Sunday, 13 January 2013

ASP.NET MVC 4, ADFS 2.0 and 3rd party STS integration (IdentityServer2)


I am currently going through the architectural process of enabling 3rd party claims authentication via both active directory and a custom authentication store.  This is a common requirement for the enterprise where a users primary login is not necessarily active directory.  This complex scenario enables a single user to login via both an application account or the windows account, providing ultimate authentication flexibility.

So, how is this achieved via ADFS 2.0?.. The honest answer is it isn’t.  ADFS does not provide a pluggable model for custom authentication and only supports active directory authentication out of the box.  Custom authentication needs to be provided via the utilisation of a custom Trusted STS and ADFS 2.0.  Producing a reliable STS is no simple feat, the management, security and protocol support required to produce a working token service is a lot of work.  Luckily for us, Dominick Baier (@leastprivilege) has taken all of this pain away via Identity Server 2.0. 

Identity server 2.0 is an Open Source STS providing the ability to “swap out” elements of the architecture and wrap a custom identity store.  Once wrapped, this store can be accessed via the claims protocols (WS-Trust) and provide alternative authentication tokens.  These tokens can be used to sign-in to ADFS and authenticate the user.  With authentication complete, subsequent claims transforms can be applied inside ADFS.  This is a challenging use-case, not one for the feint hearted.

In the first part of this 2 part series I will configure ADFS 2.0 and Setup the relying party trust to an ASP.NET MVC application.  In the 2nd part in the series I will install identity server v2 and modify the ADFS forms process to delegate access to the identity server provider via WS-Trust.


To get started you will need a Windows 2012 domain server, Windows 8 (IIS configured with a self-signed cert) and Visual Studio 2012 along with Identity Server 2.0.  Knowledge of ASP.NET MVC 4.0 and Windows Identity Foundation is a bonus.

Identity Server can be downloaded from here.

  • On the Windows 2012 Server, Add the ADFS 2.0 role and configure a self-signed IIS certificate with the correct bindings.  This is explained exceptionally on the sysadminblog. Installing ADFS 2.0
  • Once installed, install and configure identity server as described in the video at
  • .NET 4.5 and Windows 8 ship with WIF.
  • Visual Studio 2012 ships with ASP.NET MVC 4.0, to make life easy to you enable the “Identity and Access Tool” from Tools, Extensions and Updates extension manager.  This provides an application level menu to configure your .NET application against the new federation service.

Configuring ADFS 2.0 for Forms Authentication

ADFS 2.0 by default is configured to hook directly into your existing active directory via integrated security through the browser.  To utilise the ability to login to the 3rd party STS (IdentityServer) you need to change the default configuration to Forms (more on this in part 2).  This is achieved by modifying the ADFS web.config (Found at c:\inetpub\adfs\ls\web.config) authentication preference (as below).  You can also achieve this directly by embedding the authentication type into authenticating applications url via the wauth parameter.  I.E: https://windows2012/adfs/ls?wauth=Forms

<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />
<commonDomainCookie writer="" reader="" />
<context hidden="true" />
<error page="Error.aspx" />
<acceptedFederationProtocols saml="true" wsFederation="true" />
<homeRealmDiscovery page="HomeRealmDiscovery.aspx" />
<persistIdentityProviderInformation enabled="true" lifetimeInDays="30" />
<singleSignOn enabled="true" />

Take note of the FormsSignIn.aspx page, this one of very few customisation points in ADFS 2.0.  We will be using this later to redirect our credentials to our 3rd party STS.


With ADFS configured, take note of the metadata address from the ADFS management console.  This is found under the service, endpoints folder, for the purposes of this post we will use the Federation Metadata endpoint.  As you can’t copy this from the MMC, here is the endpoint suffix:






Creating the ASP.NET MVC 4.0 Application

In order to test the demonstration we will need a sample harness.  An easy option to demonstrate this process is to create our own claims enabled application.  To create this application launch visual studio (as an Administrator) and create a new blank basic ASP.NET MVC 4 application.  Add this application to IIS, this makes the process easier. 

Please ensure you have added the “Identity and Access Tool” from Tools, Extensions and Updates extension manager.


In the project options ensure your application is using IIS.  This process does work under IIS Express, this is my personal preference as configuring certificates is easier inside IIS.


Once loaded, right click on the project and select the Identity and Access option.

imageOnce clicked, you will need the metadata URL from above, everything else will be configured automatically based on your application URL.  You may desire to change the application realm (configuration tab), this can be done after metadata configuration.

imageOnce complete your web.config will be modified.  The modifications provide the details of the identity provider and changes the application authentication settings and paths to allow for claims authentication.  This is a fairly self-explanatory configuration consisting of the audience (your application root URL), The public certificate thumbnail of the issuing identity provider, and the redirection address to the identity provider for authentication (issuer).  Realm is the relying party (service-provider) key (name) given to the identity provider to identify your application.

<add value="http://localhost/Claims.Test/" />
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<add thumbprint="THUMBNAIL OF CERT" name="http://IdServ/adfs/services/trust" />
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://IdServ/adfs/ls/" realm="http://localhost/Claims.Test/" requireHttps="false" />

The identity and access tool also adds the following settings to your application settings section.

    <add key="ida:FederationMetadataLocation" value="https://idserv/FederationMetadata/2007-06/FederationMetadata.xml" />
<add key="ida:Issuer" value="https://Idserv/adfs/ls/" />
<add key="ida:ProviderSelection" value="productionSTS" />

With the above complete, when you run the application you should be presented with the default ADFS login authentication homepage as below.  At this point the login process will fail as you have not configured the “relying party trust” in ADFS 2.0.  ADFS does not know whether the user has access to the relying application.  As articulated in my previous post, relying party is a MS linguistic, service-provider is more environment agnostic.image

imageNow your application is configured you need to configure the relying party trust in ADFS 2.0.  On your ADFS server, browse to the ADFS 2.0 MMC and select Relying Party Trusts, Add Relying Party Trust.  This will launch the relying party configuration wizard.


Screen 1, enter data manually


Screen 2, Give your application a meaning full name and description.  image

Screen 3, Select ADFS profile image Screen 4, Click next.  This screen is used to configure the public key provided by your application to encrypt the token send from the identity provider.  For the purposes of this post we will not be encrypting tokens.

imageScreen 5, provide the endpoint URL for your relying application.  This is the home URL as WIF utilises the ASP.NET authentication module architecture to intercept and validate tokens.  For this demo I am working from a host called Windows 8.

imageScreen 6, add the trust identifier (this is the realm as configured above).  The realm is send in the federation url to determine the relying party configuration to utilise at the IDP.

 imageScreen 7, configure the users to access the relying party (service-provider).  Permit all users initially, this can be changed by utilising authorisation rules in ADFS.

imageScreen 8, Verify your settings and save the Trust, ensuring you open the claim Edit claim rules dialog.

You will now be able to login to your application, although at this point no claims have been configured so it is rather useless.  The next dialog provides you the ability to configure and forward claims to the relying application. Without any claims your application will see no authentication properties.  Below I configure the Name claim to be sent to the ASP.NET application, this is then presented in the ASP.NET Thread.CurrentPrincipal.Name property.


Add Rule (Opens Rule Template Wizard)


Pass Through or Filter Claim Selection.


Call the rule “Send Name” and select the Name claim type.  Click Finish

With this now configured your application will be able to login and you should be able to obtain the claim name presented within ASP.NET.  If you used the blank ASP.NET MVC 4 template, add a new home controller and copy the code below into the Home View.

ViewBag.Title = "Index";




Once launched and logged in, you have completed the ADFS 2.0 application configuration process.  Well Done!



Part 2, takes this to another level by modifying the ADFS 2.0 FormsSignIn.aspx to delegate authentication to Dominick Baiers (@leastprivilege) Identity Server v2, enabling custom credential stores.


  1. Hi Gary, thanks for this post. I'm currently solving the similar problem: Sharepoint is my Service Provider. Sharepoint communicates with the ADFS 2.0. and ADFS 2.0 communicates with third party Idendity Provider. As I'm newbie in ADFS currently I'm trying figure out how to delegate the request from Sharepoint to IdP through ADFS. Probably it is what you will write in your next post. May I ask you when do you plane to post the second part of this article? Could you outline the concept of this delegation as I need to finish this integration within this week? thanks in advance.

  2. Thanks for the awesome write up. Combined with
    Dominick Baier's Identity Server videos, ADFS makes more sense to me. Waiting eagerly for the second part of this article. Keep up the good work!

  3. Hi,

    I'm also eagerly awaiting part 2 of your article as well. Thanks for an awesome part 1.

  4. Hi Gary, its great post and very helpful , i wish if post another article for windows server 2012 adfs 2.1, on premise server

  5. Hi Gary,

    I've successfully integrated ADFS 2.1 with Thinktecture 2.0. Would you happen to have any intentions or experience with the integration of Thinktecture 2.0 and ADFS 3.0 (2012 R2)

  6. Hi Gary, we now are using Id Server with SharePoint On Prem, which works fine. We are considering going to Office 365. Main goal is that we can share document with extrenal users easily as well and having them to use the credentials that are stored in the Identity Database. Do you know if that's possible?

  7. Hi, now I am very clear on the ADFS its very help full, but how can we handled both ADFS and customer authentication if user not in AD server. Can you provide anything so it would be help us.


  8. Many of the lessons in Rich by Forty: A Young Couples' Guide to Building Trey Songz Net Worth are relevant to anyone planning ahead for their future. This most certainly includes entrepreneurs and small businesspeople. If your personal finances are not in order it will be very difficult to start a business.

  9. Very nice post here and thanks for it .I always like and such a super contents of these post.Excellent and very cool idea and great content of different kinds of the valuable information's.
    Microsoft azure training in Bangalore
    Power bi-training in Chennai

  10. Your very own commitment to getting the message throughout came to be rather powerful and have consistently enabled employees just like me to arrive at their desired goals.
    Best Devops training in sholinganallur
    Devops training in velachery
    Devops training in annanagar
    Devops training in tambaram

  11. Good Post, I am a big believer in posting comments on sites to let the blog writers know that they ve added something advantageous to the world wide web.
    Selenium training in Chennai
    Selenium training in Bangalore
    Selenium training in Pune
    Selenium Online training

  12. I was recommended this web site by means of my cousin.
    I am now not certain whether this post is written through him as nobody else recognise such precise about my difficulty. You're amazing! Thank you!

    Selenium training in bangalore
    Selenium training in Chennai
    Selenium training in Bangalore
    Selenium training in Pune
    Selenium Online training

  13. I prefer to study this kind of material. Nicely written information in this post, the quality of content is fine and the conclusion is lovely. Things are very open and intensely clear explanation of issues

    Python Online certification training
    python Training institute in Chennai
    Python training institute in Bangalore

  14. Whoa! I’m enjoying the template/theme of this website. It’s simple, yet effective. A lot of times it’s very hard to get that “perfect balance” between superb usability and visual appeal. I must say you’ve done a very good job with this.
    python training in rajajinagar
    Python training in bangalore
    Python Online training in usa

  15. You are doing a great job. I would like to appreciate your work for good accuracy
    Selenium Training Institute in Chennai | Selenium Testing Training in chennai

  16. Thanks for your valuable post... The data which you have shared is more informative for us...
    Selenium Training in Chennai | SeleniumTraining Institute in Chennai

  17. This comment has been removed by the author.

  18. Thanks for provide great informatic and looking beautiful blog, really nice required information & the things i never imagined and i would request, wright more blog and blog post like that for us. Thanks you once agianMarriage certificate in delhi
    Marriage certificate in ghaziabad
    Marriage registration in gurgaon
    Marriage registration in noida
    special marriage act
    Marriage certificate online
    Marriage certificate in mumbai
    Marriage certificate in faridabad
    Marriage certificate in bangalore
    Marriage certificate in hyderabad thanks once again to all.

  19. AWS training in bangalore, one of the best!!
    Visit: AWS training in bangalore