Question

Has anyone succeeded in configuring ADFS2 to use Live ID (or Google, Yahoo, etc.) as a claims provider, and if so, where did you get the configuration instructions (can you share them please)? I have previously managed to do this with ACS in Azure to connect to Live ID and ADFS, but would like to use ADFS as the "HUB".


Solution

This is possible with a custom STS you federate your ADFS with.

The idea is to build an STS which itself uses OAuth2 to authenticate users and then (optionally) performs its own Active Directory queries to find a user with the same email address and reads roles from the AD. Then the custom STS returns all the claims to your application.

As Marnix points out, a hybrid approach is possible where the credentials are provided on the ADFS page rather than the identity provider page. This is rather difficult as it involves setting up the wstrustfeb2005 endpoint on your STS. I have a six-part tutorial on how to do this: http://netpl.blogspot.com/2011/08/adfs-20-quest-for-customizing-adfs-sign.html

Nonetheless, the latter approach is much more difficult, while exposing a passive STS federated with the ADFS should not take you a long time.

OTHER TIPS

AD FS 2.0 itself does not allow authentication against a custom authentication store: it can only authenticate Active Directory accounts. (See this answer of mine for the official documentation at this point.)

A solution is suggested in an answer to another StackOverflow question, although the wording is a bit misleading. If you read the actual blog post you see that they add an extra STS. AD FS 2.0 has a 'Claims Provider Trust' for that other STS, and redirects to it (if the 'home realm discovery' is set up correctly). That other STS then performs the authentication in whichever way it likes (e.g., using a Google or Live account), sends a token back to AD FS, which then runs its claim rules.

So in that solution it is not AD FS 2.0 authenticating against an alternative store, but redirecting to an STS which authenticates against that store.
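Both answers above describe the same pattern: ADFS 2.0 stays the hub, a separate passive STS does the social-login authentication, and ADFS registers that STS as a Claims Provider Trust and runs claim rules on the token it sends back. The following script, written for this page and not taken from either answer, shows what that registration looks like in the ADFS 2.0 PowerShell snap-in; the STS metadata URL, the relying party name and the realm identifier are hypothetical placeholders, and the role claim is assumed to be issued by the custom STS (which, as the solution says, may look it up in AD itself).

```powershell
# ADFS 2.0 ships its cmdlets as a snap-in (later versions use `Import-Module ADFS`).
Add-PSSnapin Microsoft.Adfs.PowerShell

# Hypothetical endpoints: replace with your own custom STS and relying party.
$stsMetadata = 'https://sts.example.test/FederationMetadata/2007-06/FederationMetadata.xml'
$rpName      = 'My Application'

# Acceptance transform rules run on the token the custom STS returns to ADFS.
# Only the claim types you explicitly pass through enter the ADFS pipeline;
# anything else the external STS asserts is dropped here, which keeps the
# social login from injecting claims your application did not expect.
$acceptanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through email from custom STS"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through roles resolved by custom STS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
 => issue(claim = c);
'@

# Register the custom STS as a Claims Provider Trust. ADFS reads the signing
# certificate and passive endpoint from the federation metadata; with
# monitoring enabled it re-reads that metadata when the STS rolls its key.
Add-ADFSClaimsProviderTrust -Name 'Social login STS' `
    -MetadataUrl $stsMetadata `
    -AcceptanceTransformRules $acceptanceRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Issuance transform rules on the relying party decide what the application
# finally receives. Passing through the accepted claims is the minimum;
# mapping or filtering can be added here without touching the custom STS.
$issuanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Issue email to application"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Issue roles to application"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
 => issue(claim = c);
'@
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $issuanceRules
```

With more than one claims provider trust configured, ADFS shows its home realm discovery page unless the application passes a `whr` hint; the custom STS only ever authenticates users, and it is the acceptance rules above that decide which of its assertions ADFS trusts.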

Licensed under: CC-BY-SA with attribution