So while implementing claims-based authentication for Citrix XenApp, the next natural step for me would be to update my custom STS to issue the tokens directly instead of making the user “jump” between several websites while logging on. When you configure the ADFS token-based client you need to tell the Web Server which ADFS Server to use, by pointing to a URL like https://admin.wingu.dk/adfs/fs/federationserverservice.asmx
I am sure it’s doable to create a Web Service that can send whatever replies it expects, and I’m also 99% sure all of that can be done purely with ADFS 2.0 and the Token2Identity Service, but for now I don’t mind leaving the ADFS 1.1 server in place and just issuing a token to that, letting it pass its own token on to the Citrix Web Interface. So I add my STS as an account partner and try logging in. After sorting out some URLs and certificates, I got the first real error:
[ERROR] SamlViolatesSaml: No NameIdentifier
Hmm, I was 100% sure I was sending a Name ID, but I start Fiddler2, look at the tokens from a login through my ADFS 2.0 server and compare them with the token from a login through my STS, and notice mine looks different: it didn’t seem to have a Name ID. So I added one, based on UPN (since I know that works with ADFS 2.0), in my code and try again (with the code below but without setting Format). This time I get
SamlViolatesInterop: No NameIdentifier/@Format
Weird. Google wasn’t much help, but after playing around a bit I end up with this piece of code that works:
' ADFS 1.x requires the NameIdentifier to carry a Format attribute; WIF emits it from this claim property
Dim NameID As New Claim(ClaimTypes.NameIdentifier, UPN)
NameID.Properties(ClaimProperties.SamlNameIdentifierFormat) = "http://schemas.xmlsoap.org/claims/UPN"
The next error:
Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' not supported in this context
I always wondered how to change that, but never had the need; now I do. Google and I came up with this:
' Sign the token with RSA-SHA1 / SHA1 instead of the WIF default RSA-SHA256, which ADFS 1.1 rejects
scope.SigningCredentials = New X509SigningCredentials(_configuration.SigningCertificate, "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1")
' Token lifetime handed to ADFS 1.1: valid from now for 10 hours
Protected Overrides Function GetTokenLifetime(requestLifetime As Microsoft.IdentityModel.Protocols.WSTrust.Lifetime) As Microsoft.IdentityModel.Protocols.WSTrust.Lifetime
    Return New Lifetime(Date.UtcNow, Date.UtcNow.AddHours(10))
End Function
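As an added example (not from the post or the STS code), a small Python check that reads a SAML 1.1 assertion, such as one captured with Fiddler, and reports which of the three ADFS 1.x problems above it would trigger. The token skeleton and user@example.com are constructed, and treating any signature algorithm other than rsa-sha1 as a problem is an assumption based on the error quoted above.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
UPN_FORMAT = "http://schemas.xmlsoap.org/claims/UPN"  # the Format value the post settled on


def check_saml11_assertion(xml_text):
    """Return the ADFS 1.x interop problems a SAML 1.1 assertion would trigger."""
    root = ET.fromstring(xml_text)
    problems = []
    # Every Subject needs a NameIdentifier, and each one needs a Format attribute.
    name_ids = root.findall(f".//{{{SAML1}}}Subject/{{{SAML1}}}NameIdentifier")
    if not name_ids:
        problems.append("SamlViolatesSaml: No NameIdentifier")
    elif any(not n.get("Format") for n in name_ids):
        problems.append("SamlViolatesInterop: No NameIdentifier/@Format")
    # ADFS 1.x rejected rsa-sha256 for the signature; anything but rsa-sha1 is flagged (assumption).
    method = root.find(f".//{{{DSIG}}}SignedInfo/{{{DSIG}}}SignatureMethod")
    if method is None:
        problems.append("Assertion is not signed")
    elif method.get("Algorithm") != RSA_SHA1:
        problems.append(f"Crypto algorithm '{method.get('Algorithm')}' not rsa-sha1")
    return problems


def sample_assertion(name_id=True, fmt=True, algorithm=RSA_SHA1):
    """Constructed skeleton of a WIF-issued SAML 1.1 token (signature value omitted)."""
    format_attr = f' Format="{UPN_FORMAT}"' if fmt else ""
    subject = f"<saml:NameIdentifier{format_attr}>user@example.com</saml:NameIdentifier>" if name_id else ""
    return f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1" AssertionID="_1">
  <saml:AttributeStatement><saml:Subject>{subject}</saml:Subject>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature xmlns:ds="{DSIG}"><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{algorithm}"/></ds:SignedInfo></ds:Signature>
</saml:Assertion>"""


if __name__ == "__main__":
    cases = [("no NameIdentifier", sample_assertion(name_id=False)),
             ("no Format", sample_assertion(fmt=False)),
             ("rsa-sha256", sample_assertion(algorithm=RSA_SHA256)),
             ("fixed token", sample_assertion())]
    for label, token in cases:
        print(f"{label}: {check_saml11_assertion(token) or 'OK'}")
```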
Next project: testing whether I can rule out ADFS 1.x completely and run purely on WIF components.