WIF, ADFS 2 and WCF–Part 3: ADFS Setup
Posted on Least Privilege
Published on Tue, 12 Oct 2010 14:53:56 GMT
IdentityModel
In part 1 of this series I briefly gave an overview of the ADFS / WS-Trust infrastructure. In part 2 we created a basic WCF service that uses ADFS for authentication. This part will walk you through the steps to register the service in ADFS 2.
I could provide screenshots for all the wizard pages here, but since this is really easy I'll just go through the necessary steps in text form.
Step 1 – Select Data Source
Here you decide whether to import a federation metadata file that describes the service you want to register. In that case all necessary information (identifier, endpoints, encryption certificate) is inside the metadata document and you are done. FedUtil (a tool that ships with WIF) can generate such metadata for the simplest cases. Another tool to create metadata can be found here.
We choose ‘Manual’ here.
Step 2 – Specify Display Name
That one is self-explanatory.
Step 3 – Choose Profile
Choose ‘ADFS 2 Profile’ here.
Step 4 – Configure Certificate
Remember that in the previous post we configured a certificate (or rather its private key) for decrypting incoming tokens. Here you specify the corresponding public key that ADFS 2 should use to encrypt the token. Only the public key (a .cer file) is needed on the ADFS side; the private key stays on the service host and should never be imported into ADFS.
Step 5 – Configure URL
This page configures the WS-Federation passive and SAML 2.0 protocol (SAML-P) endpoints, i.e. the browser-based sign-in protocols. Since we are using WS-Trust (the active profile), you can leave both boxes unchecked.
Step 6 – Configure Identifier
Here you specify the identifier (aka the realm, aka the appliesTo) that clients use when requesting tokens for the service. The client sends this value in the AppliesTo element of the token request, and ADFS 2 uses it to look up the relying party configuration and the claim rules that apply to it. It therefore has to match exactly what the client will send.
Step 7 – Configure Issuance Authorization Rules
Here you configure who is allowed to request tokens for the service. I won't go into details here on how these rules exactly work; that's for a separate blog post. For now simply use the “Permit all users” option (which still requires the caller to authenticate to ADFS; it only skips any further authorization check).
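The same registration as a script, for those who prefer repeatable setups over wizard clicks. This is an added example and not part of the original post; it uses the ADFS 2.0 PowerShell snap-in that ships with ADFS 2.0. The display name, the identifier/realm and the certificate path are assumed placeholder values; replace them with the ones you used for the service in part 2. The claim rule text is the one the wizard generates for the “Permit all users” option.

```powershell
# Added example (not from the original post): register the WCF service from part 2
# as a relying party in ADFS 2.0 using the snap-in instead of the wizard.
# Assumed values: display name, identifier (realm / appliesTo) and path to the public key.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$name       = "WCF Claims Service"                                  # assumed (step 2)
$identifier = "https://claimsservice.example.com/service"           # assumed (step 6)
$certPath   = "C:\certs\claimsservice-encryption.cer"               # assumed, PUBLIC key only (step 4)

# Step 4: the public key ADFS 2 uses to encrypt tokens. The matching private key
# stays on the service host, so refuse anything that carries one.
$encryptionCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
if ($encryptionCert.HasPrivateKey) {
    throw "Use the .cer (public key) export; ADFS must not hold the service's private key."
}

# Step 7: the rule behind the wizard's "Permit all users" option.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 1, 3, 5, 6: manual data source, default (ADFS 2) profile, no WS-Federation
# or SAML 2.0 endpoints (we only use WS-Trust), identifier as the client will send it.
# For a self-signed test certificate you may additionally need
#   -EncryptionCertificateRevocationCheck None
# since ADFS checks the chain by default; do not use that setting in production.
Add-ADFSRelyingPartyTrust -Name $name `
    -Identifier $identifier `
    -EncryptionCertificate $encryptionCert `
    -EncryptClaims $true `
    -IssuanceAuthorizationRules $permitAll

# Check: the exact identifier the client puts into AppliesTo must resolve to this trust.
$rp = Get-ADFSRelyingPartyTrust -Identifier $identifier
if ($null -eq $rp) { throw "No relying party trust found for identifier $identifier" }
"{0}: EncryptClaims={1} EncryptionCert={2}" -f $rp.Name, $rp.EncryptClaims, $rp.EncryptionCertificate.Thumbprint
$rp.IssuanceAuthorizationRules
```

Run this in an elevated PowerShell on the ADFS 2.0 server. The final lookup by identifier is the check worth keeping around: a mismatch between the realm the client sends and the identifier registered here (a trailing slash is enough) means ADFS cannot find the trust and will refuse to issue a token.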
OK – that’s it. The service is now registered at ADFS 2. In the next part we will finally look at the service client.
Stay tuned…
© Least Privilege or respective owner