We found this blog entry on Cloud Identity to be really helpful to get started with something similar. We are using Web API, so it's not exactly the same.
You will need to add this to your Startup.Auth.cs file:
    app.UseActiveDirectoryFederationServicesBearerAuthentication(
        new ActiveDirectoryFederationServicesBearerAuthenticationOptions
        {
            // The key names read here must match the <add key="..."> entries in web.config exactly.
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"]
        });
In your web.config you will need keys to point to those entries:
    <add key="ida:AdfsMetadataEndpoint" value="https://adfs.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml" />
    <add key="ida:Audience" value="https://yourmvc.yourdomain.com" />
Note that what version of ADFS you are using makes a big difference. We found that while trying to get tokens to work with version 3.0 of ADFS they are somewhat broken at the moment. On-premises ADFS will also work much differently from Azure.
We needed to customize the claims for our implementation and this post helped immensely. Startup.Auth.cs will look similar to this:
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            Provider = new OAuthBearerAuthenticationProvider
            {
                OnValidateIdentity = async context =>
                {
                    // The user key comes from the already-validated token; it is not a free variable.
                    var userId = context.Ticket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                    context.Ticket.Identity.AddClaim(
                        new Claim("http://mycustomclaims/hairlength",   // claim type is a string URI
                                  RetrieveHairLength(userId),           // claim value must be a string
                                  ClaimValueTypes.Double,
                                  "LOCAL AUTHORITY"));
                }
            }
        });
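As an added example that is not part of the original answer or of the Katana project: the ADFS middleware from the first block combined with the claim enrichment from the second, so the custom claim is added only after the middleware has validated the token, and the user key is taken from the token's own claims rather than from an undefined userID. HairLengthStore and the sample UPN are constructed stand-ins for whatever RetrieveHairLength does in your code.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical lookup standing in for RetrieveHairLength, backed by constructed sample data.
public static class HairLengthStore
{
    private static readonly Dictionary<string, double> Data =
        new Dictionary<string, double> { { "alice@yourdomain.com", 12.5 } };
    public static double? Lookup(string subject)
    {
        double v; return Data.TryGetValue(subject, out v) ? v : (double?)null;
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseActiveDirectoryFederationServicesBearerAuthentication(
            new ActiveDirectoryFederationServicesBearerAuthenticationOptions
            {
                // Key names must match the <add key="..."> entries in web.config exactly.
                Audience = ConfigurationManager.AppSettings["ida:Audience"],
                MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
                Provider = new OAuthBearerAuthenticationProvider
                {
                    // Runs after the middleware has checked signature, issuer, audience and lifetime.
                    OnValidateIdentity = context =>
                    {
                        var identity = context.Ticket.Identity;
                        var subject = identity.FindFirst(ClaimTypes.Upn)
                                      ?? identity.FindFirst(ClaimTypes.NameIdentifier);
                        // No stable user key in the token: refuse it rather than enrich a guess.
                        if (subject == null) { context.Rejected(); return Task.FromResult(0); }
                        var length = HairLengthStore.Lookup(subject.Value);
                        if (length.HasValue)
                            identity.AddClaim(new Claim("http://mycustomclaims/hairlength",
                                length.Value.ToString(CultureInfo.InvariantCulture),
                                ClaimValueTypes.Double, "LOCAL AUTHORITY"));
                        return Task.FromResult(0);
                    }
                }
            });
    }
}
```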