
I have a lot of web applications on the same web server (IIS 7): let's say mydomain/app1, mydomain/app2, ... and so on. I'm trying to add ADFS authentication through OWIN. Here's what I've done:

using System.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(MyNamespace.Startup))]
namespace MyNamespace
{
    public class Startup
    {
        // Realm (RP identifier) and federation metadata URL come from web.config appSettings
        private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
        private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);

            // Challenge every request that is not yet authenticated
            app.Use((context, next) =>
            {
                SignIn(context);
                return next.Invoke();
            });
            // Run the middleware above in the IIS integrated pipeline's Authenticate stage
            app.UseStageMarker(PipelineStage.Authenticate);
        }

        public void ConfigureAuth(IAppBuilder app)
        {
            // The session is kept in a cookie once the WS-Federation sign-in completes
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {
                    Wtrealm = realm,
                    MetadataAddress = adfsMetadata
                });
        }

        public void SignIn(IOwinContext context)
        {
            // IIS may hand us an empty (unauthenticated) principal rather than null,
            // so check IsAuthenticated as well
            var user = context.Authentication.User;
            if (user == null || !user.Identity.IsAuthenticated)
            {
                context.Authentication.Challenge(
                    WsFederationAuthenticationDefaults.AuthenticationType);
            }
        }
    }
}

When a user accesses mydomain/app1, I want him to be authenticated through ADFS and then redirected to mydomain/app1. And the same thing for a user accessing mydomain/app2.

But I wish to add only one relying party trust in ADFS (because there are a lot of applications and all are using the same claim rules).

I've tried different configurations, but I can't do what I want:

  • if the RP endpoint is mydomain/app1/, authentication is OK but all requests (even those from mydomain/app2) are redirected to app1, obviously

  • if the RP endpoint is only mydomain/, I get a 405.0 HTTP error - Method Not Allowed after redirection (I take care of the trailing slash).

For information, I saw this question on Stack Overflow: URL redirection from ADFS server

But it doesn't really answer my problem because I don't understand the sentence "(...) WIF will process the response at URL_1, and then take care of redirecting the user to URL_2" in Andrew Lavers's comment.

How can I add multiple endpoints to one RP trust? Or how can I redirect users to the original URL? (considering all applications are on the same domain).

Thanks in advance for any help.


2 Answers


You should be able to set the wreply parameter based on the application that triggers the authentication flow. Something like this:

app.UseWsFederationAuthentication(
    new WsFederationAuthenticationOptions
    {
        Wtrealm = realm,
        MetadataAddress = adfsMetadata,
        Notifications = new WsFederationAuthenticationNotifications
        {
            // Called just before the browser is sent to ADFS; set wreply to the
            // application that triggered the challenge (scheme + host + app path)
            RedirectToIdentityProvider = context =>
            {
                context.ProtocolMessage.Wreply =
                    context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
                return Task.FromResult(0);
            }
        }
    });
MvdD

The issue here is that even by doing this, the ADFS server does not need to comply with the given Wreply parameter. By default, ADFS always redirects to the Wtrealm after successful login.

In our case we wanted to authenticate via ADFS with 2 test servers, 1 production server, and also enable the login for developers (localhost). Because of the redirection issue, each of the servers needs its own relying party trust.

The ideal solution here would be that an RP trust is created separately for each server running the application and also for https://localhost:44300 (Visual Studio default SSL port) so that developers can also authenticate. Allowing https://localhost:44300 probably raises some security concerns, so the preferred option would be to set up a development ADFS, for example on an Azure VM.