
I am working on the authentication with Active Directory using ADFS.

While searching, I found a few articles on how to accomplish this requirement, but they suggest redirecting the login page of the application to the login page of ADFS and then coming back.

Redirecting to the ADFS login page is not recommended from a user-experience point of view.

Can anyone help me find a solution to authenticate with Active Directory using ADFS behind the scenes? That way, everything will be handled by application code, not by the ADFS login page.

Please advise.

Please let me know if you have any concern or query or if you need more information.

1 Answer

The reason those articles suggest you redirect (using the WS-Federation protocol) to the ADFS login page is that it allows you to set up federation to other identity providers (allowing an external company's employees to use their own credentials to log in to your application).

What you want can be done using the WS-Trust protocol, but you'll give up (or have to implement yourself) the possibility to federate.

ADFS exposes endpoints like /adfs/services/trust/13/usernamemixed that you can talk to in order to get a security token. Something like the code below should get you going.

using System.IdentityModel.Protocols.WSTrust;   // RequestSecurityToken, RequestTypes, KeyTypes, EndpointReference
using System.IdentityModel.Tokens;               // SecurityToken
using System.ServiceModel;                       // WS2007HttpBinding, SecurityMode, MessageCredentialType
using System.ServiceModel.Security;              // WSTrustChannelFactory, TrustVersion

// Binding for the ADFS "usernamemixed" endpoint: the UserName token travels
// inside the SOAP message, so transport security (HTTPS) is mandatory.
public class UserNameWSTrustBinding : WS2007HttpBinding
{
    public UserNameWSTrustBinding()
    {
        Security.Mode = SecurityMode.TransportWithMessageCredential;
        Security.Message.EstablishSecurityContext = false;
        Security.Message.ClientCredentialType = MessageCredentialType.UserName;
    }
}

// Sends the user's credentials to ADFS over WS-Trust 1.3 and returns the
// security token it issues for the relying party named in AppliesTo.
private static SecurityToken GetSamlToken(string username, string password)
{
    var factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(),
        "https://yourdomain.com/adfs/services/trust/13/UsernameMixed")
    {
        TrustVersion = TrustVersion.WSTrust13
    };

    factory.Credentials.UserName.UserName = username;
    factory.Credentials.UserName.Password = password;

    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        // The relying party identifier registered in ADFS for your application.
        AppliesTo = new EndpointReference("https://yourdomain.com/yourservice"),
        // A bearer token carries no proof key, so it must only ever travel over TLS.
        KeyType = KeyTypes.Bearer
    };

    var channel = factory.CreateChannel();

    // Fails with a TLS trust error if the client does not trust the ADFS
    // server certificate, and with a fault if ADFS rejects the credentials.
    return channel.Issue(rst);
}
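The token that GetSamlToken returns must still be validated (signature, issuer, audience, expiry) before the application trusts any claim in it. The following is an added example, not part of the answer above; the thumbprint, issuer name and relying-party URI are placeholders you must replace with your own ADFS values.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Xml;

// Added example: validate the SAML token issued by ADFS before using its claims.
public static class TokenValidator
{
    // Placeholders (not values from the page): your ADFS token-signing
    // certificate thumbprint, the ADFS issuer identifier, and your RP identifier.
    private const string AdfsSigningThumbprint = "<THUMBPRINT-OF-ADFS-TOKEN-SIGNING-CERT>";
    private const string AdfsIssuerName = "http://yourdomain.com/adfs/services/trust";
    private const string RelyingPartyUri = "https://yourdomain.com/yourservice";

    public static ReadOnlyCollection<ClaimsIdentity> Validate(SecurityToken issued)
    {
        // Issue() hands back a GenericXmlSecurityToken wrapping the raw SAML XML.
        var xmlToken = issued as GenericXmlSecurityToken;
        if (xmlToken == null)
            throw new SecurityTokenException("Unexpected token type from the STS.");

        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        var config = handlers.Configuration;

        // Audience check: reject tokens that were issued for another relying party.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RelyingPartyUri));

        // Issuer check: only accept tokens signed by the pinned ADFS certificate.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(AdfsSigningThumbprint, AdfsIssuerName);
        config.IssuerNameRegistry = registry;

        // ADFS token-signing certificates are usually self-signed, so chain
        // building is replaced by the thumbprint pin above; keep ChainTrust
        // if your signing certificate is CA-issued.
        config.CertificateValidator = X509CertificateValidator.None;

        // Re-parse and validate: signature, lifetime, audience and issuer are
        // all enforced here; any failure throws a SecurityTokenException.
        using (var reader = new XmlTextReader(new StringReader(xmlToken.TokenXml.OuterXml)))
        {
            var parsed = handlers.ReadToken(reader);
            return handlers.ValidateToken(parsed);
        }
    }
}
```

Build the application's ClaimsPrincipal from the returned identities rather than from anything parsed out of the raw XML yourself.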

4 Comments

Moving forward, we are recommending people use OAuth/OIDC support with ADFS 2016 and beyond. A key reason for this is that even if it is a rich app, we prefer credential collection to always happen at the ADFS layer. OAuth/OIDC provides ways to then use this token in a non-interactive way after the initial authentication.
@SamuelDMSFT sure, but ADFS 2016 is not GA yet, so it doesn't really offer the OP a solution he can deploy in production.
Hi MvdD, thanks for your advice on this. I tried this solution locally using a self-signed SSL certificate. I added that certificate to the certificate authority in MMC. I am still getting the error message "Could not establish trust relationship for the SSL/TLS secure channel with authority 'eln.local'." I referred to different articles, and all of them suggest exporting the certificate from the ADFS server and installing it locally. Am I missing something? Please advise.
Make sure your self-signed certificate is imported in the 'Trusted Root Certificate Authorities' store of your local computer account on the client machine.
