Wednesday, August 21, 2013

Making a claims-aware website in Visual Studio 2012

My company has been using LDAP authentication for all internal software for the longest time and we're now considering moving to a claims based approach. We've been more inclined lately to do so now that Azure website migration is part of our strategy.

 We have ADFS (2.0 I believe) but we haven't setup an apps to authenticate against it ... until today. 
The googles had a lot of articles on how to setup Secure Token Services (STS) and claims-aware websites but most of the articles and posts were using either VS 2008 or 2010. When I went to use the default VS templates specified, they were nowhere to be found.

Things you'll need:

The address of your ADFS server
An SSL certificate for your web application.  Here are instructions on how to do it if you have IIS 7.
IIS, it must be configured to serve up ASP.Net content (either on a server or your local workstation)


Here are the steps we took to get it working Visual Studio 2012:

1) Download the following C# Webforms project from MSDN.  (This step isn't necessary but it has code in it to list out the claims returned from ADFS already).

2) Setup your website in IIS and link your SSL certificate to it.  Point the base folder location to the WebApplication folder of the project from step 1 (if you chose to download it).  Now would also be a good time to make sure your Windows Firewall has inbound rules to allow port 443.

3) Install the latest version of Windows Identity Foundation SDK via the Web Platform Installer. This will also automatically install the Windows Identity Foundation (WIF) component.



4) In VS, right-click the web application and select "Identity and Access..."

5) Select to use a "business identity provider"

Then for the path to the STS metadata document enter in https://<your_adfs_server_address>/FederationMetadata/2007-06/FederationMetadata.xml
The full path is a convention that STS uses by default.

For the APP ID for your application enter whatever domain address is configured for your application in IIS from step 2.  Make sure it starts with "https".



6) Click the Configuration tab and make sure "Require HTTPS" is checked on.
For APP ID URI and for Audience URI enter the same value you did for your APP ID from the first tab.



7) After you click "Ok" it will make changes to your web.config file and will create a folder named "FederationMetadata" in the root folder of your application with an XML configuration file in it.

8) The "FederationMetdata" folder will not show up in your VS project so you'll want to show all files in the project and right-click it to include it so that it's under source control and will get deployed when you publish or however you deploy.

That's all you have to do for the web application.  The only thing left is to add the web application as a "Relying Party".  I'm kind of glossing over the steps for this part but once you're in the administration program for ADFS, it's fairly straight-forward and intuitive what you need to do.

When it asks for the URL for the relying party's metadata file, put in
https://myapp.dev.com (or whatever your app is).  It will figure out how to get to your Federation Metadata file by using the standard convention.


No comments:

Post a Comment