Connecting the Rock Solid Knowledge WS-Federation stack on identityserver4 to Auth0

Rory Braybrook
Dec 10, 2018 · 3 min read

Have a read of the I did with ADFS 4.0. There’s lots of background there.

For this post, Auth0 needs to be the RP, i.e. idsrv4 needs to be the CP (claims provider, in ADFS terms).

The flow is then:

WS-Fed RP Client → Auth0 → (via RSK WS-Fed) → idsrv4

In other words, Auth0 acts as an IDP for the flow on the left and as an RP for the flow on the right.

I used these articles to configure Auth0:

Configuring Auth0 as the

Configuring Auth0 as the .

Note that this article references ADFS but the same approach works for any WS-Fed IDP.

The idsrv4 metadata is at:

Remember to configure the applications that are allowed to access this connection.

Note that I have configured “company.com” as the “email domain”. This forces anyone logging in with a “company.com” email address to be redirected to that enterprise connection i.e. they will be redirected to idsrv4.

I’m using both the IDP and the RP in the sample RSK GitHub project.

The IDP settings are:

The RP settings are:

The IDP Startup.cs:

// IDP (idsrv4) side: register Auth0 as a WS-Federation relying party.
private static readonly Client RelyingParty = new Client
{
    // The realm Auth0 presents for this tenant (used as the wtrealm).
    ClientId = "urn:auth0:Auth0_tenant_name",
    AllowedScopes = { "openid", "profile" },
    // Auth0's WS-Fed callback for the tenant.
    RedirectUris = { "https://Auth0_tenant_name/login/callback" },
    ProtocolType = IdentityServerConstants.ProtocolTypes.WsFederation
};

The RP Startup.cs:

// RP side: Auth0 is the WS-Federation IDP (Microsoft.AspNetCore.Authentication.WsFederation).
services.AddAuthentication(o => { o.DefaultScheme = "cookie"; o.DefaultChallengeScheme = "wsfed"; })
    .AddCookie("cookie")
    .AddWsFederation("wsfed", options =>
    {
        // Auth0 publishes its WS-Fed metadata per tenant at this path.
        options.MetadataAddress = "https://Auth0_tenant_name/wsfed/FederationMetadata/2007-06/FederationMetadata.xml";
        options.Wtrealm = "urn:rp1";            // this RP's realm, as registered in Auth0
        options.RequireHttpsMetadata = false;   // local development only; keep true in production
        options.SignInScheme = "cookie";
    });

Notice that the “urn:rp1” matches the “Realm” in the Auth0 configuration above.
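Everything the RP ends up trusting (issuer, redirect endpoint, token-signing certificates) comes out of the document behind `MetadataAddress`, and with `RequireHttpsMetadata = false` the handler will also accept that document over plain http. The following console program is an added example, not code from the RSK sample project or from Auth0: it builds a constructed WS-Fed metadata document shaped like the one idsrv4 (via RSK) or Auth0 publishes, complete with a freshly generated self-signed signing certificate, then parses it and reports the entityID, the passive requestor endpoint and the signing-certificate thumbprints, warning on anything you would not want to trust (non-https endpoint, expired or missing signing key). The entity ID `https://localhost:5000` and the endpoint are placeholders; pass a real metadata URL as the first argument to check a live document instead. It assumes .NET 6 or later (for `CertificateRequest` and `using var`).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using System.Xml.Linq;

// What a WS-Federation metadata document advertises, reduced to the facts an RP trusts.
public sealed class FederationMetadataSummary
{
    public string EntityId { get; set; } = "";
    public string PassiveEndpoint { get; set; } = "";
    public List<string> SigningCertThumbprints { get; } = new List<string>();
    public List<string> Warnings { get; } = new List<string>();
}

public static class FederationMetadataCheck
{
    static readonly XNamespace Md  = "urn:oasis:names:tc:SAML:2.0:metadata";
    static readonly XNamespace Ds  = "http://www.w3.org/2000/09/xmldsig#";
    static readonly XNamespace Fed = "http://docs.oasis-open.org/wsfed/federation/200706";
    static readonly XNamespace Wsa = "http://www.w3.org/2005/08/addressing";

    // Parse the metadata and extract issuer, passive endpoint and signing certificates.
    public static FederationMetadataSummary Summarize(string metadataXml)
    {
        var root = XDocument.Parse(metadataXml).Root
                   ?? throw new InvalidOperationException("empty metadata document");
        var summary = new FederationMetadataSummary
        {
            EntityId = (string)root.Attribute("entityID") ?? "",
            PassiveEndpoint = root.Descendants(Fed + "PassiveRequestorEndpoint")
                                  .Descendants(Wsa + "Address")
                                  .Select(a => a.Value.Trim())
                                  .FirstOrDefault() ?? ""
        };

        foreach (var keyDescriptor in root.Descendants(Md + "KeyDescriptor"))
        {
            // A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
            if ((string)keyDescriptor.Attribute("use") == "encryption") continue;
            foreach (var certElement in keyDescriptor.Descendants(Ds + "X509Certificate"))
            {
                using var cert = new X509Certificate2(Convert.FromBase64String(certElement.Value.Trim()));
                summary.SigningCertThumbprints.Add(cert.Thumbprint); // SHA-1 hex, as shown in Auth0/ADFS UIs
                if (cert.NotAfter < DateTime.UtcNow)
                    summary.Warnings.Add($"signing certificate {cert.Thumbprint} expired on {cert.NotAfter:u}");
            }
        }

        if (summary.EntityId.Length == 0)
            summary.Warnings.Add("no entityID: the RP cannot validate the token issuer");
        if (!summary.PassiveEndpoint.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            summary.Warnings.Add($"passive requestor endpoint is not https: '{summary.PassiveEndpoint}'");
        if (summary.SigningCertThumbprints.Count == 0)
            summary.Warnings.Add("no signing certificate: token signatures cannot be verified");
        return summary;
    }

    // Constructed sample: the shape idsrv4/RSK and Auth0 publish, with a throwaway self-signed key.
    public static string BuildSampleMetadata(string entityId, string passiveEndpoint)
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=sample token signing", rsa,
                                             HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                                  DateTimeOffset.UtcNow.AddYears(1));
        var certBase64 = Convert.ToBase64String(cert.Export(X509ContentType.Cert));

        return new XDocument(
            new XElement(Md + "EntityDescriptor", new XAttribute("entityID", entityId),
                new XElement(Md + "RoleDescriptor",
                    new XAttribute(XNamespace.Xmlns + "fed", Fed),
                    new XAttribute("protocolSupportEnumeration", Fed.NamespaceName),
                    new XElement(Md + "KeyDescriptor", new XAttribute("use", "signing"),
                        new XElement(Ds + "KeyInfo",
                            new XElement(Ds + "X509Data",
                                new XElement(Ds + "X509Certificate", certBase64)))),
                    new XElement(Fed + "PassiveRequestorEndpoint",
                        new XElement(Wsa + "EndpointReference",
                            new XElement(Wsa + "Address", passiveEndpoint)))))).ToString();
    }

    public static async Task<int> Main(string[] args)
    {
        // With a MetadataAddress URL as argument the live document is checked; otherwise the sample.
        string xml = args.Length > 0
            ? await new HttpClient().GetStringAsync(args[0])
            : BuildSampleMetadata("https://localhost:5000", "https://localhost:5000/wsfed");

        var summary = Summarize(xml);
        Console.WriteLine($"Issuer (entityID): {summary.EntityId}");
        Console.WriteLine($"Passive endpoint:  {summary.PassiveEndpoint}");
        foreach (var t in summary.SigningCertThumbprints) Console.WriteLine($"Signing cert:      {t}");
        foreach (var w in summary.Warnings) Console.WriteLine($"WARNING: {w}");
        return summary.Warnings.Count == 0 ? 0 : 1;
    }
}
```

Run it against both documents in this setup: the idsrv4 metadata that Auth0 is told about when the enterprise connection is created, and the Auth0 tenant metadata the RP points at. The thumbprints it prints are what you compare with the certificate shown in the Auth0 connection and idsrv4 signing configuration; a non-zero exit code means one of the checks above failed.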

So let’s try it.

Running the RP and clicking “Login” brings up:

Notice that the moment I enter the “company.com” email address the password field disappears. This is because Auth0 knows that I am going to use another IDP to authenticate.

Clicking “LOG IN” takes me to idsrv4.

Enter “alice / alice” or “bob / bob”.

Success!

All good!

The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.

Rory Braybrook

Written by

NZ Microsoft Identity dude. Azure AD/ADFS. Plus Auth0. North Shore .NET User Group Admin. Ignite - http://bit.ly/2D05Uh7 YouTube - http://bit.ly/2lzBqXQ
