Rory Braybrook
Dec 10, 2018 · 3 min read

Have a read of the similar post I did with ADFS 4.0. There’s lots of background there.

For this post, Auth0 needs to be the RP, i.e. idsrv4 needs to be the CP (claims provider).

The flow is then:

WS-Fed RP Client → Auth0 → (via RSK WS-Fed) → idsrv4

In other words, Auth0 acts as an IDP for the flow on the left and as a RP for the flow on the right.

I used these articles to configure Auth0:

Configuring Auth0 as the IDP

Configuring Auth0 as the RP.

Note that this article references ADFS but the same approach works for any WS-Fed IDP.

The idsrv4 metadata is at:

https://localhost:44309/wsfed

Remember to configure the applications that are allowed to access this connection.

Note that I have configured “company.com” as the “email domain”. This forces anyone logging in with a “company.com” email address to be redirected to that enterprise connection i.e. they will be redirected to idsrv4.

I’m using both the IDP and the RP in the sample RSK GitHub project.

The IDP settings are:

The RP settings are:

The IDP Startup.cs:

// Registered on the idsrv4 (IDP) side; needs IdentityServer4 plus the RSK WS-Fed package.
private static readonly Client RelyingParty = new Client
{
    // Realm that Auth0 sends as wtrealm; it must match the realm on the Auth0 connection exactly.
    ClientId = "urn:auth0:Auth0_tenant_name",
    AllowedScopes = { "openid", "profile" },
    // The only wreply idsrv4 will post a token back to (Auth0's WS-Fed callback).
    RedirectUris = { "https://Auth0_tenant_name/login/callback" },
    ProtocolType = IdentityServerConstants.ProtocolTypes.WsFederation
};

The RP Startup.cs:

// Chained onto services.AddAuthentication(...) in the RP's ConfigureServices; a cookie
// scheme named "cookie" must be registered, because SignInScheme below points at it.
.AddWsFederation("wsfed", options =>
{
    // Auth0 publishes its WS-Fed metadata (passive endpoint, signing certificate) here.
    options.MetadataAddress = "https://Auth0_tenant_name/wsfed/FederationMetadata/2007-06/FederationMetadata.xml";
    // Must match the "Realm" configured for this application on the Auth0 side.
    options.Wtrealm = "urn:rp1";
    // false permits metadata over plain HTTP; fine for a local test, keep it true in production.
    options.RequireHttpsMetadata = false;
    options.SignInScheme = "cookie";
});

Notice that the "urn:rp1" matches the "Realm" in the Auth0 application configuration above. If the two differ, Auth0 will reject the sign-in request.
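To make the three pieces of configuration above concrete (metadata drives the RP, the realm and callback drive the IDP, the email domain drives routing), here is an added example in Python; it is not code from the post or from the RSK project, and it is independent of the .NET middleware. The federation metadata, the idp.example.test hostname, the certificate value and the connection name "idsrv4-wsfed" are constructed placeholders. It parses metadata the way a WS-Fed RP does, builds the wsignin1.0 redirect an RP sends, performs the realm and wreply checks an IDP such as idsrv4 performs against its registered Client, and does the exact-domain home-realm discovery that Auth0's "email domain" setting gives you.

```python
"""WS-Federation passive sign-in helpers (added example, not the post's code)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata in the shape of the 2007-06 FederationMetadata.xml that
# Auth0 and the RSK plugin publish. Hostname and certificate are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:example-idp">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBplaceholder==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://idp.example.test/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""

# Mirrors the idsrv4 Client in the post: ClientId is the trusted realm and
# RedirectUris are the only wreply values a token may be posted back to.
REGISTERED_RPS = {
    "urn:auth0:Auth0_tenant_name": {"https://Auth0_tenant_name/login/callback"},
}

# Email-domain routing as set on the Auth0 enterprise connection (connection name assumed).
EMAIL_DOMAIN_CONNECTIONS = {"company.com": "idsrv4-wsfed"}


def parse_metadata(xml_text):
    """RP side: pull issuer, passive endpoint and signing certificate out of metadata."""
    root = ET.fromstring(xml_text)
    cert = root.find(
        ".//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    endpoint = root.find(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    if cert is None or endpoint is None:
        raise ValueError("metadata lacks a signing certificate or a passive endpoint")
    return {
        "entity_id": root.get("entityID"),
        "passive_endpoint": endpoint.text.strip(),
        "signing_cert": cert.text.strip(),
    }


def build_signin_url(passive_endpoint, wtrealm, wreply=None, wctx=None):
    """RP side: the wsignin1.0 redirect the RP middleware sends the browser to."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm}
    if wreply:
        params["wreply"] = wreply
    if wctx:
        params["wctx"] = wctx  # opaque RP state, echoed back with the token
    return f"{passive_endpoint}?{urlencode(params)}"


def validate_signin_request(url, registered=REGISTERED_RPS):
    """IDP side: accept only a registered realm and an exactly registered wreply."""
    qs = parse_qs(urlsplit(url).query)
    wa = qs.get("wa", [None])[0]
    realm = qs.get("wtrealm", [None])[0]
    wreply = qs.get("wreply", [None])[0]
    if wa != "wsignin1.0":
        raise ValueError(f"unsupported wa: {wa!r}")
    if realm not in registered:
        raise ValueError(f"unregistered realm: {realm!r}")
    # Exact match, never a prefix match: a wreply that merely starts with the
    # registered callback would turn the IDP into an open redirect for the token.
    if wreply is not None and wreply not in registered[realm]:
        raise ValueError(f"wreply not registered for realm: {wreply!r}")
    return realm, wreply


def connection_for_email(email):
    """Home-realm discovery: route on the exact email domain; None means local password login."""
    if "@" not in email:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    return EMAIL_DOMAIN_CONNECTIONS.get(domain)  # "evil.company.com" must not match "company.com"
```

In the chained flow the same checks run twice: the RP's middleware validates Auth0's metadata and realm, then Auth0, acting as an RP, does the same against idsrv4, while idsrv4 only accepts the realm and callback registered on its Client. A realm typo at any hop shows up as a rejected sign-in request rather than a silent fallback, which is what you want.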

So let’s try it.

Running the RP and clicking “Login” brings up:

Notice that the moment I enter the “company.com” email address the password field disappears. This is because Auth0 knows that I am going to use another IDP to authenticate.

Clicking “LOG IN” takes me to idsrv4.

Enter “alice / alice” or “bob / bob”.

Success!

All good!

The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.

Rory Braybrook

Written by

NZ Microsoft Identity dude. Microsoft MVP. Azure AD/B2C/ADFS. Plus Auth0/identityserver. N. Shore .NET UG Admin. Presentations: http://bit.ly/334ZPt5
