Matthias Jouin - 13 days ago
C# Question

How to add multiple endpoints to adfs

I have a lot of web applications on the same web server (II7):
let's say mydomain/app1, mydomain/app2, ... and so on.
I'm trying to add an ADFS authentication through OWIN.
Here's what I've done:

using System.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(MyNamespace.Startup))]
namespace MyNamespace
{
    public class Startup
    {
        // Realm and federation metadata URL are read from web.config appSettings
        private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
        private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);

            // Challenge every unauthenticated request before it reaches the application
            app.Use((context, next) =>
            {
                SignIn(context);
                return next.Invoke();
            });
            app.UseStageMarker(PipelineStage.Authenticate);
        }

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {
                    Wtrealm = realm,
                    MetadataAddress = adfsMetadata
                });
        }

        public void SignIn(IOwinContext context)
        {
            // Under IIS the user is usually an unauthenticated principal rather than null,
            // so check IsAuthenticated as well
            var user = context.Authentication.User;
            if (user == null || !user.Identity.IsAuthenticated)
            {
                context.Authentication.Challenge(
                    WsFederationAuthenticationDefaults.AuthenticationType);
            }
        }
    }
}


When a user accesses mydomain/app1, I want him to be authenticated through ADFS and then redirected to mydomain/app1. And the same thing for a user accessing mydomain/app2.

But I wish to add only one relying party trust in ADFS (because there are a lot of applications and all of them use the same claim rules).

I've tried different configurations, but I can't do what I want:

  • if the RP endpoint is mydomain/app1/, authentication is OK, but all requests (even those from mydomain/app2) are redirected to app1, obviously

  • if the RP endpoint is only mydomain/, I get a 405.0 HTTP error (Method Not Allowed) after the redirection (I take care of the trailing slash).

For information, I saw this question on stackoverflow:
URL redirection from ADFS server

But it doesn't really answer my problem because I don't understand the sentence "(...) WIF will process the response at URL_1, and then take care of redirecting the user to URL_2" in Andrew Lavers's comment.

How can I add multiple endpoints to one RP trust?
Or how can I redirect users to the original URL? (considering all applications are on the same domain).

Thanks in advance for any help.

Answer

You should be able to set the wreply parameter based on the application that triggers the authentication flow. Something like this:

app.UseWsFederationAuthentication(
    new WsFederationAuthenticationOptions
    {
        Wtrealm = realm,
        MetadataAddress = adfsMetadata,
        Notifications = new WsFederationAuthenticationNotifications
        {
            RedirectToIdentityProvider = context =>
            {
                // Reply URL: the root of the application that issued the challenge
                // (e.g. https://mydomain/app1/), built from the incoming request
                var request = context.Request;
                context.ProtocolMessage.Wreply =
                    request.Scheme + Uri.SchemeDelimiter + request.Host + request.PathBase + "/";
                return Task.FromResult(0);
            }
        }
    });
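A fuller version of this idea as an added example (not the answerer's or the question's code): the reply URL is derived from the requested application root, but the host comes from the configured realm rather than the incoming Host header, and only an allowlist of known application roots is accepted, so a crafted request cannot steer where the token is posted. The realm, metadata URL and the two app roots are assumed values; the challenge middleware from the question is unchanged and omitted here.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

namespace MyNamespace
{
    public class Startup
    {
        // Assumed values; the real ones come from web.config as in the question.
        private const string Realm = "https://mydomain/";
        private const string AdfsMetadata =
            "https://adfs.example.test/FederationMetadata/2007-06/FederationMetadata.xml";

        // Application roots that are legitimate reply targets for the single RP trust.
        private static readonly string[] KnownAppRoots = { "/app1", "/app2" };

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Realm,
                MetadataAddress = AdfsMetadata,
                Notifications = new WsFederationAuthenticationNotifications
                {
                    // Runs on every challenge: post the token back to the root of the
                    // application the user asked for. The originally requested URL is
                    // carried in wctx, and the middleware redirects there after validation.
                    RedirectToIdentityProvider = n =>
                    {
                        var reply = BuildReplyUrl(n.Request);
                        if (reply != null) n.ProtocolMessage.Wreply = reply;
                        return Task.FromResult(0);
                    }
                }
            });
        }

        // Builds "https://mydomain/appN/" from the request, or null if the app root is unknown.
        public static string BuildReplyUrl(IOwinRequest request)
        {
            // A separate IIS application exposes its root as PathBase ("/app1"); a single
            // OWIN app hosting all of them sees it as the first Path segment instead.
            string root = request.PathBase.HasValue
                ? request.PathBase.Value
                : "/" + (request.Path.Value ?? "/").Trim('/').Split('/')[0];
            if (!KnownAppRoots.Contains(root, StringComparer.OrdinalIgnoreCase)) return null;
            return new Uri(new Uri(Realm), root.TrimStart('/') + "/").AbsoluteUri;
        }
    }
}
```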