I'm trying to work with idsrv3 receiving tokens issued by an ADFS of an external company, so idsrv3 works as a service provider and the ADFS as identity provider. I'm using the WS-Fed (passive) protocol, so the company has already added our endpoint and the claims that should be issued with the token.

I did a login request over the URL https://adfsapp.companydomain.com/adfs/ls/idpinitiatedsignon.aspx and after introducing the credentials it authenticates the user and it redirects to the idsrv3 endpoint with a SAMLResponse.

Following the idsrv3 documentation I configured the identity provider in the app. ( https://identityserver.github.io/Documentation/docsv2/configuration/identityProviders.html )

    private static void AddExternalProvider(IAppBuilder app, string signInAsType, AdfsWsFederationExternalProvider provider)
    {
        // Federation metadata of the ADFS; the middleware reads the issuer and signing keys from it.
        var metadataAddress = "https://adfs.leastprivilege.vm/federationmetadata/2007-06/federationmetadata.xml";
        var manager =
            new SyncConfigurationManager(new ConfigurationManager<WsFederationConfiguration>(metadataAddress));
        var providerId = provider.ExternalProviderId;

        var options = new WsFederationAuthenticationOptions
        {
            AuthenticationType = providerId,
            Caption = provider.ExternalProviderName,
            SignInAsAuthenticationType = signInAsType,
            // Path on which the middleware expects the wsignin1.0 POST from ADFS.
            CallbackPath = new PathString("/" + providerId),
            ConfigurationManager = manager,
            Wtrealm = provider.Wtrealm
        };
        app.UseWsFederationAuthentication(options);
    }

But the token isn't validated, so I have the following questions:

1- Should I declare a token handler to treat the tokens issued by the company STS?

2- Will the callback path "/providerId" handle the tokens automatically?

3- How do I know whether the endpoint ("/providerId") is waiting for incoming tokens?

Thanks for your help.

markalex
user3612445

1 Answer


You are using WS-Federation as the protocol but are then trying IDPInitiated which is only applicable to the SAML-P protocol.

idsrv3 does not handle the SAML protocol by default.

What happens when you start from the application and then end up on ADFS?

rbrayb
  • Thanks for your answer. When I try to access the app (RP) it redirects to the ADFS form in order to fill in the credentials. (There is a problem at this point because once the credentials are filled in and submitted the ADFS returns a generic error, so temporarily I'm using the https://adfsapp.companydomain.com/adfs/ls/idpinitiatedsignon.aspx directly to check the response.) I'm waiting to check the outgoing request (authentication) with the client to fix that, but meanwhile I'm using the idpinitiatedsignon.aspx; is this a mistake? – user3612445 Dec 06 '17 at 10:52
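To make the difference between the RP-initiated flow the answer recommends and the IdP-initiated page concrete, here is an added example (not code from the question, from IdentityServer3 or from the Katana middleware) of the two WS-Federation passive messages that travel through the CallbackPath: the wsignin1.0 redirect the RP issues, and the structural checks on the wresult that ADFS posts back. The realm, the wctx value and the sample wresult are constructed; the ADFS host is the one from the question.

```python
# Added example (not from the question or from IdentityServer3/Katana); realm and sample wresult are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlencode

NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

def build_signin_url(adfs_ls, wtrealm, wctx):
    """RP-initiated sign-in: redirect the browser to ADFS /adfs/ls with wa=wsignin1.0
    (this is what the middleware does instead of going through idpinitiatedsignon.aspx)."""
    return adfs_ls + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": wtrealm, "wctx": wctx})

def check_signin_response(form, wtrealm, now):
    """ADFS POSTs wa/wresult/wctx to CallbackPath; returns a list of structural problems (empty =
    passed). XML-signature validation against the federation-metadata keys is left to the middleware."""
    problems = []
    if form.get("wa") != "wsignin1.0":
        problems.append("wa is not wsignin1.0")
    if "wresult" not in form:
        return problems + ["wresult missing"]
    rstr = ET.fromstring(form["wresult"])
    addr = rstr.find("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", NS)
    if addr is None or addr.text != wtrealm:
        problems.append("AppliesTo does not match wtrealm")
    cond = rstr.find("t:RequestedSecurityToken/saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return problems + ["no SAML 1.1 assertion with Conditions"]
    aud = cond.find("saml:AudienceRestrictionCondition/saml:Audience", NS)
    if aud is None or aud.text != wtrealm:
        problems.append("Audience does not match wtrealm")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    if not (datetime.strptime(cond.get("NotBefore"), fmt) <= now
            < datetime.strptime(cond.get("NotOnOrAfter"), fmt)):
        problems.append("assertion outside its validity window")
    return problems

REALM = "https://idsrv.example.test/"                   # constructed wtrealm of the RP
ADFS_LS = "https://adfsapp.companydomain.com/adfs/ls/"  # ADFS passive endpoint from the question
NOW = datetime(2017, 12, 6, 10, 52)                     # constructed "current time" (UTC)
# Constructed, unsigned sample of what ADFS posts back (a real one carries a ds:Signature).
SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="{NS['t']}">
 <wsp:AppliesTo xmlns:wsp="{NS['wsp']}"><wsa:EndpointReference xmlns:wsa="{NS['wsa']}"><wsa:Address>{REALM}</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
 <t:RequestedSecurityToken><saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2017-12-06T10:50:00Z" NotOnOrAfter="2017-12-06T11:50:00Z">
   <saml:AudienceRestrictionCondition><saml:Audience>{REALM}</saml:Audience>
   </saml:AudienceRestrictionCondition></saml:Conditions></saml:Assertion>
 </t:RequestedSecurityToken></t:RequestSecurityTokenResponse>"""
SAMPLE_FORM = {"wa": "wsignin1.0", "wctx": "state123", "wresult": SAMPLE_WRESULT}
```

A response that arrives at the callback without wa=wsignin1.0, or whose AppliesTo/Audience name a different realm, is what the middleware rejects before any claims reach idsrv3.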