
ADFS is already configured on servers. Different application is using it for Single Sign on. I want to use same aDFS server to implement single sign on in my application. Any checklist please from where I can start?

  • You need to improve your question with details about the app you want to have SSO for. -- It's a Form Authentication ASP.NET web application.
  • What version of AD FS are you using? -- AD FS 2.0 on Windows Server 2008.
  • What OS are the AD FS servers running, as it helps confirm functionality? -- Windows Server 2008.
  • What is the app capable of talking (SAML2, WS-Fed, OAuth)? -- ???
  • How is the app working now for auth (is it Windows Integrated or something else)? -- Form Authentication.
  • What is the application running on (ASP.NET, Java, etc.)? -- ASP.NET 4.0, C# 4.0.

  • You need to improve your question with details about the app you want to have SSO for. What version of AD FS are you using? What OS are the AD FS servers running, as it helps confirm functionality? What is the app capable of talking (SAML2, WS-Fed, OAuth)? How is the app working now for auth (is it Windows Integrated or something else)? What is the application running on (ASP.NET, Java, etc.)? – maweeras Feb 03 '15 at 23:21

2 Answers

Assuming your application can federate with AD FS, you will need to do something on the app side and on the AD FS side.

On AD FS you will create a relying party trust. On the app side you need to configure it to trust tokens issued by AD FS.

You don't need to create an STS as AD FS is the STS here. Metadata is always published at a URL like https://sts.contoso.com/federationmetadata/2007-06/federationmetadata.xml where the server name (sts.contoso.com) used for the AD FS varies.

The issuer is the identifier string and by default would be http://sts.contoso.com/adfs/services/trust in this case. You can see it in the federation service properties within the AD FS management console or in the Get-AdfsProperties cmdlet output. You can also change it to another URI if you want.

The logon page is provided if you are doing FBA at AD FS. Else you may get a prompt to do Windows Integrated Auth.

It looks like you need to read a lot about AD FS functionality and usage. I don't think the question/answer is a good way to educate yourself about how to do everything in AD FS.

As you are using AD FS 2.x you should review information at http://social.technet.microsoft.com/wiki/contents/articles/2735.ad-fs-content-map.aspx

See https://msdn.microsoft.com/en-us/library/hh545401(v=vs.110).aspx for details of customising an ASP.NET app to use WS-Federation.

http://www.cloudidentity.com/blog/2014/04/29/use-the-owin-security-components-in-asp-net-to-implement-web-sign-on-with-adfs/ is also good to see how to use OWIN with the newer version of AD FS on Windows Server 2012 R2. The instructions are perfectly usable with AD FS 2.x so you might prefer to use OWIN instead of WIF.

maweeras
  • Thank you for your response. I have updated my question. I am confused with STS. Do I need to create an STS application, or where will I find FederationMetadata.xml? How do I identify the issuer? Right now I just know that I need to configure a Relying Party Trust with details of my application and the claims my application can consume. But I have no idea where that login page will come from, as I have mentioned earlier our application will be sharing AD FS with another application. Does it mean we will have the same login page? Currently my application has Form Authentication. Please suggest – user2250161 Feb 05 '15 at 04:06
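To make the "trust tokens issued by AD FS" step concrete, here is a minimal OWIN startup for the WS-Federation route the answer links to. This is an added example, not code from the answer or from the linked blog post; it assumes .NET 4.5 with the Microsoft.Owin.Security.WsFederation and Microsoft.Owin.Security.Cookies packages, and the realm and metadata URLs are placeholders that follow the sts.contoso.com naming used in the answer.

```csharp
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(ContosoApp.Startup))]

namespace ContosoApp
{
    // Replaces Forms Authentication: a request that needs sign-in is redirected
    // to the AD FS logon page, and AD FS posts a signed token back to the app.
    public class Startup
    {
        // Assumed values: the relying party identifier registered in the AD FS
        // trust (sent as wtrealm) and the federation metadata URL of the AD FS server.
        private const string Realm = "https://app.contoso.com/";
        private const string Metadata =
            "https://sts.contoso.com/federationmetadata/2007-06/federationmetadata.xml";

        public void Configuration(IAppBuilder app)
        {
            // The WS-Fed middleware hands the validated identity to the cookie
            // middleware, which keeps the session after the initial sign-in.
            app.SetDefaultSignInAsAuthenticationType(
                CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieSecure = CookieSecureOption.Always // session cookie only over HTTPS
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Realm,
                Wreply = Realm,             // where AD FS posts the token back
                MetadataAddress = Metadata  // issuer name and signing certs come from here
                // Nothing about the AD FS signing certificate is hard-coded: the
                // middleware trusts only the token-signing keys published in the
                // metadata, and it validates the token audience against Wtrealm.
            });
        }
    }
}
```

A page that still requires sign-in triggers the redirect with a challenge (in MVC the [Authorize] attribute does this); on the AD FS side the relying party trust's identifier must match the Wtrealm value, otherwise the audience check rejects the token.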

You implement claims-based authentication (preferably with WS-Fed or WS-Trust). At that point you'll have the claims you require and can then talk to the AD FS admin to create a trust for your app, so it can rely on authenticated claims for authorization.

Jim B