Question

I have tried to search for this, but haven't found any good answer for it, so I'll put out a question here!

I have a web site that several different customers want to access using their ADFS own service. My plans was then to have the connection to the different ADFS services in a centralized storage (not config files) and retrieve the correct one based on some parameters the customer provides to the web site and use it with code.

However, I cannot find any way to let one web site use several federation services. Is this method possible at all using WIF and ADFS? If so do you have any links or examples on how to do it?


Solution

This is possible, what you need is to create different requests depending on different user choices.

My practice is to have a bunch of buttons/links somewhere in the application (at the login page perhaps). Each button is dedicated to one external STS (ADFS in your case). Clicking the button creates the wsignin1.0 request to the server and when the ADFS returns to the login page, there should be a block of code to try to consume the response (SAML token) and create identity for current session.

This was easier in the past as WIF supported the wif:FederatedPassiveSignIn web control. All you needed was a bunch of these at your page, each single control pointing to its ADFS:

 <wif:FederatedPassiveSignIn id="adfs1" runat="server" Issuer="https://adfs1.adfs/adfs/ls" Realm="https://yourapp/loginpage.aspx" ImageUrl="adfs1.png" />
 <wif:FederatedPassiveSignIn id="adfs2" runat="server" Issuer="https://adfs2.adfs/adfs/ls" Realm="https://yourapp/loginpage.aspx" ImageUrl="adfs2.png" />

However, for some unknown reason the control has been removed from the .NET 4.5 version of WIF, thus making this much more difficult. A few months ago I recreated this for .NET 4.5; the code is freely available:

http://code.google.com/p/net45federatedpassivesignin/

If you don't want to use this (for example because you are on MVC and/or you don't like web controls), you can still dig into the code to see how the ID of a specific control is passed to the selected ADFS so that when the response comes from the ADFS, only the source control (the one that sent the request) consumes it (this involves using the wctx optional parameter of a wsignin1.0 request).

Edit: another option you might consider is to have a single ADFS playing the role of a relying STS. In such an environment, your application talks to a single adfs and this adfs is federated with a bunch of other adfses. This is even easier to set up as it only requires proper configuration. A user trying to authenticate is redirected to the relying adfs and the adfs shows the HomeRealmDiscovery page where the user selects the target adfs from a list and proceeds to authenticate there.
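The per-issuer button approach the answer describes, written out as an added example (this is not the answer's code, nor code from the linked project). It uses the .NET 4.5 WIF class SignInRequestMessage from System.IdentityModel.Services to build the wsignin1.0 redirect for whichever ADFS the user picked, and uses wctx only as an opaque, single-use handle that is bound server-side to the chosen issuer. The issuer registry and the pending-request store are in-memory dictionaries here as a stand-in for the centralized storage the question mentions; the issuer URLs and realm are constructed sample values.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.IdentityModel.Services;   // SignInRequestMessage (WIF, .NET 4.5)
using System.Security.Cryptography;

// Added example, not the answer's code. The issuer registry and pending-request
// store are in-memory assumptions standing in for a centralized store.
public sealed class FederationRouter
{
    // Issuer id -> ADFS passive endpoint (constructed sample values).
    private readonly IDictionary<string, Uri> _issuers = new Dictionary<string, Uri>
    {
        { "adfs1", new Uri("https://adfs1.adfs/adfs/ls") },
        { "adfs2", new Uri("https://adfs2.adfs/adfs/ls") },
    };

    // wctx handle -> (issuer id, expiry). The handle carries nothing a user
    // could usefully edit; the binding to an issuer lives only on the server.
    private readonly ConcurrentDictionary<string, Tuple<string, DateTime>> _pending =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();

    private readonly string _realm;

    public FederationRouter(string realm) { _realm = realm; }

    // Step 1: the button for issuerId was clicked. Build the wsignin1.0 redirect URL.
    public string BuildSignInUrl(string issuerId)
    {
        Uri issuer;
        if (!_issuers.TryGetValue(issuerId, out issuer))
            throw new ArgumentException("unknown issuer", "issuerId");

        string handle = NewHandle();
        _pending[handle] = Tuple.Create(issuerId, DateTime.UtcNow.AddMinutes(5));

        var request = new SignInRequestMessage(issuer, _realm)
        {
            Reply = _realm,     // wreply: where ADFS posts the token back
            Context = handle,   // wctx: opaque, returned unchanged by ADFS
        };
        return request.WriteQueryString();   // wa=wsignin1.0&wtrealm=...&wctx=...
    }

    // Step 2: ADFS posted back to the login page. Decide which issuer this
    // response belongs to before any token handling happens. Returns null
    // when the post is not a sign-in response we are waiting for.
    public string ResolveIssuer(NameValueCollection form)
    {
        if (form["wa"] != "wsignin1.0" || string.IsNullOrEmpty(form["wresult"]))
            return null;   // not a sign-in response; render the page normally

        string handle = form["wctx"];
        Tuple<string, DateTime> entry;
        if (handle == null || !_pending.TryRemove(handle, out entry))
            return null;   // unknown or already-used wctx: ignore the response
        if (entry.Item2 < DateTime.UtcNow)
            return null;   // expired

        return entry.Item1;
    }

    // The endpoint whose signing certificate the caller must validate wresult
    // against; the token's own claim about its issuer is not the deciding input.
    public Uri IssuerEndpoint(string issuerId) { return _issuers[issuerId]; }

    private static string NewHandle()
    {
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "");
    }
}
```

On the login page, each button calls BuildSignInUrl with its issuer id and redirects to the result; the page's postback handler calls ResolveIssuer first and only then hands wresult to the WIF token handlers configured for that one issuer. Keeping wctx opaque, single-use and short-lived is what stops a response from being consumed by the wrong issuer's configuration: the page never reads the issuer choice out of the browser-supplied wctx, it reads it out of its own pending-request record.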

Licensed under: CC-BY-SA with attribution