {
                private static readonly string ConfigAddress = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Web.config");

                public void Configuration(IAppBuilder app)
                {
                    // Read the current token-signing certificate from the ADFS federation metadata and
                    // rewrite the <trustedIssuers> entry in Web.config with it, so the thumbprint never
                    // has to be pasted by hand (the cause of the ID4175 error discussed above).
                    string stsMetadataAddress = ComputeStsMetadataAddress();
                    XmlReader updatedConfigReader = null;

                    using (XmlReader metadataReader = XmlReader.Create(stsMetadataAddress))
                    using (XmlReader configReader = XmlReader.Create(ConfigAddress))
                    {
                        // PeerOrChainTrust applies to the certificate that signed the metadata document:
                        // it must chain to a trusted root or sit in the Trusted People store.
                        MetadataSerializer serializer = new MetadataSerializer()
                        {
                            CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust,
                        };

                        updatedConfigReader = FederationManagement.UpdateIdentityProviderTrustInfo(metadataReader, configReader, false, serializer);
                    }

                    using (updatedConfigReader)
                    {
                        XmlDocument xmlUpdatedConfig = new XmlDocument();
                        xmlUpdatedConfig.Load(updatedConfigReader);
                        // Saving Web.config makes ASP.NET recycle the application, which then starts with the updated trust settings.
                        xmlUpdatedConfig.Save(ConfigAddress);
                    }

                    ConfigureAuth(app);
                }

                private static string ComputeStsMetadataAddress()
                {
                    string stsIssuerAddress = FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Issuer;
                    return new UriBuilder(stsIssuerAddress) { Path = ConfigurationManager.AppSettings["MetaDataPath"] }.Uri.AbsoluteUri;
                }
            }




            App_Code/StartupAuth.cs



            using System.Configuration;
            using Microsoft.Owin.Security;
            using Microsoft.Owin.Security.Cookies;
            using Microsoft.Owin.Security.WsFederation;
            using Owin;
            using Microsoft.Owin.Extensions;

            public partial class Startup
            {
                private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
                private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

                public void ConfigureAuth(IAppBuilder app)
                {
                    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

                    app.UseCookieAuthentication(new CookieAuthenticationOptions());

                    app.UseWsFederationAuthentication(
                        new WsFederationAuthenticationOptions
                        {
                            Wtrealm = realm,
                            MetadataAddress = adfsMetadata
                        });

                    app.UseStageMarker(PipelineStage.Authenticate);
                }
            }




            Web.config



            <?xml version="1.0"?>
            <configuration>
            <configSections>
            <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
            <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
            </configSections>
            <appSettings>
            <add key="UseADFS" value="True"/>
            <add key="ida:ADFSMetadata" value="https://fs.ourserver.com/federationmetadata/2007-06/federationmetadata.xml" />
            <add key="ida:Wtrealm" value="https://example" />
            <add key="MetaDataPath" value="federationmetadata/2007-06/federationmetadata.xml" />
            </appSettings>
            <system.web>
            <!-- debug="true" and customErrors mode="Off" are development settings; they expose compiler and stack-trace detail and should be reverted before the site is reachable by others. -->
            <compilation debug="true" targetFramework="4.5">
            <assemblies>
            <add assembly="System.Web.Mvc, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
            <add assembly="System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
            </assemblies>
            </compilation>
            <httpRuntime targetFramework="4.5" />
            <authorization>
            <deny users="?" />
            <allow users="*" />
            </authorization>
            <customErrors mode="Off" />
            </system.web>
            <system.webServer>
            <modules>
            <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
            <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
            </modules>
            </system.webServer>
            <system.identityModel>
            <identityConfiguration>
            <audienceUris>
            <add value="https://example" />
            </audienceUris>
            <certificateValidation certificateValidationMode="PeerOrChainTrust" />
            <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
            <trustedIssuers>
            <add thumbprint="BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1" name="http://fs.ourserver.com/adfs/services/trust" />
            </trustedIssuers>
            </issuerNameRegistry>
            </identityConfiguration>
            </system.identityModel>
            <system.identityModel.services>
            <federationConfiguration>
            <!-- requireHttps="false" and requireSsl="false" allow the sign-in round trip and the session cookie over plain HTTP; set both to true outside local development. -->
            <wsFederation passiveRedirectEnabled="true" issuer="https://fs.ourserver.com/adfs/ls/" realm="https://example" requireHttps="false" />
            <cookieHandler requireSsl="false" />
            <!-- The relying party's own certificate: its private key decrypts tokens that ADFS encrypts for this realm, so the application pool identity needs read access to that key. -->
            <serviceCertificate>
            <certificateReference x509FindType="FindByThumbprint" findValue="DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9" storeLocation="LocalMachine" />
            </serviceCertificate>
            </federationConfiguration>
            </system.identityModel.services>
            <system.codedom>
            <compilers>
            <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701" />
            <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+" />
            </compilers>
            </system.codedom>
            <connectionStrings>
            </connectionStrings>
            </configuration>





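As an added check for the ID4175 thread above (example code, not from the answer or any project): this script computes the SHA-1 thumbprint of the signing certificate published in ADFS federation metadata and compares it with the <trustedIssuers> entries in web.config after stripping the hidden characters a copy/paste from the certificate dialog introduces, and flags a name that is not the Federation Service entityID. The metadata, certificate bytes and config fragment are constructed samples.

```python
import base64
import hashlib
import re
import unicodedata
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder: real metadata carries the DER-encoded token-signing
# certificate here; any bytes serve to demonstrate the thumbprint check.
SAMPLE_SIGNING_DER = b"constructed placeholder for the ADFS token-signing certificate"
SAMPLE_ENTITY_ID = "http://fs.example.test/adfs/services/trust"

# Constructed, minimal federation metadata in the shape ADFS publishes.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD_NS}" entityID="{SAMPLE_ENTITY_ID}">
  <RoleDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data>
        <X509Certificate>{base64.b64encode(SAMPLE_SIGNING_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
"""

_GOOD = hashlib.sha1(SAMPLE_SIGNING_DER).hexdigest()

# Constructed web.config fragment. Entry 1 is a typical paste from the certificate
# dialog (leading U+200E mark, a space, lower case); entry 2 is a stale thumbprint
# whose name points at the /adfs/ls/ endpoint instead of the service identifier.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.identityModel><identityConfiguration>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel">
      <trustedIssuers>
        <add thumbprint="\u200e{_GOOD[:8]} {_GOOD[8:]}" name="{SAMPLE_ENTITY_ID}" />
        <add thumbprint="{'0' * 40}" name="https://fs.example.test/adfs/ls/" />
      </trustedIssuers>
    </issuerNameRegistry>
  </identityConfiguration></system.identityModel>
</configuration>
"""

def normalize_thumbprint(value):
    """Drop whitespace and invisible format/control characters (the usual cause of
    ID4175 after copy/paste), upper-case, and require exactly 40 hex digits."""
    cleaned = "".join(
        ch for ch in value
        if not ch.isspace() and unicodedata.category(ch) not in ("Cf", "Cc")
    ).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a SHA-1 thumbprint after cleanup: %r" % value)
    return cleaned

def signing_thumbprints(metadata_xml):
    """SHA-1 thumbprints (as the Windows certificate dialog shows them) of every
    certificate advertised with use="signing" in the federation metadata."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            found.append(hashlib.sha1(der).hexdigest().upper())
    return found

def configured_issuers(web_config_xml):
    """(thumbprint, name) pairs from every <trustedIssuers><add/> in web.config."""
    root = ET.fromstring(web_config_xml)
    return [(add.get("thumbprint", ""), add.get("name", ""))
            for ti in root.iter("trustedIssuers") for add in ti.findall("add")]

def check_trusted_issuers(metadata_xml, web_config_xml):
    """Report, per configured issuer, whether its cleaned thumbprint matches a
    signing certificate in the metadata and whether its name is the entityID."""
    trusted = set(signing_thumbprints(metadata_xml))
    entity_id = ET.fromstring(metadata_xml).get("entityID")
    report = []
    for raw, name in configured_issuers(web_config_xml):
        try:
            cleaned = normalize_thumbprint(raw)
        except ValueError:
            cleaned = None
        report.append({
            "configured": raw,
            "cleaned": cleaned,
            "needs_cleanup": cleaned is not None and cleaned != raw,
            "thumbprint_ok": cleaned in trusted,
            "name_ok": name == entity_id,
        })
    return report
```

Point the two sample strings at a real metadata download and the real web.config to run the same check against a live relying party.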



























              0














              This is my solution, and this works for me. :)



              Default.aspx







              <html xmlns="http://www.w3.org/1999/xhtml">
              <head runat="server">
              <title></title>
              </head>
              <body>
              <form id="form1" runat="server">
              <div>
              <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
              <asp:Label runat="server" ID="lblInfo"></asp:Label>
              </div>
              </form>
              </body>
              </html>


              Default.aspx.cs



              using System;
              using System.Threading;
              using System.Web;
              using System.Web.UI;

              public partial class _Default : System.Web.UI.Page

              protected void Page_Load(object sender, EventArgs e)

              if (Page.User.Identity.IsAuthenticated)

              lblInfo.Text += "<TABLE border="1" Align="Center" CellSpacing="15" CellPadding = "15" >";
              lblInfo.Text += "<TR><TD>";
              lblInfo.Text += "<b>" + "Claim Type" + "</TD><TD>";
              lblInfo.Text += "<b>" + "Claim Value";
              lblInfo.Text += "</B></TD></TR>";

              foreach (var claim in (Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity).Claims)

              lblInfo.Text += "<TR><TD>";
              lblInfo.Text += claim.Type + "</TD><TD>";
              lblInfo.Text += claim.Value;
              lblInfo.Text += "</TD></TR>";


              lblInfo.Text += "</TABLE>";



              protected void btnLogout_Click(object sender, EventArgs e)

              var ctx = Request.GetOwinContext();
              var authenticationManager = ctx.Authentication;
              authenticationManager.SignOut();




              App_Code/RouteConfig.cs



              using System.Web.Routing;
              using Microsoft.AspNet.FriendlyUrls;

              public class RouteConfig

              public static void RegisterRoutes(RouteCollection routes)

              var settings = new FriendlyUrlSettings();
              settings.AutoRedirectMode = RedirectMode.Permanent;
              routes.EnableFriendlyUrls(settings);




              App_Code/Startup.cs



              using Owin;
              using System;
              using System.Configuration;
              using System.IdentityModel.Metadata;
              using System.IdentityModel.Services;
              using System.ServiceModel.Security;
              using System.Xml;

              public partial class Startup

              private static readonly string ConfigAddress = AppDomain.CurrentDomain.BaseDirectory + "\" + "Web.config";

              public void Configuration(IAppBuilder app)

              string stsMetadataAddress = ComputeStsMetadataAddress();
              XmlDocument xmlConfig = new XmlDocument();
              XmlReader updatedConfigReader = null;

              using (XmlReader metadataReader = XmlReader.Create(stsMetadataAddress))

              using (XmlReader configReader = XmlReader.Create(ConfigAddress))

              MetadataSerializer serializer = new MetadataSerializer()

              CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust,
              ;

              updatedConfigReader = FederationManagement.UpdateIdentityProviderTrustInfo(metadataReader, configReader, false, serializer);



              using (updatedConfigReader)

              XmlDocument xmlUpdatedConfig = new XmlDocument();
              xmlUpdatedConfig.Load(updatedConfigReader);

              xmlUpdatedConfig.Save(ConfigAddress);


              ConfigureAuth(app);


              private static string ComputeStsMetadataAddress()

              string stsIssuerAddress = FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Issuer;
              return new UriBuilder(stsIssuerAddress) Path = ConfigurationManager.AppSettings["MetaDataPath"] .Uri.AbsoluteUri;




              App_Code/StartupAuth.cs



              using System.Configuration;
              using Microsoft.Owin.Security;
              using Microsoft.Owin.Security.Cookies;
              using Microsoft.Owin.Security.WsFederation;
              using Owin;
              using Microsoft.Owin.Extensions;

              public partial class Startup

              private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
              private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

              public void ConfigureAuth(IAppBuilder app)

              app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

              app.UseCookieAuthentication(new CookieAuthenticationOptions());

              app.UseWsFederationAuthentication(
              new WsFederationAuthenticationOptions

              Wtrealm = realm,
              MetadataAddress = adfsMetadata
              );

              app.UseStageMarker(PipelineStage.Authenticate);




              Web.config



              <?xml version="1.0"?>
              <configuration>
              <configSections>
              <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
              <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
              </configSections>
              <appSettings>
              <add key="UseADFS" value="True"/>
              <add key="ida:ADFSMetadata" value="https://fs.ourserver.com/federationmetadata/2007-06/federationmetadata.xml" />
              <add key="ida:Wtrealm" value="https://example" />
              <add key="MetaDataPath" value="federationmetadata/2007-06/federationmetadata.xml" />
              </appSettings>
              <system.web>
              <compilation debug="true" targetFramework="4.5">
              <assemblies>
              <add assembly="System.Web.Mvc, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
              <add assembly="System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
              </assemblies>
              </compilation>
              <httpRuntime targetFramework="4.5" />
              <authorization>
              <deny users="?" />
              <allow users="*" />
              </authorization>
              <customErrors mode="Off" />
              </system.web>
              <system.webServer>
              <modules>
              <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
              <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
              </modules>
              </system.webServer>
              <system.identityModel>
              <identityConfiguration>
              <audienceUris>
              <add value="https://example" />
              </audienceUris>
              <certificateValidation certificateValidationMode="PeerOrChainTrust" />
              <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
              <trustedIssuers>
              <add thumbprint="BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1" name="http://fs.ourserver.com/adfs/services/trust" />
              </trustedIssuers>
              </issuerNameRegistry>
              </identityConfiguration>
              </system.identityModel>
              <system.identityModel.services>
              <federationConfiguration>
              <wsFederation passiveRedirectEnabled="true" issuer="https://fs.ourserver.com/adfs/ls/" realm="https://example" requireHttps="false" />
              <cookieHandler requireSsl="false" />
              <serviceCertificate>
              <certificateReference x509FindType="FindByThumbprint" findValue="DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9" storeLocation="LocalMachine" />
              </serviceCertificate>
              </federationConfiguration>
              </system.identityModel.services>
              <system.codedom>
              <compilers>
              <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701" />
              <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+" />
              </compilers>
              </system.codedom>
              <connectionStrings>
              </connectionStrings>
              </configuration>





              share|improve this answer

























                0












                0








                0







                This is my solution, and this works for me. :)



                Default.aspx







                <html xmlns="http://www.w3.org/1999/xhtml">
                <head runat="server">
                <title></title>
                </head>
                <body>
                <form id="form1" runat="server">
                <div>
                <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
                <asp:Label runat="server" ID="lblInfo"></asp:Label>
                </div>
                </form>
                </body>
                </html>


                Default.aspx.cs



                using System;
                using System.Threading;
                using System.Web;
                using System.Web.UI;

                public partial class _Default : System.Web.UI.Page

                protected void Page_Load(object sender, EventArgs e)

                if (Page.User.Identity.IsAuthenticated)

                lblInfo.Text += "<TABLE border="1" Align="Center" CellSpacing="15" CellPadding = "15" >";
                lblInfo.Text += "<TR><TD>";
                lblInfo.Text += "<b>" + "Claim Type" + "</TD><TD>";
                lblInfo.Text += "<b>" + "Claim Value";
                lblInfo.Text += "</B></TD></TR>";

                foreach (var claim in (Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity).Claims)

                lblInfo.Text += "<TR><TD>";
                lblInfo.Text += claim.Type + "</TD><TD>";
                lblInfo.Text += claim.Value;
                lblInfo.Text += "</TD></TR>";


                lblInfo.Text += "</TABLE>";



                protected void btnLogout_Click(object sender, EventArgs e)

                var ctx = Request.GetOwinContext();
                var authenticationManager = ctx.Authentication;
                authenticationManager.SignOut();




                App_Code/RouteConfig.cs



                using System.Web.Routing;
                using Microsoft.AspNet.FriendlyUrls;

                public class RouteConfig

                public static void RegisterRoutes(RouteCollection routes)

                var settings = new FriendlyUrlSettings();
                settings.AutoRedirectMode = RedirectMode.Permanent;
                routes.EnableFriendlyUrls(settings);




                App_Code/Startup.cs



                using Owin;
                using System;
                using System.Configuration;
                using System.IdentityModel.Metadata;
                using System.IdentityModel.Services;
                using System.ServiceModel.Security;
                using System.Xml;

                public partial class Startup

                private static readonly string ConfigAddress = AppDomain.CurrentDomain.BaseDirectory + "\" + "Web.config";

                public void Configuration(IAppBuilder app)

                string stsMetadataAddress = ComputeStsMetadataAddress();
                XmlDocument xmlConfig = new XmlDocument();
                XmlReader updatedConfigReader = null;

                using (XmlReader metadataReader = XmlReader.Create(stsMetadataAddress))

                using (XmlReader configReader = XmlReader.Create(ConfigAddress))

                MetadataSerializer serializer = new MetadataSerializer()

                CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust,
                ;

                updatedConfigReader = FederationManagement.UpdateIdentityProviderTrustInfo(metadataReader, configReader, false, serializer);



                using (updatedConfigReader)

                XmlDocument xmlUpdatedConfig = new XmlDocument();
                xmlUpdatedConfig.Load(updatedConfigReader);

                xmlUpdatedConfig.Save(ConfigAddress);


                ConfigureAuth(app);


                private static string ComputeStsMetadataAddress()

                string stsIssuerAddress = FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Issuer;
                return new UriBuilder(stsIssuerAddress) Path = ConfigurationManager.AppSettings["MetaDataPath"] .Uri.AbsoluteUri;




                App_Code/StartupAuth.cs



                using System.Configuration;
                using Microsoft.Owin.Security;
                using Microsoft.Owin.Security.Cookies;
                using Microsoft.Owin.Security.WsFederation;
                using Owin;
                using Microsoft.Owin.Extensions;

                public partial class Startup

                private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
                private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

                public void ConfigureAuth(IAppBuilder app)

                app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

                app.UseCookieAuthentication(new CookieAuthenticationOptions());

                app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions

                Wtrealm = realm,
                MetadataAddress = adfsMetadata
                );

                app.UseStageMarker(PipelineStage.Authenticate);




                Web.config



                <?xml version="1.0"?>
                <configuration>
                <configSections>
                <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
                <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
                </configSections>
                <appSettings>
                <add key="UseADFS" value="True"/>
                <add key="ida:ADFSMetadata" value="https://fs.ourserver.com/federationmetadata/2007-06/federationmetadata.xml" />
                <add key="ida:Wtrealm" value="https://example" />
                <add key="MetaDataPath" value="federationmetadata/2007-06/federationmetadata.xml" />
                </appSettings>
                <system.web>
                <compilation debug="true" targetFramework="4.5">
                <assemblies>
                <add assembly="System.Web.Mvc, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
                <add assembly="System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
                </assemblies>
                </compilation>
                <httpRuntime targetFramework="4.5" />
                <authorization>
                <deny users="?" />
                <allow users="*" />
                </authorization>
                <customErrors mode="Off" />
                </system.web>
                <system.webServer>
                <modules>
                <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
                <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
                </modules>
                </system.webServer>
                <system.identityModel>
                <identityConfiguration>
                <audienceUris>
                <add value="https://example" />
                </audienceUris>
                <certificateValidation certificateValidationMode="PeerOrChainTrust" />
                <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
                <trustedIssuers>
                <add thumbprint="BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1" name="http://fs.ourserver.com/adfs/services/trust" />
                </trustedIssuers>
                </issuerNameRegistry>
                </identityConfiguration>
                </system.identityModel>
                <system.identityModel.services>
                <federationConfiguration>
                <wsFederation passiveRedirectEnabled="true" issuer="https://fs.ourserver.com/adfs/ls/" realm="https://example" requireHttps="false" />
                <cookieHandler requireSsl="false" />
                <serviceCertificate>
                <certificateReference x509FindType="FindByThumbprint" findValue="DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9" storeLocation="LocalMachine" />
                </serviceCertificate>
                </federationConfiguration>
                </system.identityModel.services>
                <system.codedom>
                <compilers>
                <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701" />
                <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+" />
                </compilers>
                </system.codedom>
                <connectionStrings>
                </connectionStrings>
                </configuration>





                share|improve this answer













                This is my solution, and this works for me. :)



                Default.aspx







                <html xmlns="http://www.w3.org/1999/xhtml">
                <head runat="server">
                <title></title>
                </head>
                <body>
                <form id="form1" runat="server">
                <div>
                <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
                <asp:Label runat="server" ID="lblInfo"></asp:Label>
                </div>
                </form>
                </body>
                </html>


                Default.aspx.cs



using System;
using System.Security.Claims;
using System.Threading;
using System.Web;
using System.Web.UI;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Page.User.Identity.IsAuthenticated)
        {
            lblInfo.Text += "<TABLE border=\"1\" Align=\"Center\" CellSpacing=\"15\" CellPadding=\"15\">";
            lblInfo.Text += "<TR><TD><b>Claim Type</b></TD><TD><b>Claim Value</b></TD></TR>";

            // Claim types and values come from the issued token, so HTML-encode
            // them before writing them into the page.
            foreach (var claim in (Thread.CurrentPrincipal.Identity as ClaimsIdentity).Claims)
            {
                lblInfo.Text += "<TR><TD>";
                lblInfo.Text += HttpUtility.HtmlEncode(claim.Type) + "</TD><TD>";
                lblInfo.Text += HttpUtility.HtmlEncode(claim.Value);
                lblInfo.Text += "</TD></TR>";
            }

            lblInfo.Text += "</TABLE>";
        }
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        // Ends the OWIN cookie session (GetOwinContext comes from Microsoft.Owin.Host.SystemWeb).
        var ctx = Request.GetOwinContext();
        var authenticationManager = ctx.Authentication;
        authenticationManager.SignOut();
    }
}


                App_Code/RouteConfig.cs



using System.Web.Routing;
using Microsoft.AspNet.FriendlyUrls;

public class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        var settings = new FriendlyUrlSettings();
        settings.AutoRedirectMode = RedirectMode.Permanent;
        routes.EnableFriendlyUrls(settings);
    }
}


                App_Code/Startup.cs



using Owin;
using System;
using System.Configuration;
using System.IdentityModel.Metadata;
using System.IdentityModel.Services;
using System.IO;
using System.ServiceModel.Security;
using System.Xml;

public partial class Startup
{
    private static readonly string ConfigAddress =
        Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Web.config");

    public void Configuration(IAppBuilder app)
    {
        // Read the current token-signing certificates from the ADFS federation
        // metadata and write them into <trustedIssuers>, so a signing-certificate
        // rollover on the ADFS side does not break signature validation here.
        string stsMetadataAddress = ComputeStsMetadataAddress();
        XmlReader updatedConfigReader = null;

        using (XmlReader metadataReader = XmlReader.Create(stsMetadataAddress))
        using (XmlReader configReader = XmlReader.Create(ConfigAddress))
        {
            MetadataSerializer serializer = new MetadataSerializer
            {
                // The metadata document itself is signed; validate that
                // signing certificate against the machine trust store.
                CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust,
            };

            updatedConfigReader = FederationManagement.UpdateIdentityProviderTrustInfo(
                metadataReader, configReader, false, serializer);
        }

        using (updatedConfigReader)
        {
            XmlDocument xmlUpdatedConfig = new XmlDocument();
            xmlUpdatedConfig.Load(updatedConfigReader);
            // Rewriting Web.config makes ASP.NET recycle the application, and the
            // application pool identity needs write access to the file.
            xmlUpdatedConfig.Save(ConfigAddress);
        }

        ConfigureAuth(app);
    }

    private static string ComputeStsMetadataAddress()
    {
        string stsIssuerAddress = FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Issuer;
        return new UriBuilder(stsIssuerAddress) { Path = ConfigurationManager.AppSettings["MetaDataPath"] }.Uri.AbsoluteUri;
    }
}


                App_Code/StartupAuth.cs



using System.Configuration;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // The metadata document supplies the issuer and its token-signing keys,
        // which the WS-Federation middleware uses to verify token signatures.
        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = adfsMetadata
            });

        app.UseStageMarker(PipelineStage.Authenticate);
    }
}


                Web.config



<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <appSettings>
    <add key="UseADFS" value="True"/>
    <add key="ida:ADFSMetadata" value="https://fs.ourserver.com/federationmetadata/2007-06/federationmetadata.xml" />
    <add key="ida:Wtrealm" value="https://example" />
    <add key="MetaDataPath" value="federationmetadata/2007-06/federationmetadata.xml" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5">
      <assemblies>
        <add assembly="System.Web.Mvc, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
        <add assembly="System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      </assemblies>
    </compilation>
    <httpRuntime targetFramework="4.5" />
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://example" />
      </audienceUris>
      <certificateValidation certificateValidationMode="PeerOrChainTrust" />
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1" name="http://fs.ourserver.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation passiveRedirectEnabled="true" issuer="https://fs.ourserver.com/adfs/ls/" realm="https://example" requireHttps="false" />
      <cookieHandler requireSsl="false" />
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint" findValue="DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9" storeLocation="LocalMachine" />
      </serviceCertificate>
    </federationConfiguration>
  </system.identityModel.services>
  <system.codedom>
    <compilers>
      <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701" />
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+" />
    </compilers>
  </system.codedom>
  <connectionStrings>
  </connectionStrings>
</configuration>






                answered Jan 24 at 8:54









tom S
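The answer above relies on two trust settings that are easy to get wrong: the `<trustedIssuers>` thumbprints must cover every token-signing certificate ADFS currently publishes in its federation metadata (during a certificate rollover ADFS lists both the old and the new one, which is why the answer's Startup.cs refreshes the list from metadata), and `requireHttps="false"` / `requireSsl="false"` should not survive into production. The following stand-alone checker is an added example, not code from the answer or its project: it parses a federation metadata document, computes the SHA-1 thumbprint of each signing certificate, compares it with a Web.config, and flags the weak transport settings. The metadata, the certificate bytes and the Web.config it runs on are constructed samples (the certificate fields hold arbitrary bytes rather than real DER, which is enough to exercise the thumbprint logic, since a thumbprint is simply SHA-1 over the bytes ADFS publishes in `<X509Certificate>`).

```python
"""Offline check that a relying party's Web.config matches what ADFS publishes.

Added example (not code from the Stack Overflow answer or its project). The
metadata, the "certificates" and the Web.config below are constructed samples.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholders standing in for base64-encoded DER certificates.
CERT_CURRENT_B64 = base64.b64encode(b"constructed-primary-token-signing-cert").decode()
CERT_NEXT_B64 = base64.b64encode(b"constructed-secondary-token-signing-cert").decode()
CERT_ENC_B64 = base64.b64encode(b"constructed-token-encryption-cert").decode()


def thumbprint(cert_b64: str) -> str:
    """SHA-1 over the certificate bytes, upper-case hex without spaces: the
    form <trustedIssuers><add thumbprint=...> in Web.config expects."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


def signing_thumbprints(metadata_xml: str) -> list:
    """Thumbprints of every signing key in the federation metadata. During a
    token-signing certificate rollover ADFS lists the primary and the
    secondary certificate, and the relying party must trust both."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption keys never validate a token signature
        for cert in kd.iter("{%s}X509Certificate" % DS_NS):
            found.append(thumbprint(cert.text.strip()))
    return found


def audit(metadata_xml: str, config_xml: str) -> dict:
    """Compare Web.config with the metadata and flag weak transport settings."""
    cfg = ET.fromstring(config_xml)
    trusted = [a.get("thumbprint", "").replace(" ", "").upper()
               for ti in cfg.iter("trustedIssuers") for a in ti.findall("add")]
    published = signing_thumbprints(metadata_xml)
    weak = []
    for ws in cfg.iter("wsFederation"):
        if ws.get("requireHttps", "true").lower() == "false":
            weak.append("wsFederation requireHttps=false: the sign-in response "
                        "carrying the token is accepted over plain HTTP")
    for ch in cfg.iter("cookieHandler"):
        if ch.get("requireSsl", "true").lower() == "false":
            weak.append("cookieHandler requireSsl=false: the session cookie is "
                        "not marked Secure and can leak over HTTP")
    has_service_cert = any(ref.get("findValue")
                           for sc in cfg.iter("serviceCertificate")
                           for ref in sc.iter("certificateReference"))
    return {
        "trusted": trusted,
        # published by ADFS but not trusted here: tokens signed with it are rejected
        "missing": [t for t in published if t not in trusted],
        # trusted here but no longer published: stale entry worth removing
        "stale": [t for t in trusted if t not in published],
        "weak": weak,
        # without a service certificate, encrypted tokens cannot be decrypted
        "has_service_certificate": has_service_cert,
    }


# Constructed metadata: two signing certificates (rollover in progress) and one encryption key.
SAMPLE_METADATA = """<EntityDescriptor xmlns="%s" xmlns:ds="%s" entityID="http://fs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>""" % (MD_NS, DS_NS, CERT_CURRENT_B64, CERT_NEXT_B64, CERT_ENC_B64)

# Constructed Web.config: trusts only the current certificate and keeps the weak settings.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.identityModel>
    <identityConfiguration>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel">
        <trustedIssuers>
          <add thumbprint="%s" name="http://fs.example.test/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation passiveRedirectEnabled="true" issuer="https://fs.example.test/adfs/ls/" realm="https://rp.example.test/" requireHttps="false" />
      <cookieHandler requireSsl="false" />
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint" findValue="PLACEHOLDER_RP_CERT_THUMBPRINT" storeLocation="LocalMachine" />
      </serviceCertificate>
    </federationConfiguration>
  </system.identityModel.services>
</configuration>""" % thumbprint(CERT_CURRENT_B64)


if __name__ == "__main__":
    for key, value in audit(SAMPLE_METADATA, SAMPLE_WEB_CONFIG).items():
        print("%-24s %s" % (key, value))
```

Against a real deployment, replace the two samples with the document fetched from the `ida:ADFSMetadata` URL and the site's actual Web.config; a non-empty `missing` list means sign-ins will start failing as soon as ADFS switches to the certificate it is not trusted for, and any entry in `weak` should be cleared by setting `requireHttps="true"` and `requireSsl="true"` once the site is served over HTTPS.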


























