Exercise 3: Accepting Tokens from an Active Directory Federation Services (ADFS) STS
In this exercise you will modify the application from the previous exercise to accept tokens from an existing Active Directory Federation Services (ADFS) STS. You can expect this to be by far the most common scenario in which you will take advantage of an STS: Windows Identity Foundation makes the task very easy, thanks to its integration with Visual Studio and its use of federation metadata.
Note that in a real world scenario this task would require two steps:
- Configuring the RP application for accepting tokens from the STS
- Configuring the STS for issuing tokens for the RP application being developed
The current exercise focuses on the first step; the second step is unnecessary in our case. To keep the lab agile, we will take advantage of an instance of Active Directory Federation Services (ADFS) that is available over the Internet. That instance has been pre-provisioned with the data of the RP used in this lab, so it will start issuing tokens for us as soon as we request them. For this reason, it is of key importance that the application URI and the certificates follow exactly what is specified in the lab instructions.
Figure 33: Redirect & Claims flow in the case in which the identity provider is Windows Identity Foundation Server
Task 1 - Referencing an STS Published by an Instance of Active Directory Federation Services (ADFS)
- Open Microsoft Visual Studio 2010 with administrator privileges. From Start | All Programs | Microsoft Visual Studio 2010, right-click on Microsoft Visual Studio 2010 and select Run as administrator.
- Open the ClaimsEnableWebSite.sln solution file located in the %YourInstallationFolder%\Labs\WebSitesAndIdentity\Source\Ex3-FederatingADFSv2\Begin folder.
The starting solution is based on the Exercise 1 solution. It contains a simple relying party and a local STS, which will be modified to use an online STS.
- In Solution Explorer, right-click the https://localhost/ClaimsEnableWebSite project and select Add STS reference.
- When the Federation Utility window appears, perform the following tasks for each step of the wizard.
- On the Welcome page, click Next to continue using the pre-populated fields.
- On the STS options page, select the third option button ("Use an existing STS"), set the STS metadata location to https://ip-sts-01.federatedidentity.net/federationmetadata/2007-06/federationmetadata.xml and click Next.
Figure 35: Selecting an STS option
- Select Disable Certificate chain validation and click Next.
Figure 36: Disabling certificate chain validation
- Select the Enable encryption option, then select the Select an existing certificate from store option.
Figure 37: Using encryption with the localhost certificate
- Click Select Certificate and select the certificate for localhost.
Figure 38: Selecting the certificate
- Click Next.
- On the Offered Claims page, click Next.
Figure 39: Offered claims window
- On the Summary page, review the changes and click Finish.
Now that the application receives claims from a production STS, the development STS (the https://localhost/ClaimsEnableWebSiteEx03_STS project) is no longer necessary and can be removed from the solution.
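The wizard above does its work by reading the STS's federation metadata document and writing the values it finds into the web.config of the RP. The following Python example, added here and not part of the lab or of FedUtil, parses a constructed metadata document of that shape (example host, placeholder certificate bytes) the same way: it pulls out the passive endpoint that becomes the wsFederation issuer, the signing-certificate thumbprint that becomes the trustedIssuers entry, and the offered claim types, and then checks a configured thumbprint against what the STS currently publishes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706", "wsa": "http://www.w3.org/2005/08/addressing",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706", "xsi": "http://www.w3.org/2001/XMLSchema-instance"}

# Constructed stand-in for the STS signing certificate. WIF's thumbprint is SHA-1 over
# the DER bytes, so any byte string exercises the same computation as a real certificate.
FAKE_CERT_DER = b"constructed-placeholder-not-a-real-x509-certificate"

# Constructed, trimmed federation metadata with the elements FedUtil reads (example host, not the lab STS).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}" xmlns:fed="{NS['fed']}"
  xmlns:wsa="{NS['wsa']}" xmlns:auth="{NS['auth']}" xmlns:xsi="{NS['xsi']}"
  entityID="http://sts.example.test/adfs/services/trust">
 <RoleDescriptor xsi:type="fed:SecurityTokenServiceType">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <fed:ClaimTypesOffered>
   <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"/>
   <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth"/>
  </fed:ClaimTypesOffered>
  <fed:PassiveRequestorEndpoint><wsa:EndpointReference><wsa:Address>https://sts.example.test/adfs/ls/</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint>
 </RoleDescriptor>
</EntityDescriptor>"""

def parse_sts_metadata(xml_text):
    # Returns the values FedUtil writes into <microsoft.identityModel>: passive endpoint
    # (wsFederation issuer), signing thumbprint (trustedIssuers) and the offered claim types.
    root = ET.fromstring(xml_text)
    for role in root.findall("md:RoleDescriptor", NS):
        if not role.get(f"{{{NS['xsi']}}}type", "").endswith("SecurityTokenServiceType"):
            continue  # only the STS role carries the signing key and the passive endpoint
        b64 = role.findtext("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                            "ds:X509Certificate", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))  # strip any line wrapping in the base64
        return {
            "issuer": role.findtext("fed:PassiveRequestorEndpoint/wsa:EndpointReference/"
                                    "wsa:Address", namespaces=NS).strip(),
            "signing_thumbprint": hashlib.sha1(der).hexdigest().upper(),
            "offered_claims": [c.get("Uri") for c in
                               role.findall("fed:ClaimTypesOffered/auth:ClaimType", NS)],
        }
    raise ValueError("no SecurityTokenServiceType role in metadata")

def trusted_issuer_matches(config_thumbprint, xml_text):
    # Compare the thumbprint in web.config's <trustedIssuers> with what the STS now publishes;
    # a stale value after a signing-key rollover shows up as rejected tokens at the RP.
    expected = parse_sts_metadata(xml_text)["signing_thumbprint"]
    return config_thumbprint.replace(" ", "").upper() == expected
```

The Disable Certificate chain validation choice made in the wizard is what allows the lab's self-signed localhost certificate to be used and is the setting to revisit when the RP is configured against a production STS.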
Exercise 3: Verification
To verify that you have correctly performed all the steps in Exercise 3, proceed as follows:
- Run the solution (https://localhost/ClaimsEnableWebSite project)
- Sign in with the following user:
- Username: frankm
- Password: p@ssw0rd
Figure 41: Sign-in form of the Windows Identity Federation Online Server
- If you have JavaScript disabled in your Web browser, you will get a message as shown in Figure 1; click Submit to continue to the relying party.
Figure 42: Script is disabled message
- You should see the welcome message and the days to your birthday from the previous exercise.
Figure 43: Welcome message on the default page