4

I have an existing MVC 5 application that successfully uses on-premise Active Directory Federation Services.

Relevant web.config settings:

    <appSettings>
      <add key="ida:Issuer" value="https://www.fedsvc3copa.beta.pa.gov/adfs/ls/"/>
    </appSettings>

    <authority name="http://www.fedsvc3copa.beta.pa.gov/adfs/services/trust">
      <keys>
        <add thumbprint="xxxxxxxxxxxxxxx"/>
      </keys>
      <validIssuers>
        <add name="http://www.fedsvc3copa.beta.pa.gov/adfs/services/trust"/>
      </validIssuers>
    </authority>

    <federationConfiguration>
      <cookieHandler requireSsl="true"/>
      <wsFederation passiveRedirectEnabled="true" issuer="https://www.fedsvc3copa.beta.pa.gov/adfs/ls/" realm="https://localhost:44363/" requireHttps="true"/>
    </federationConfiguration>

I'm trying to do the same thing for a .NET Core MVC app, but I'm a bit confused about what to put in Startup.cs.

I am following along with https://learn.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.1

So I have:

    .AddWsFederation(options =>
    {
        // MetadataAddress represents the Active Directory instance used to authenticate users.
        options.MetadataAddress = "https://www.fedsvc3copa.beta.pa.gov/federationmetadata/2007-06/FederationMetadata.xml";

        // Wtrealm is the app's identifier in the Active Directory instance.
        // For ADFS, use the relying party's identifier, its WS-Federation Passive protocol URL:
        options.Wtrealm = "https://localhost:44363/";

        // For AAD, use the App ID URI from the app registration's Properties blade:
        options.Wtrealm = "???????";
    });

I'm not sure what to put in the AAD realm, as I am not using Azure. Also, don't I need the thumbprint and the issuer? http://www.fedsvc3copa.beta.pa.gov/adfs/services/trust

2
  • You don't need anything in that last property, the one you filled with ???. The documentation shows two different ways, notice that the property name is the same as the one above it. The first .Wtrealm example is for ADFS, the second is for AAD. Just remove the second one. I'm not familiar with this specific Active Directory setup, just noticed that from the docs. Commented May 6, 2019 at 15:50
  • Yeah, I tried that and it takes me to the org's sign-in page, but I get the error: An error occurred An error occurred. Contact your administrator for more information. Error details Activity ID: c2667d30-335f-4da5-6b0a-0080010000e4 Error time: Mon, 06 May 2019 17:32:05 GMT Cookie: enabled User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Commented May 6, 2019 at 17:33

1 Answer

5
+200

To answer your first question:

If you are not using Azure, you do not need to worry about AAD. In fact you want to make sure that .Wtrealm isn't configured twice. So just remove that second one.

To answer the second question about the Thumbprint and Issuer:

I don't think you need those values, but they are probably good to include seeing as the thumbprint and issuer values are used to validate tokens.

I've tried to replicate all of your original config settings in the code below, which belongs in the Startup.cs file. The "your x.509 cert string" value can be retrieved from the XML file at the MetadataAddress URL; it will be between the <X509Certificate> tags.

    using System;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.WsFederation;
    using Microsoft.AspNetCore.Http;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.IdentityModel.Tokens;

    public void ConfigureServices(IServiceCollection services)
    {
        // Paste the base64 text found between the <X509Certificate> tags of the metadata XML.
        var rawCertData = Convert.FromBase64String("your x.509 cert string");
        X509Certificate2 cert = new X509Certificate2(rawCertData);
        SecurityKey signingKey = new X509SecurityKey(cert);

        // Default schemes as in the linked docs: cookies hold the session, WS-Federation handles the challenge.
        services.AddAuthentication(sharedOptions => {
                sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
            })
            .AddWsFederation(options => {
                options.MetadataAddress = "https://www.fedsvc3copa.beta.pa.gov/federationmetadata/2007-06/FederationMetadata.xml";
                options.Wtrealm = "https://localhost:44363/";
                options.TokenValidationParameters = new TokenValidationParameters {
                    ValidateIssuer = true,
                    ValidIssuer = "http://www.fedsvc3copa.beta.pa.gov/adfs/services/trust", // <validIssuers> from the old web.config
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = signingKey // replaces the <keys> thumbprint entry
                };
                options.RequireHttpsMetadata = true;
            })
            .AddCookie(cookieOption => {
                cookieOption.Cookie.SecurePolicy = CookieSecurePolicy.Always; // cookieHandler requireSsl="true"
            });
    }

Note: With this configuration I can get to your ADFS login page. However, I can't log in because I don't have permissions, so I don't know what will happen on the POST after you sign in. If you have problems, feel free to let me know.
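As an added example that is not part of the question or the answer, the C# below goes one step beyond pasting a single certificate string: it parses the FederationMetadata.xml that MetadataAddress points at, takes the entityID as the issuer and every token-signing certificate it publishes, and checks that the thumbprint carried over from the old web.config <keys> element is among them before building TokenValidationParameters. It assumes the metadata XML has already been fetched into a string (for example with HttpClient) and that expectedThumbprint is the hex value from web.config; the class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;
using Microsoft.IdentityModel.Tokens;

// Reads the ADFS FederationMetadata.xml that MetadataAddress points at, pulls out the
// entityID (the issuer) and every token-signing certificate, and checks the thumbprint
// carried over from the old web.config before building TokenValidationParameters.
public static class FederationMetadataKeys
{
    static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";

    // ADFS publishes one or two certificates under KeyDescriptor use="signing";
    // two appear while a token-signing certificate rollover is pending.
    public static (string Issuer, List<X509Certificate2> Certs) Parse(string metadataXml)
    {
        var root = XDocument.Parse(metadataXml).Root;
        if (root == null || root.Name != Md + "EntityDescriptor")
            throw new InvalidOperationException("Not an EntityDescriptor document.");
        var issuer = (string)root.Attribute("entityID");
        var certs = root.Descendants(Md + "KeyDescriptor")
            .Where(k => (string)k.Attribute("use") == "signing")
            .Descendants(Ds + "X509Certificate")
            .Select(x => new X509Certificate2(Convert.FromBase64String(x.Value.Trim())))
            .ToList();
        if (string.IsNullOrEmpty(issuer) || certs.Count == 0)
            throw new InvalidOperationException("Metadata has no entityID or no signing certificate.");
        return (issuer, certs);
    }

    // expectedThumbprint is the value from the old web.config <keys><add thumbprint=.../> entry.
    public static TokenValidationParameters Build(string metadataXml, string expectedThumbprint)
    {
        var (issuer, certs) = Parse(metadataXml);
        var wanted = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
        if (!certs.Any(c => string.Equals(c.Thumbprint, wanted, StringComparison.OrdinalIgnoreCase)))
            throw new InvalidOperationException($"No signing certificate with thumbprint {wanted} in metadata.");
        return new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,                     // e.g. http://.../adfs/services/trust
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = certs.Select(c => (SecurityKey)new X509SecurityKey(c)).ToList()
        };
    }
}
```

ADFS publishes the replacement certificate in its metadata ahead of a token-signing rollover, so trusting all published signing certificates (rather than one pasted string) avoids a break when the rollover happens, while the thumbprint check still flags a key that was not expected.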
