Tuesday, January 8, 2013

Claims Based Authentication - Setting up Visual Studio 2012 on Localhost to use ADFS

So currently I'm learning Windows Identity Foundation to do Claims Based Authentication. I'm working on a few posts on the subject and I'll be posting them soon. For now this one focuses on my need to configure my Visual Studio environment to use my domain ADFS server as an STS. Now I know I can set up a local STS project for testing, but I wanted to use our domain ADFS so that everything is as close to the production configuration as I could get for testing.

Turns out this isn’t hard to do, but there are a few configuration steps that are easy to miss. Since I didn't find any guides or posts on how to do this, I figured I’d share mine.

Overview

The end result will be an ADFS relying party trust that expects inbound connections from https://localhost, and a Visual Studio configuration set to host the project in IIS rather than IIS Express. What's really interesting is that since I configured this to use https://localhost, any developer can use the same relying party for their testing rather than creating a Relying Party entry in ADFS for every developer machine. Also, because the links will only work from localhost, you don’t need to worry about anyone deploying projects using that Relying Party entry, because it won’t work.

Solution

There are two sides to this setup. First I’ll cover the settings I configured on the ADFS side for the relying party, and then those of the client machine running Visual Studio.

ADFS Configuration

From the ADFS server, navigate to Relying Party Trusts and add a new Relying Party Trust. We need to supply a FederationMetadata.xml file; I modified this one for our use. Create a text file, copy the contents below into it and save it as “Localhost_FederationMetadata.xml”.

Localhost_FederationMetadata.xml

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_3d1176b1-236d-4675-8970-674b061daf17" 
                entityID="https://localhost/"
                xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <RoleDescriptor xsi:type="fed:ApplicationServiceType" 
                xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <fed:TargetScopes>
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>https://localhost/</wsa:Address>
            </wsa:EndpointReference>
        </fed:TargetScopes>
        <fed:PassiveRequestorEndpoint>
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>https://localhost/</wsa:Address>
            </wsa:EndpointReference>
        </fed:PassiveRequestorEndpoint>
    </RoleDescriptor>
</EntityDescriptor>
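Because ADFS will trust whatever this file says, it is worth checking it before importing it: the entityID is the audience ADFS will issue tokens for, and the PassiveRequestorEndpoint is where ADFS will POST signed tokens. The script below is an added example, not part of the original post or of any Microsoft tooling. It parses the metadata above (embedded as sample input), extracts the entityID and every wsa:Address, and flags any endpoint that is not https or that points at a host other than the entityID's host, which is exactly the property that keeps this trust usable only from localhost. The constructed "bad" variant, with the passive endpoint moved to a hypothetical dev-box.example host, shows the check firing.

```python
"""Sanity-check a WS-Federation relying-party metadata file before importing it into ADFS.

Added example (not from the original post). Uses only the standard library.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by the metadata file in the post.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
WSFED = NS["fed"]

# Sample input: the Localhost_FederationMetadata.xml from the post, embedded inline.
GOOD_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_3d1176b1-236d-4675-8970-674b061daf17"
                entityID="https://localhost/"
                xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <RoleDescriptor xsi:type="fed:ApplicationServiceType"
                xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <fed:TargetScopes>
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>https://localhost/</wsa:Address>
            </wsa:EndpointReference>
        </fed:TargetScopes>
        <fed:PassiveRequestorEndpoint>
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>https://localhost/</wsa:Address>
            </wsa:EndpointReference>
        </fed:PassiveRequestorEndpoint>
    </RoleDescriptor>
</EntityDescriptor>
"""

# Constructed variant: the last Address (the passive requestor endpoint) is moved to a
# hypothetical host, so ADFS would POST tokens for audience https://localhost/ elsewhere.
_head, _sep, _tail = GOOD_METADATA.rpartition("https://localhost/")
BAD_METADATA = _head + "https://dev-box.example/" + _tail


def parse_metadata(xml_text):
    """Return entityID, role type, supported protocols and endpoint addresses."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not a SAML metadata EntityDescriptor")
    role = root.find("md:RoleDescriptor", NS)
    if role is None:
        raise ValueError("no RoleDescriptor found")
    scopes = role.findall("fed:TargetScopes/wsa:EndpointReference/wsa:Address", NS)
    passive = role.findall("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    return {
        "entity_id": root.get("entityID"),
        "role_type": role.get("{%s}type" % NS["xsi"], ""),
        "protocols": role.get("protocolSupportEnumeration", "").split(),
        "target_scopes": [(e.text or "").strip() for e in scopes],
        "passive_endpoints": [(e.text or "").strip() for e in passive],
    }


def check_metadata(info):
    """Return a list of problems; an empty list means the file looks safe to import."""
    problems = []
    entity = urlparse(info["entity_id"] or "")
    if entity.scheme != "https":
        problems.append("entityID must be https, got %r" % info["entity_id"])
    if not info["role_type"].endswith("ApplicationServiceType"):
        problems.append("RoleDescriptor xsi:type is %r, expected fed:ApplicationServiceType"
                        % info["role_type"])
    if WSFED not in info["protocols"]:
        problems.append("protocolSupportEnumeration does not include WS-Federation")
    if not info["passive_endpoints"]:
        problems.append("no PassiveRequestorEndpoint; ADFS has nowhere to POST the token")
    for addr in info["target_scopes"] + info["passive_endpoints"]:
        u = urlparse(addr)
        if u.scheme != "https":
            problems.append("endpoint %r is not https" % addr)
        if u.netloc.lower() != entity.netloc.lower():
            problems.append("endpoint %r is on a different host than the entityID" % addr)
    return problems


if __name__ == "__main__":
    for label, text in (("post's file", GOOD_METADATA), ("constructed bad file", BAD_METADATA)):
        info = parse_metadata(text)
        print(label, "->", info["entity_id"], check_metadata(info) or "OK")
```

Run it against the real file with `parse_metadata(open("Localhost_FederationMetadata.xml").read())`; the checks are deliberately narrow (scheme and host only), since ADFS itself validates the schema on import.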

With the file created, choose “Import data about the relying party from a file”.
