I am using the Thinktecture.IdentityModel 4.0 samples for WebApiSecurity. I've modified the AdfsSamlClient to use our ADFS Server. I am able to get a SAML token from out ADFS Server using

        // factory and rst (the WS-Trust RequestSecurityToken) are set up earlier, as in the sample
        var channel = factory.CreateChannel();
        var token = channel.Issue(rst) as GenericXmlSecurityToken;

Then I try to make the service call

        // saml holds the serialised token XML from the GenericXmlSecurityToken above
        var client = new HttpClient { BaseAddress = _baseAddress };
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("AdfsSaml", saml);

        var response = client.GetAsync("identity").Result;

And get a 401 - Not Authorized response.

I am not sure how to debug this. I have tracing for Microsoft.IdentityModel, but it is only an information-level trace, with no errors or warnings and nothing I am able to use to debug.

The interesting part of the service trace:

1.
Description OnEndRequest is redirection to IdentityProvider '/WebHost/api/identity'

2.
Description CreateSignInRequest
BaseUri     https://[ADFS...]/adfs/ls/
wa          wsignin1.0
wtrealm     https://[WorkStation...]/WebHost/
wctx        rm=0&id=passive&ru=%2fWebHost%2fapi%2fidentity

3.
Description Redirecting to IdentityProvider: 'https://[ADFS...]/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2f[WorkStation...]%2fWebHost%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fWebHost%252fapi%252fidentity&wct=2013-09-30T17%3a35%3a04Z'

Thanks for any insight.

Tim B
beezler

1 Answer

Main thing that springs to mind is to make sure the server knows how to handle the "AdfsSaml" scheme that you're using, so you'll want to make sure that your mapping is correct to your token handler.

One thing I tried was to create my own token handler, and mapped that as the token handler for the header. If you want, you can start with Thinktecture's own HttpSamlSecurityTokenHandler, and debug your way through that. Obviously, if it never hits it, then you've got a mapping issue somewhere.

I also found that if an exception was thrown in the ClaimsAuthenticationManager, it would report as unauthorized - even though the exception being thrown was something completely unrelated (in my case, an InvalidCastException). That stumped me for a while, because I hadn't realised that authentication had gotten so far down the pipeline and that validation of the token had actually been successful - I was just checking the HTTP response, which kept saying unauthorised - so make sure you're not being misled by anything trivial like that.

dark_perfect
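The two checks in the answer above (is the "AdfsSaml" scheme actually mapped to a token handler, and is a ClaimsAuthenticationManager exception being swallowed into a 401) can be made visible in the trace with a small amount of diagnostic wrapping. The code below is an added example, not from the question, the answer, or the Thinktecture samples. It wraps whatever SAML handler the project already uses (for instance an `HttpSamlSecurityTokenHandler` instance, passed in as `samlHandler`) in a delegating `SecurityTokenHandler` that traces every read/validate call, and pairs it with a `ClaimsAuthenticationManager` that traces any exception before rethrowing. The Thinktecture.IdentityModel 4.x registration calls (`AuthenticationConfiguration`, `AuthenticationOptionMapping`, `AuthenticationOptions.ForAuthorizationHeader`, `AuthenticationScheme.SchemeOnly`, `AuthenticationHandler`) are written from memory of that library and should be checked against the version in use; the class names `TracingTokenHandler`, `TracingClaimsAuthenticationManager` and `AdfsSamlAuthConfig` are hypothetical. The `System.IdentityModel` and `System.Security.Claims` types are the .NET 4.5 ones.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Diagnostics;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web.Http;
using Thinktecture.IdentityModel.Tokens.Http; // assumed namespace for the Web API auth types

// Hypothetical delegating handler: if "AdfsSaml handler reached" never appears in the
// trace, the Authorization scheme is not mapped to this handler at all (a mapping issue).
public class TracingTokenHandler : SecurityTokenHandler
{
    private readonly SecurityTokenHandler _inner;

    public TracingTokenHandler(SecurityTokenHandler inner) { _inner = inner; }

    public override Type TokenType { get { return _inner.TokenType; } }
    public override bool CanValidateToken { get { return _inner.CanValidateToken; } }
    public override string[] GetTokenTypeIdentifiers() { return _inner.GetTokenTypeIdentifiers(); }

    public override bool CanReadToken(string tokenString)
    {
        var can = _inner.CanReadToken(tokenString);
        Trace.TraceInformation("AdfsSaml handler reached; CanReadToken = {0}", can);
        return can;
    }

    public override SecurityToken ReadToken(string tokenString)
    {
        try { return _inner.ReadToken(tokenString); }
        catch (Exception ex)
        {
            // A parse failure here surfaces as a bare 401 to the client.
            Trace.TraceError("AdfsSaml token could not be read: {0}", ex);
            throw;
        }
    }

    public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
    {
        try
        {
            var identities = _inner.ValidateToken(token);
            Trace.TraceInformation("AdfsSaml token validated; {0} identity(ies)", identities.Count);
            return identities;
        }
        catch (Exception ex)
        {
            // Signature, audience, issuer and lifetime failures all end up here.
            Trace.TraceError("AdfsSaml token validation failed: {0}", ex);
            throw;
        }
    }
}

// Hypothetical claims manager: runs only after the token has validated, so an error
// traced from here means the 401 is NOT a token problem (the answer's InvalidCastException case).
public class TracingClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        Trace.TraceInformation("Token accepted; claims transformation running for '{0}'", resourceName);
        try
        {
            return base.Authenticate(resourceName, incomingPrincipal);
        }
        catch (Exception ex)
        {
            Trace.TraceError("ClaimsAuthenticationManager threw {0}: {1}", ex.GetType().Name, ex);
            throw;
        }
    }
}

public static class AdfsSamlAuthConfig
{
    // The scheme string here must be byte-for-byte the one the client sends in
    // AuthenticationHeaderValue("AdfsSaml", saml); the comparison is on the scheme token.
    private const string Scheme = "AdfsSaml";

    public static void Register(HttpConfiguration httpConfig, SecurityTokenHandler samlHandler)
    {
        var config = new AuthenticationConfiguration
        {
            ClaimsAuthenticationManager = new TracingClaimsAuthenticationManager()
        };

        var handlers = new SecurityTokenHandlerCollection { new TracingTokenHandler(samlHandler) };

        config.AddMapping(new AuthenticationOptionMapping
        {
            Options = AuthenticationOptions.ForAuthorizationHeader(Scheme), // assumed API
            TokenHandler = handlers,
            Scheme = AuthenticationScheme.SchemeOnly(Scheme)                // assumed API
        });

        httpConfig.MessageHandlers.Add(new AuthenticationHandler(config));  // assumed API
    }
}
```

With this in place the trace tells the three cases apart: no "handler reached" line means the scheme is not mapped (or the header never arrived), a "validation failed" line means the token itself was rejected, and a "ClaimsAuthenticationManager threw" line means the token was fine and something after it produced the 401.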