Erik, If I understand you correctly, your ADFS infrastructure is internal-only with no Web Application Proxy (WAP)? If so, ADFS 2012 R2 should fall back to forms-based authentication for Android based on the UserAgent string, which means you shouldn’t need it to be domain joined. Then when you’re writing your application for Android to use OAuth, build the Android client application using the ADAL library for Android, which should pop up a browser control that can accept their username/password: Let me know if you have any further questions. Thanks, Dave.

Mike W, Sorry that my terminology is distracting. I wouldn’t necessarily consider it 'internal' terminology because I’m customer-facing 99% of the time and very careful about the wording that I choose. I thought the term 'stand-up' was a well-known IT term that just means to install and build out the required infrastructure.
SAS Agent for AD FS, a multi-factor authentication plugin, comes in. Secondary authentication occurs immediately after primary authentication and authenticates the same AD user. Once primary authentication is complete and successful, AD FS invokes what we call the external authentication handler.

Hi Daniel, From your post I did some research and it looks as if the configuration described is not supported. In the documentation linked below, on page 76, there is a note that states 'Custom Authentication does not support Active Directory Federation Services (ADFS).'
I started using the term 'onboarding' because the word 'install' doesn’t really apply, because we’re not installing in the traditional sense. It means to 'install and configure' federated applications on your ADFS infrastructure. I started using the term onboarding because getting federated applications configured on ADFS is typically a process, and it all starts with having the right dialogue between the ADFS owners and the application owners. It resonated with my customers enough that I started building an onboarding document that I’ll share with you guys in the next blog. Thanks for reading.

Taparshi, Your comment is exactly the line I try to tiptoe – simple yet detailed.
With federation it’s very easy to go off the deep end so I’m working really hard to 'unfold' federation in a way that really makes sense. I’m trying to provide a solid foundation now so when we start zipping through various scenarios later on, everything just clicks. I think I actually spend more time thinking about how to explain this stuff than actually writing it. I’ll work to get another blog out in the next 3-4 weeks. I’ll try to make it sooner but all this federation knowledge keeps me very busy.
Vince, Funny you say that because while this blog may seem pretty technical, the whole point of this particular post was to get everyone level-set on using the right terminology and put the various federation technologies in the right perspective, or as I call them, 'mental buckets'. This is why I put a disclaimer at the top for the readers to not be overly concerned with fully understanding all the URL parameters, etc. Once everyone is level-set and we’re all speaking the same language, that’s when efficient communication and learning really take place. Please stay tuned as I have another blog coming out soon.

We have been struggling for some time with the implementation of OAuth (env: internal ADFS, Server 2012 R2). After finally receiving information from MS support, it turned out that OAuth is not supported if not domain joined.
(Android not supported, btw.) That leaves us with an option that might work (Azure AD). The question, however, remains how to handle the role database lookup that we use today (ADFS gets info from a SQL DB (claims)). Any ideas on how to solve this? Br, erikwestergren(AT)msn.com.
Hi Dave, I’ve been scanning this blog post and the previous one for some insight into how to have ADFS elegantly delegate the discovery page to a SAML2 discovery service, in which an end user would choose the IdP from there, pass back through the ADFS service and on to the service with the appropriate claim. What I’m trying to avoid is duplication of the discovery visual elements in ADFS. I realize that ADFS must have the entities loaded and properly configured in order to work.
I’m wondering aloud if that would be where RelayState would come in and assist? My use case is SharePoint with external authentication delegated to ADFS, which in turn takes SAML2 assertions and translates them to claims. I have a Shibboleth Discovery Service already in place and find that I am driven to duplicate it inside ADFS rather than externalize the ‘select your IdP’ step to it instead of ADFS.
Thoughts or guidance on how to facilitate this? Thanks in advance.

Is there any way to do this in a non-interactive fashion?
I’m trying to authenticate using a Java / Spring Security OAuth client, so I can access some OData endpoints. As such, I don’t have (and don’t want to have!) a form login anywhere. What I’m not clear on is how I can:

1. send a request to /adfs/oauth2/authorize
2. get the authorization code
3. send a request to /adfs/oauth2/token (passing along the authorization code)
4. get the access token
5. send a request to the OData endpoint (passing along the access token)

without having a login form in the middle? Is there any way to send along my username/password credentials and perform the login ‘programmatically’?
I realize you’re not supposed to have to send credentials, that that’s kind of the point of OAuth. But I don’t see any other way. Is this possible?

How can I manually generate the WS-Fed sign-in protocol URI? My site itself as a whole doesn’t use WS-Federation; however, I have a need to link a user to the ADFS sign-in page, so that once they sign in, it redirects the user back to a specific page within my site. I tried a simple test using the WS-Fed sign-in protocol URI you mention, but ADFS gives me an 'Error occurred' message.
Looking at the log, it says: 'There are no registered protocol handlers on path /adfs/ls/ to process the incoming request. At Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)' Any help is appreciated.

Paul, What you describe sounds like IDP-initiated sign-on, where the user will start by going to ADFS first and, once authenticated, will be redirected to the application, SAML token in tow? So WS-Federation doesn’t really support IDP-initiated sign-on, but the bigger issue I see here is that ADFS, with WS-Fed, won’t just send the user back to an arbitrary URL within your application. When you configure the WS-Fed relying party within ADFS, you have to specify at that time the URL that ADFS will send the user back to, with token in tow.
Having the user navigate to the application first solves this problem because the application will typically maintain some session state about the URL the user originally requested, and when they come back from ADFS, the application verifies their token and then sends them back to the URL they requested originally. Please tell me more about your application so I can understand it better, especially the part about it not using WS-Fed but you still wanting to craft WS-Fed smart links for your users. Thanks, Dave.

Paul, One more thing.
I played around with the WS-Fed URL parameters, and ADFS will honor a WREPLY parameter, which indicates the URL you want your user sent back to after they authenticate. For security reasons, the URL you include in this WREPLY parameter must be a derivative of the WS-Fed endpoint you have on the ADFS relying party trust, which prevents users from submitting their SAML tokens over to rogue sites. For example, the WS-Fed endpoint on my ADFS relying party trust is: I appended the WREPLY parameter onto the end of the WS-Fed sign-in request like so, and ADFS honored it: As I mentioned earlier, my wreply parameter both contain.
If I had passed ADFS a WREPLY URL that didn’t contain, ADFS won’t honor it for security reasons.

Dave, I was about to write all the below, but just used your example URL with the wreply. Turns out I had a typo in the URL I was trying that was generating the ADFS error I saw. I got it to work now, as it returns back to my specific URL thanks to your wreply example.
Also, it appears I don’t actually have to put in a time value for the wct parameter and can just leave it as '&wct=&wreply'. If you have the time, I’d love it if you could read my background info below anyway and comment on my 'note' paragraph at the bottom. Thanks! Here’s more info that should help you understand why I’m wanting to craft my own WS-Fed URL request:

1. Our application serves 2 audiences, one of which has AD FS (Active Directory) credentials. The other audience has accounts stored in a SQL database. For this reason, we cannot just force all application requests to go to the ADFS sign-on page to get access.
However, there’s a subsection of our application where our ADFS credential users get access to 3rd party applications (via URLs) that are set up as ADFS relying party trusts. To access these specific 3rd party applications, these users will have to be directed to the ADFS sign-in page to be sure they’re authenticated through it before accessing the applications. We’d like to have a link, let’s call it 'Other Applications', that users can click on that will use this manually crafted WS-Fed URL I’m referring to, to take them to ADFS to authenticate them.
Once they sign in through the ADFS sign-in page, we want them redirected back to our application to a specific page that then lists the URLs for these 3rd party applications (thus when they now click on any, they will go directly into them since they are already authenticated with AD FS). We brainstormed other routes we could take for our application but decided on this one as it provides the clearest user experience and minimum negative impact on our users. I can give you more specifics of our situation (once you know where I work and who specifically our audiences are, you’ll understand even more), but prefer private communication to do so.
Not really wanting to have it out publicly. Just let me know your email and I can talk further. We are a Microsoft platform place, by the way. Note: what I really wanted to do was to be able to authenticate our application users to ADFS (in the background via an ADFS endpoint using a token) without forcing them to be redirected to the ADFS sign-in page, yet be able to SSO to our other relying party trust sites (multiple domains) without them having to sign in through the AD FS sign-in page. It’s my understanding that this cannot be done, as when I authenticate to ADFS through the endpoint, ADFS cannot create the cookie on the ADFS server to authenticate the other RPT sites.
I had a discussion going on at about this with the author, who was very helpful, though informed us this is not possible.

Dave, I tried posting twice here with some background information, and while it said it posted, nothing ever showed up. Maybe too long? Anyway, I’d prefer to continue the conversation through email, if possible. What is your email, if you don’t mind me asking? (Also, I did get our wreply example to work.
I realized I also had a typo in my original URL I was using, hence why it was not working.) I’d still like to ask you something else after providing you more info through email. Just let me know.

Hi Dave, I am trying to post a WS-Federation token to an Azure service. However, it’s giving me the following error. I am generating the token in plain Java code and not using any library. HTTP Error Code: 400 Message: ACS20001: An error occurred while processing a WS-Federation sign-in response.
Trace ID: bb574885-f048-4221-8226-09a2ddd65d44 Timestamp: 2015-11-13 19:57:21Z. I am setting wa=wsignin1.0 and wresult as the token. I was able to get a token from an existing configured service. It was also sending wctx as a parameter. When I tried to send the token with the wctx param, I got the following error: HTTP Error Code: 403 Message: ACS20001: An error occurred while processing a WS-Federation sign-in response. Inner Message: ACS50008: SAML token is invalid. Inner Message: ACS50006: Invalid signature.
Signature verification failed. Trace ID: 6726c9c5-6d37-421e-8cbf-1e39be479a6e Timestamp: 2015-11-13 20:02:42Z. With the same token without wctx, I am getting an error identical to the first one: HTTP Error Code: 400 Message: ACS20001: An error occurred while processing a WS-Federation sign-in response. Trace ID: e2c7ffce-89ff-4028-a1f8-2c2ea7d37ba1 Timestamp: 2015-11-13 20:03:32Z. Any ideas on how to solve this? Thanks, Gourav.
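The wreply rule Dave describes in his reply to Paul above, shown as an added example that is not code from the blog or from ADFS itself: it crafts the WS-Fed sign-in URL with the parameters discussed in the thread (wa, wtrealm, wct, wctx, wreply) and models the "derivative of the relying party endpoint" check component-wise, so that look-alike hosts and scheme downgrades are rejected where a raw string-prefix test would not be. The ADFS host, relying-party endpoint and function names are assumptions for the example.

```python
from urllib.parse import urlencode, urlsplit

# Constructed placeholders for this example, not the thread authors' real URLs.
ADFS_SIGNIN = "https://adfs.example.com/adfs/ls/"
RP_WSFED_ENDPOINT = "https://app.example.com/federation/"


def wreply_allowed(rp_endpoint: str, wreply: str) -> bool:
    """Model of the rule described in the thread: a wreply is only honored
    when it is a derivative of the relying party's registered WS-Fed endpoint.
    Compared by parsed component rather than by string prefix, so that
    'https://app.example.com.evil.net/...' or 'http://...' cannot pass."""
    rp, target = urlsplit(rp_endpoint), urlsplit(wreply)
    if target.scheme.lower() != "https" or target.scheme.lower() != rp.scheme.lower():
        return False  # no downgrade; the token must only travel over TLS
    if target.username or target.password:
        return False  # reject userinfo tricks such as https://app.example.com@evil.net/
    if (target.hostname or "").lower() != (rp.hostname or "").lower():
        return False  # exact host match, case-insensitive
    if target.port != rp.port:
        return False
    # Path must equal the endpoint path or sit below it as a sub-path.
    if target.path.rstrip("/") == rp.path.rstrip("/"):
        return True
    rp_prefix = rp.path if rp.path.endswith("/") else rp.path + "/"
    return target.path.startswith(rp_prefix)


def build_wsfed_signin_url(wtrealm: str, wreply: str, wctx: str = "", wct: str = "",
                           adfs_signin: str = ADFS_SIGNIN,
                           rp_endpoint: str = RP_WSFED_ENDPOINT) -> str:
    """Craft the WS-Fed sign-in 'smart link' Paul asks about. wct may be left
    empty, as Paul observed, and wreply is validated before it is embedded so
    a link generator never emits a redirect that ADFS would refuse anyway."""
    if not wreply_allowed(rp_endpoint, wreply):
        raise ValueError(f"wreply {wreply!r} is not a derivative of {rp_endpoint!r}")
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm,
              "wct": wct, "wctx": wctx, "wreply": wreply}
    return adfs_signin + "?" + urlencode(params)


if __name__ == "__main__":
    print(build_wsfed_signin_url(RP_WSFED_ENDPOINT,
                                 "https://app.example.com/federation/apps"))
```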
I have a PHP script that needs to authenticate with a resource server (SP), and the SP is protected by an ADFS server using the WS-Fed sign-in protocol; I know that from the query parameters when the SP redirects me to the ADFS server. The problem is whether there’s a way to authenticate without user interaction (form-based authentication), because I always see this protocol consisting of 3 entities (SP: any app you want to access, IdP: ADFS server, and user). If that is possible, could you point me in the right direction to achieve this using a library?