I have an existing MVC 5 application that successfully uses on-premise Active Directory Federation Services.

Relevant web.config settings:

    <appSettings>
      <add key="ida:Issuer" value="https://www.fedsvc3copa.beta.pa.gov/adfs/ls/"/>
    </appSettings>

    <authority name="http://www.fedsvc3copa.beta.pa.gov/adfs/services/trust">
      <keys>
        <add thumbprint="xxxxxxxxxxxxxxx"/>
      </keys>
      <validIssuers>
        <add name="http://www.fedsvc3copa.beta.pa.gov/adfs/services/trust"/>
      </validIssuers>
    </authority>

    <federationConfiguration>
      <cookieHandler requireSsl="true"/>
      <wsFederation passiveRedirectEnabled="true" issuer="https://www.fedsvc3copa.beta.pa.gov/adfs/ls/" realm="https://localhost:44363/" requireHttps="true"/>
    </federationConfiguration>

I'm trying to do the same thing for a .NET Core MVC app, but I'm a bit confused about what to put in Startup.cs.

I am following along with https://learn.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.1

So I have:

    .AddWsFederation(options =>
    {
        // MetadataAddress represents the Active Directory instance used to authenticate users.
        options.MetadataAddress = "https://www.fedsvc3copa.beta.pa.gov/federationmetadata/2007-06/FederationMetadata.xml";

        // Wtrealm is the app's identifier in the Active Directory instance.
        // For ADFS, use the relying party's identifier, its WS-Federation Passive protocol URL:
        options.Wtrealm = "https://localhost:44363/";

        // For AAD, use the App ID URI from the app registration's Properties blade:
        options.Wtrealm = "???????";
    });

I'm not sure what to put in the AAD realm as I am not using Azure. Also, don't I need the thumbprint and the issuer (http://www.fedsvc3copa.beta.pa.gov/adfs/services/trust)?

Bryan Dellinger

  • You don't need anything in that last property, the one you filled with `???`. The documentation shows two different ways; notice that the property name is the same as the one above it. The first `.Wtrealm` example is for ADFS, the second is for AAD. Just remove the second one. I'm not familiar with this specific Active Directory setup, just noticed that from the docs. – vaindil May 06 '19 at 15:50
  • Yeah, I tried that and it takes me to the org's sign-in page, but I get the error: "An error occurred. Contact your administrator for more information. Error details: Activity ID: c2667d30-335f-4da5-6b0a-0080010000e4. Error time: Mon, 06 May 2019 17:32:05 GMT. Cookie: enabled. User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36" – Bryan Dellinger May 06 '19 at 17:33

1 Answer

To answer your first question:

If you are not using Azure, you do not need to worry about AAD. In fact, you want to make sure that .Wtrealm isn't configured twice, so just remove that second one.

To answer the second question about the Thumbprint and Issuer:

I don't think you need those values, but they are probably good to include, seeing as the thumbprint and issuer values are used to validate tokens.

I've tried to replicate all of your original config settings in the code below, which belongs in the Startup.cs file. Your X.509 cert string value can be retrieved from the XML file at the MetadataAddress URL; it will be between the <X509Certificate> tags.

    using System;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.WsFederation;
    using Microsoft.AspNetCore.Http;
    using Microsoft.IdentityModel.Tokens;

    // In Startup.ConfigureServices(IServiceCollection services).
    // The ADFS token-signing cert from the metadata's <X509Certificate> element (the counterpart of the old <keys> thumbprint).
    var rawCertData = Convert.FromBase64String("your x.509 cert string");
    X509Certificate2 cert = new X509Certificate2(rawCertData);
    SecurityKey signingKey = new X509SecurityKey(cert);

    services.AddAuthentication(sharedOptions => {
            // Default schemes are required so that [Authorize] signs in with the cookie and challenges via WS-Federation.
            sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
        .AddWsFederation(options => {
            options.MetadataAddress = "https://www.fedsvc3copa.beta.pa.gov/federationmetadata/2007-06/FederationMetadata.xml";
            options.Wtrealm = "https://localhost:44363/";   // the old wsFederation realm
            options.TokenValidationParameters = new TokenValidationParameters {
                ValidateIssuer = true,
                ValidIssuer = "http://www.fedsvc3copa.beta.pa.gov/adfs/services/trust",   // the old <validIssuers> entry
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = signingKey
            };
            options.RequireHttpsMetadata = true;   // the old requireHttps="true"
        })
        .AddCookie(cookieOptions => {
            cookieOptions.Cookie.SecurePolicy = CookieSecurePolicy.Always;   // the old cookieHandler requireSsl="true"
        });

Note: With this configuration I can get to your ADFS login page. However, I can't log in because I don't have permissions, so I don't know what will happen on the POST after you sign in. If you have problems, feel free to let me know.

hiltononline
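As an added example (not part of hiltononline's answer or the linked Microsoft docs), here is one way to pull the signing certificate out of FederationMetadata.xml in code and cross-check it against the thumbprint and issuer from the old web.config, instead of pasting the base64 by hand. It assumes the Microsoft.IdentityModel.Tokens package, and the demo in Main uses a constructed self-signed certificate and a constructed metadata document in place of the real ADFS ones.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;
using Microsoft.IdentityModel.Tokens;

public static class AdfsMetadata
{
    static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";

    // Reads FederationMetadata.xml, checks that its entityID is the issuer the old web.config trusted and that the
    // signing certificate matches the old <keys> thumbprint, and returns the key for TokenValidationParameters.IssuerSigningKey.
    public static X509SecurityKey LoadSigningKey(string metadataXml, string expectedIssuer, string expectedThumbprint)
    {
        var doc = XDocument.Parse(metadataXml);
        var entityId = (string)doc.Root.Attribute("entityID");
        if (entityId != expectedIssuer)
            throw new SecurityTokenInvalidIssuerException($"metadata entityID '{entityId}' is not '{expectedIssuer}'");
        var certBase64 = doc.Descendants(Md + "KeyDescriptor")
            .Where(k => (string)k.Attribute("use") == "signing")
            .Select(k => (string)k.Descendants(Ds + "X509Certificate").FirstOrDefault())
            .FirstOrDefault(s => !string.IsNullOrWhiteSpace(s));
        if (certBase64 == null)
            throw new InvalidOperationException("metadata has no signing certificate");
        var cert = new X509Certificate2(Convert.FromBase64String(certBase64.Trim()));
        var expected = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
        if (cert.Thumbprint != expected)   // Thumbprint is upper-case hex SHA-1 with no separators
            throw new SecurityTokenSignatureKeyNotFoundException($"signing cert {cert.Thumbprint} is not the pinned {expected}");
        return new X509SecurityKey(cert);
    }

    // Constructed demo: a throwaway self-signed cert stands in for the ADFS token-signing cert; in real use
    // pass the thumbprint from web.config and the XML fetched from the MetadataAddress URL.
    public static void Main()
    {
        const string issuer = "http://www.fedsvc3copa.beta.pa.gov/adfs/services/trust";
        using (var rsa = RSA.Create(2048))
        using (var cert = new CertificateRequest("CN=ADFS demo", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                              .CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
        {
            var xml = $"<EntityDescriptor xmlns=\"{Md}\" entityID=\"{issuer}\"><IDPSSODescriptor>" +
                      $"<KeyDescriptor use=\"signing\"><KeyInfo xmlns=\"{Ds}\"><X509Data><X509Certificate>" +
                      Convert.ToBase64String(cert.Export(X509ContentType.Cert)) +
                      "</X509Certificate></X509Data></KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>";
            var key = LoadSigningKey(xml, issuer, cert.Thumbprint);
            Console.WriteLine($"pinned signing key {key.Certificate.Thumbprint}");
        }
    }
}
```

If the thumbprint or entityID in the live metadata does not match what the old application trusted, the exception tells you before any token is accepted, which is the moment to find out why the federation service's signing certificate changed.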