This article contains a quick walkthrough of creating a claims-aware application and registering it as a Relying Party in ADFS 2.0.
The ClaimsApp application used in this scenario is the default site that Visual Studio creates when selecting File –> New –> Web Site –> ‘Claims-aware ASP.NET Web Site’.
For convenience, the application is deployed on the same server that runs ADFS. In a real-world scenario it can be deployed on any IIS server that can reach the ADFS server.
Setup ClaimsApp Application in IIS
- Download the ‘ClaimsApp’ Web Site from here. (If you have Visual Studio 2008 or higher installed with the required WIF add-ons, you can also create your own ClaimsApp Web Site: File –> New –> Web Site –> ‘Claims-aware ASP.NET Web Site’.)
- Copy the ‘ClaimsApp’ Web Site to a directory on an IIS (in this case the ADFS) server. For example, copy the contents to the path C:\TestApps\ClaimsApp
- Configure a new Application in IIS under the Default Web Site node
- Test the application by opening the site in a browser. On an ADFS server, both the http: and https: bindings should work:
http://your-adfs-server/claimsapp
https://your-adfs-server/claimsapp
Note: depending on the target framework installed on the ADFS server, compilation of the site may fail. This can be resolved by removing the targetFramework attribute from the compilation element in the web.config:
<compilation debug="true" targetFramework="4.0">
(Leave debug="true" for this test site only; it should not remain enabled on a production deployment, since it disables compilation optimizations and leaks stack traces in error pages.)
- The application should load and the following screens should appear
Application Configuration
Configure the application to request SAML tokens from the ADFS server.
- Download and install the Windows Identity Foundation SDK (select the framework version you have installed – I chose 3.5).
- Once the installation is complete, run FedUtil.exe (by default this is located in C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5, or v4.0 respectively).
- Open the web.config from the ClaimsApp application that was configured in IIS. Specify the Application URI (this becomes the realm the application sends to ADFS, and it is the Identifier used later in the process when configuring the Relying Party in ADFS).
- Specify an STS (Security Token Service). Since ADFS is an STS, we can specify its federation metadata here.
- When prompted for encryption, specify none for now. (Without token encryption the SAML token, and the claims inside it, are readable by anyone who can see the browser's POST back to the application. The token is still signed by ADFS, so this is acceptable for a test lab but not for claims you consider sensitive.)
- Set the offered claims. Leave them as default; they can be changed in the web.config later if so desired.
- When prompted to schedule updates to the federation metadata, leave the check box deselected and click Finish. The following message will appear at the end.
- Now try to access the application again over https: https://your-adfs-server.mydomain.local/claimsapp. This time the browser is redirected to the ADFS server with a URL similar to this:
The sign-in will fail, since ADFS has not yet been configured with this Relying Party. That is covered in the next section.
The AD FS 2.0 event log (Applications and Services Logs > AD FS 2.0 > Admin) will contain two errors, Event ID 184 and 364, indicating this:
A token request was received for a relying party identified by the key ‘https://your-adfs-server.mydomain.local/ClaimsApp’, but the request could not be fulfilled because the key does not identify any known relying party trust.
Key: https://your-adfs-server.mydomain.local/ClaimsApp
This request failed.
User Action
If this key represents a URI for which a token should be issued, verify that its prefix matches the relying party trust that is configured in the AD FS configuration database.
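Before moving on to ADFS, it is worth checking what FedUtil actually wrote into the application's web.config, because the security of the relying party rests on a handful of settings in the <microsoft.identityModel> section: the audience URI, whether the WS-Federation redirect and session cookie are restricted to https, and the thumbprint of the ADFS token-signing certificate the application will trust. The following PowerShell script is an added example, not part of the original article or the WIF SDK. It embeds a constructed sample of the config so it runs offline; the path C:\TestApps\ClaimsApp\web.config is assumed from the walkthrough, and the check against Get-ADFSCertificate only runs when the AD FS 2.0 snap-in is available (i.e. on the ADFS server).

```powershell
# Added example (not from the original article): audit the <microsoft.identityModel>
# section that FedUtil writes into the ClaimsApp web.config for the settings that
# matter most for security. A constructed sample config is embedded so the script
# runs offline; if the assumed path exists, the real file is audited instead.

$webConfigPath = 'C:\TestApps\ClaimsApp\web.config'   # assumed location from the walkthrough

# Constructed sample shaped like FedUtil (WIF 3.5) output. The thumbprint is a placeholder,
# and requireHttps / requireSsl are deliberately weak so the checks below have something to find.
$sampleConfig = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="https://your-adfs-server.mydomain.local/ClaimsApp/" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://your-adfs-server.mydomain.local/adfs/ls/"
                      realm="https://your-adfs-server.mydomain.local/ClaimsApp/"
                      requireHttps="false" />
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="0000000000000000000000000000000000000000" name="http://your-adfs-server.mydomain.local/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
'@

function Test-WifConfig {
    param([xml]$Config)
    $findings = @()
    $svc = $Config.configuration.'microsoft.identityModel'.service
    if (-not $svc) { return @('No <microsoft.identityModel> section: FedUtil has not been run on this web.config') }

    # 1. Audience restriction: without an audienceUri the app would accept tokens minted for other RPs.
    if (-not $svc.audienceUris.add) { $findings += 'audienceUris is empty: tokens issued for any relying party would be accepted' }

    # 2. Transport protection for the WS-Federation redirect, the issuer endpoint and the session cookie.
    $wsfed = $svc.federatedAuthentication.wsFederation
    if ($wsfed.requireHttps -ne 'true') { $findings += 'wsFederation requireHttps is not true' }
    if ($wsfed.issuer -notmatch '^https://') { $findings += "issuer is not https: $($wsfed.issuer)" }
    if ($svc.federatedAuthentication.cookieHandler.requireSsl -ne 'true') {
        $findings += 'cookieHandler requireSsl is not true: the WIF session cookie can be sent over plain http'
    }

    # 3. Issuer pinning: every trusted issuer thumbprint should be a current ADFS token-signing certificate.
    $issuers = @($svc.issuerNameRegistry.trustedIssuers.add)
    if ($issuers.Count -eq 0) { $findings += 'no trustedIssuers configured: signed tokens will be rejected' }
    if (Get-Command Get-ADFSCertificate -ErrorAction SilentlyContinue) {
        $signing = Get-ADFSCertificate -CertificateType Token-Signing | ForEach-Object { $_.Certificate.Thumbprint }
        foreach ($i in $issuers) {
            if ($signing -notcontains $i.thumbprint) {
                $findings += "trusted issuer thumbprint $($i.thumbprint) is not an ADFS token-signing certificate"
            }
        }
    }

    # 4. Debug compilation should not survive into production.
    if ($Config.configuration.'system.web'.compilation.debug -eq 'true') { $findings += 'compilation debug="true"' }
    return $findings
}

$xml = if (Test-Path $webConfigPath) { [xml](Get-Content $webConfigPath) } else { [xml]$sampleConfig }
$results = @(Test-WifConfig -Config $xml)
if ($results.Count -eq 0) { 'No findings' } else { $results | ForEach-Object { "FINDING: $_" } }
```

Against the embedded sample the script reports the two http-related findings, the placeholder thumbprint (when run on the ADFS server) and the debug flag. In a lab the http findings are expected, since the walkthrough deliberately tests both bindings; on anything that faces real users, requireHttps and requireSsl should both be true, otherwise the signed token and the session cookie can be captured on the wire.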
ADFS Relying Party Configuration
Now that the configuration is complete on the application side, we can add the Relying Party trust for the ClaimsApp.
- Open the AD FS 2.0 Management Console
- Right-click Relying Party Trusts and click Add Relying Party Trust...
- Select ‘Import data about the relying party from a file’ and browse to the federation metadata file that FedUtil generated under the ClaimsApp\FederationMetadata directory, as shown.
- Specify a Display Name of ClaimsApp (this is only used internally in ADFS).
- Permit all users access to the relying party. (This creates an issuance authorization rule that admits every user who can authenticate to ADFS; fine for a test lab, but a production relying party should be restricted to the users or groups that actually need it.)
- Click Next on the Ready to Add Trust screen.
- Leave the checkbox enabled ‘Open the Edit Claims Rules for this relying party trust when the wizard closes’
- Click Add Rule
- Specify a Pass Through claim for the Windows account name.
- Configure it to pass through the Windows account name claim type. (This claim is already added to the claims pipeline as part of the acceptance rules on the Active Directory Claims Provider Trust.)
- Configure a second rule to send some LDAP attributes as claims.
Click OK a couple of times, and we are done configuring the ClaimsApp Relying Party.
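The same Relying Party setup can be scripted with the AD FS 2.0 PowerShell snap-in, which is useful for repeating the lab and for seeing exactly which claim rules the wizard pages above generate. The script below is an added example, not code from the original article; it assumes the ClaimsApp site lives in C:\TestApps\ClaimsApp with FedUtil's metadata at FederationMetadata\2007-06\FederationMetadata.xml, that it is run in an elevated PowerShell on the ADFS server, and it uses a placeholder group SID for the stricter authorization rule.

```powershell
# Added example (not from the original article): the Relying Party configuration from the
# walkthrough done with the AD FS 2.0 PowerShell snap-in instead of the management console.
# Assumed paths and the group SID are placeholders for this lab.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName       = 'ClaimsApp'
$metadataFile = 'C:\TestApps\ClaimsApp\FederationMetadata\2007-06\FederationMetadata.xml'   # assumed FedUtil output

# Step 1: import the relying party from FedUtil's metadata (identifier, WS-Fed endpoint, certificate).
if (-not (Get-ADFSRelyingPartyTrust -Name $rpName -ErrorAction SilentlyContinue)) {
    Add-ADFSRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile
}

# Step 2: issuance authorization. The wizard's "Permit all users" choice produces this rule;
# it admits every user who can authenticate to ADFS, which is acceptable for a lab only.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Stricter alternative for production: permit only members of one AD group, matched on group SID.
# The SID is a placeholder; substitute the real group's SID and pass $permitGroup instead of $permitAll.
$permitGroup = @'
@RuleName = "Permit ClaimsApp users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-0-0-0-0$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 3: issuance transform rules equivalent to the two wizard rules in the walkthrough:
# pass through windowsaccountname, and look up mail / givenName / sn in Active Directory as claims.
$transform = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);

@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP attributes as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $permitAll `
    -IssuanceTransformRules $transform

# Step 4: confirm what ADFS now holds. The Identifier must match the key reported in the earlier
# event 364; ADFS matches on prefix, so scheme and host must agree with the application's realm.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, Enabled, EncryptClaims, WSFedEndpoint |
    Format-List
```

Swapping $permitAll for $permitGroup is the one-line change that turns the lab trust into something closer to a production one; the transform rules can stay as they are.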
Testing
Try to access the application again over https: https://your-adfs-server.mydomain.local/claimsapp. You will briefly see a redirect to the ADFS server, followed by a page displaying the claims that were configured on the Relying Party in the previous section:
We now have a simple claims test application built on WIF and ADFS, which can be used to test a few different scenarios.