Connecting ADFS and the identityserver 4 SAML2P Identity Provider

Rory Braybrook
Published in Tech Feed
Nov 15, 2017 · 3 min read

First have a read of the previous article.

The previous article describes the setup. HTTPS must be in place on identityserver because ADFS will not connect over plain HTTP.

The client in Config.cs (one entry in the client list; the ADFS entity ID doubles as the client ID):

// IdentityServer4 Client configured for the SAML2P protocol
new Client
{
    ClientId = "http://your-adfs/adfs/services/trust",
    ClientName = "ADFS Test Client",
    ProtocolType = IdentityServerConstants.ProtocolTypes.Saml2p,
    RedirectUris = { "http://your-adfs/adfs/services/trust" },
    AllowedScopes = { "openid", "profile" }
}

The SP in Config.cs (one entry in the service provider list; the signing certificate is the ADFS token-signing certificate exported below):

// SAML service provider entry for ADFS (Rsk.Saml.Models.ServiceProvider)
new ServiceProvider
{
    EntityId = "http://your-adfs/adfs/services/trust",
    // ADFS signs its AuthnRequests with its token-signing certificate
    SigningCertificates = { new X509Certificate2("adfssigning.cer") },
    AssertionConsumerServices =
    {
        // ADFS receives the SAML response at /adfs/ls/ over HTTP POST
        new Service(SamlConstants.BindingTypes.HttpPost, "https://your-adfs/adfs/ls/")
    }
}

You need to get the signing certificate from ADFS. You can get this from the metadata:

https://your-adfs/federationmetadata/2007-06/federationmetadata.xml

or if you are not familiar with certificates, you can get it from the ADFS wizard.

Note that if ADFS is set for automatic certificate rollover, the token-signing certificate is not stored in the Windows certificate store, so you cannot export it with "mmc".

In the ADFS wizard under “Certificates”:

Then click “Copy to File”.

Save to a “cer” file format.

Save the file as “adfssigning.cer” (the name in the code above).

You need to add this to your VS solution.
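If you would rather take the certificate from the federation metadata than click through the wizard, the following PowerShell script is an added example (not from the original article) that downloads the metadata, pulls out every signing KeyDescriptor under the IDPSSODescriptor and writes the first one to adfssigning.cer, the file name used in Config.cs above. The host name "your-adfs" is the article's placeholder and must be replaced; the ADFS host must be reachable over HTTPS from the machine running the script.

```powershell
# Added example, not part of the original article.
# Extracts the ADFS token-signing certificate(s) from the federation metadata.
# "your-adfs" is a placeholder host name taken from the article.
$metadataUrl = "https://your-adfs/federationmetadata/2007-06/federationmetadata.xml"

[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# The signing key is published under IDPSSODescriptor as a KeyDescriptor with use="signing".
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$nodes = $metadata.SelectNodes($xpath, $ns)
if ($nodes.Count -eq 0) { throw "No signing KeyDescriptor found in the ADFS metadata" }

# With automatic rollover the metadata can list two signing certificates (current and next);
# export each one so the secondary is on hand when ADFS rolls over.
$index = 0
foreach ($node in $nodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText)   # whitespace in the element is ignored
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    $file  = if ($index -eq 0) { "adfssigning.cer" } else { "adfssigning-$index.cer" }

    # DER-encoded public certificate only; no private key is present in metadata.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes((Join-Path (Get-Location) $file), $der)

    Write-Host ("{0}  Subject={1}  Thumbprint={2}  NotAfter={3}" -f $file, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    $index++
}
```

Before trusting the exported file, compare the printed thumbprint with the one shown in the ADFS wizard under "Certificates" (or with `Get-AdfsCertificate -CertificateType Token-Signing` on the ADFS server); a mismatch means you fetched metadata from the wrong host or the certificate has already rolled over.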

The identityserver SAML metadata is at:

https://localhost:44326/saml/metadata

Download the XML file and save it.

We want to use identityserver as the source of authentication so we need to add a Claims Provider (CP) trust to ADFS.

In the "Add Claims Provider Trust" wizard, import the claims provider data from the file you saved (browse to it) and click "Next".

Then give the CP a name (I used RSK) and then “Next” out.

The RSK CP will now display in the CP list.

Double-click “RSK” to see the properties.

In the "Advanced" tab, set the secure hash algorithm to "SHA1".

The claims are coming from identityserver, so we need to pass them through the ADFS CP and then through the ADFS Relying Party (RP) (your test application, described below).

To do this, we need a pass-through claim rule:

By default, the SAML connection includes NameID, Given Name and Surname so we need three pass-through rules.

This is for the NameID. The other two are similar and can be selected from the claim type drop-down.

Just to repeat. You need three pass-through rules on the CP and the same three on the RP.
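The same six rules can be created with the ADFS PowerShell module instead of the wizard. The script below is an added example and not from the original article; it assumes the claims provider is named "RSK" as above, and the relying party name "Your Test Application" is a placeholder for whatever you called the RP trust.

```powershell
# Added example, not part of the original article.
# Creates the three pass-through rules on the CP trust and the RP trust.
Import-Module ADFS

# Ordered so the generated rules come out in a predictable sequence.
$claimTypes = [ordered]@{
    "NameID"     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    "Given Name" = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    "Surname"    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
}

# One pass-through rule per claim type, written in the ADFS claim rule language.
# Each rule only forwards the named claim type; anything else identityserver sends is dropped.
$rules = ($claimTypes.GetEnumerator() | ForEach-Object {
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through $($_.Key)"
c:[Type == "$($_.Value)"]
 => issue(claim = c);
"@
}) -join "`r`n"

# CP side: acceptance transform rules decide which incoming claims ADFS accepts from identityserver.
# Note: this replaces the whole acceptance rule set on the trust.
Set-AdfsClaimsProviderTrust -TargetName "RSK" -AcceptanceTransformRules $rules

# RP side: issuance transform rules decide which claims ADFS forwards to the test application.
# "Your Test Application" is a placeholder for the RP trust name you chose.
Set-AdfsRelyingPartyTrust -TargetName "Your Test Application" -IssuanceTransformRules $rules

# Show what ended up on each trust so the two rule sets can be compared.
(Get-AdfsClaimsProviderTrust -Name "RSK").AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name "Your Test Application").IssuanceTransformRules
```

Because `-AcceptanceTransformRules` and `-IssuanceTransformRules` overwrite the existing rule set, run the `Get-Adfs...Trust` commands first if the trusts already carry rules you want to keep, and append to that text rather than replacing it.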

To test this, we need an application (the RP) that connects to ADFS (via "Add Relying Party Trust"). If you have ADFS 4.0 (Server 2016) you could use OpenID Connect; for earlier versions, you could use WIF.

Run the application. This will bring up the ADFS Home Realm Discovery screen.

Select “RSK”.

This will take you to the identityserver login screen.

Login with:

alice / alice

My application displays the claims:

All good!
