Monday, June 11, 2012

ADFS 1.X and Custom STS

So, while implementing claims-based authentication for Citrix XenApp, the natural next step for me was to update my custom STS to issue the tokens directly, instead of making the user "jump" between several websites while logging on. When you configure the ADFS token-based client, you need to tell the web server which ADFS server to use by pointing it at a URL like https://admin.wingu.dk/adfs/fs/federationserverservice.asmx

I am sure it's doable to create a web service that sends whatever replies it expects; I'm also 99% sure all of that can be done purely with ADFS 2.0 and the Token2Identity service, but for now I don't mind leaving the ADFS 1.1 server in place, just issuing a token to it, and letting it pass its own token on to the Citrix Web Interface. So I add my STS as an account partner and try logging in. After sorting out some URLs and certificates, I got the first real error.

[ERROR] SamlViolatesSaml: No NameIdentifier

Hmm, I was 100% sure I was sending a Name ID, but I started Fiddler2, looked at the tokens from a login through my ADFS 2.0 server, compared them with the token from a login through my STS, and noticed mine looked different: it didn't seem to have a Name ID. So I added one, based on UPN (since I know that works with ADFS 2.0), in my code and tried again (with the code below, but without setting Format). This time I got

SamlViolatesInterop: No NameIdentifier/@Format

Weird. Google wasn't much help, but after playing around a bit I ended up with this piece of code that works:

' Name identifier for the SAML 1.1 token, with the Format attribute ADFS 1.x requires
Dim NameID As New Claim(ClaimTypes.NameIdentifier, UPN)
NameID.Properties(ClaimProperties.SamlNameIdentifierFormat) = "http://schemas.xmlsoap.org/claims/UPN"
identity.Claims.Add(NameID)

But now I get this error:


Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' not supported in this context


I had always wondered how to change that, but never needed to; now I do. Google and I came up with this:



' Sign this scope's tokens with RSA-SHA1/SHA1, which ADFS 1.x accepts, instead of the WIF default RSA-SHA256
scope.SigningCredentials = New X509SigningCredentials(_configuration.SigningCertificate, "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1")

Several people have been complaining that their tokens were expiring too fast, and I hadn't really had time to look into it, but since I was already updating the STS I might as well add that too. It turned out to be almost too easy. In your SecurityTokenService class, where you override GetScope and GetOutputClaimsIdentity, just override GetTokenLifetime too. Here is how I did it while testing:


Protected Overrides Function GetTokenLifetime(requestLifetime As Microsoft.IdentityModel.Protocols.WSTrust.Lifetime) As Microsoft.IdentityModel.Protocols.WSTrust.Lifetime
    ' Ignore the requested lifetime and issue a fixed 10-hour token (testing value)
    Return New Lifetime(Date.UtcNow, Date.UtcNow.AddHours(10))
End Function
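The three fixes above (the NameIdentifier with its Format, the per-scope RSA-SHA1 signing credentials, and the GetTokenLifetime override) all live in the same SecurityTokenService subclass. The following is an added example showing them together in one class; it is not the post's own STS code. It assumes the WIF 3.5 (Microsoft.IdentityModel) API, that the STS configuration's SigningCredentials is an X509SigningCredentials (so the certificate can be taken from it), and a hypothetical relying-party table whose URIs are placeholders for whatever the ADFS 1.x partner actually sends in AppliesTo. Two things it does differently from the post, for the reasons a practitioner would want: the SHA-1 downgrade is applied only to the scope of the ADFS 1.x partner rather than to every token the STS issues, and the token lifetime is a cap rather than a fixed 10 hours, honouring a shorter lifetime if the requester asks for one.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography.X509Certificates
Imports Microsoft.IdentityModel.Claims
Imports Microsoft.IdentityModel.Protocols.WSTrust
Imports Microsoft.IdentityModel.SecurityTokenService
Imports Microsoft.IdentityModel.Tokens

' Hypothetical STS (added example, not the post's code) that issues SAML 1.1 tokens
' an ADFS 1.x account partner will accept, without weakening tokens for other RPs.
Public Class LegacyFriendlyTokenService
    Inherits SecurityTokenService

    ' XML signature algorithm URIs as they appear in the token.
    Private Const RsaSha1 As String = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
    Private Const Sha1 As String = "http://www.w3.org/2000/09/xmldsig#sha1"
    Private Const RsaSha256 As String = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    Private Const Sha256 As String = "http://www.w3.org/2001/04/xmldsig#sha256"

    ' NameIdentifier/@Format ADFS 1.x expects for a UPN-based name identifier (value from the post).
    Private Const UpnNameIdFormat As String = "http://schemas.xmlsoap.org/claims/UPN"

    ' Assumed relying-party allow-list; in real code this comes from configuration.
    ' Key: AppliesTo URI (placeholder values); value: True if the RP is an ADFS 1.x server.
    Private Shared ReadOnly KnownRelyingParties As New Dictionary(Of String, Boolean)(StringComparer.OrdinalIgnoreCase) From {
        {"urn:federation:legacy-adfs.example", True},
        {"https://rp.example.com/", False}}

    ' Upper bound on token lifetime (the post's testing value); requesters may ask for less, never more.
    Private Shared ReadOnly MaxLifetime As TimeSpan = TimeSpan.FromHours(10)

    Public Sub New(config As SecurityTokenServiceConfiguration)
        MyBase.New(config)
    End Sub

    Protected Overrides Function GetScope(principal As IClaimsPrincipal, request As RequestSecurityToken) As Scope
        If request.AppliesTo Is Nothing OrElse request.AppliesTo.Uri Is Nothing Then
            Throw New InvalidRequestException("AppliesTo is required")
        End If
        Dim rp As String = request.AppliesTo.Uri.AbsoluteUri
        Dim isLegacyAdfs As Boolean
        ' Refuse to issue tokens for relying parties we do not know.
        If Not KnownRelyingParties.TryGetValue(rp, isLegacyAdfs) Then
            Throw New InvalidRequestException("Unknown relying party: " & rp)
        End If

        ' Assumes the configured SigningCredentials is X509-based so we can reuse its certificate.
        Dim cert As X509Certificate2 = DirectCast(SecurityTokenServiceConfiguration.SigningCredentials, X509SigningCredentials).Certificate
        Dim scope As New Scope(rp, SecurityTokenServiceConfiguration.SigningCredentials)
        If isLegacyAdfs Then
            ' ADFS 1.x cannot verify RSA-SHA256; downgrade for this scope only.
            scope.SigningCredentials = New X509SigningCredentials(cert, RsaSha1, Sha1)
        Else
            scope.SigningCredentials = New X509SigningCredentials(cert, RsaSha256, Sha256)
        End If
        scope.ReplyToAddress = rp
        ' Tokens travel over TLS in the passive flow; set True and supply EncryptingCredentials if the RP has an encryption cert.
        scope.TokenEncryptionRequired = False
        Return scope
    End Function

    Protected Overrides Function GetOutputClaimsIdentity(principal As IClaimsPrincipal, request As RequestSecurityToken, scope As Scope) As IClaimsIdentity
        Dim caller As IClaimsIdentity = TryCast(principal.Identity, IClaimsIdentity)
        If caller Is Nothing OrElse Not caller.IsAuthenticated Then
            Throw New UnauthorizedAccessException("Caller is not authenticated")
        End If
        Dim upn As String = FindClaim(caller, ClaimTypes.Upn)
        If String.IsNullOrEmpty(upn) Then Throw New InvalidRequestException("Caller has no UPN claim")

        Dim identity As New ClaimsIdentity()
        identity.Claims.Add(New Claim(ClaimTypes.Upn, upn))
        identity.Claims.Add(BuildNameIdentifier(upn))
        Return identity
    End Function

    ' NameIdentifier with the Format property set; without Format ADFS 1.x reports SamlViolatesInterop.
    Public Shared Function BuildNameIdentifier(upn As String) As Claim
        Dim nameId As New Claim(ClaimTypes.NameIdentifier, upn)
        nameId.Properties(ClaimProperties.SamlNameIdentifierFormat) = UpnNameIdFormat
        Return nameId
    End Function

    Protected Overrides Function GetTokenLifetime(requestLifetime As Lifetime) As Lifetime
        Dim now As DateTime = DateTime.UtcNow
        Dim expires As DateTime = now.Add(MaxLifetime)
        ' Honour a shorter requested expiry; ignore requests that are longer or already in the past.
        If requestLifetime IsNot Nothing AndAlso requestLifetime.Expires.HasValue Then
            Dim requested As DateTime = requestLifetime.Expires.Value
            If requested > now AndAlso requested < expires Then expires = requested
        End If
        Return New Lifetime(now, expires)
    End Function

    Private Shared Function FindClaim(identity As IClaimsIdentity, claimType As String) As String
        For Each c As Claim In identity.Claims
            If String.Equals(c.ClaimType, claimType, StringComparison.Ordinal) Then Return c.Value
        Next
        Return Nothing
    End Function
End Class
```

Keeping the RSA-SHA1 credentials inside GetScope, keyed on the relying party, is what stops the legacy fix from silently weakening every other token the STS signs; the default configured credentials remain RSA-SHA256 for everyone else. A 10-hour cap is still generous for a bearer token that ends up in a browser session, so treat MaxLifetime as a value to tune per relying party rather than a constant.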

Next project: testing whether I can rule out ADFS 1.x completely and run purely on WIF components.
