This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Server.v3 and ADFS #618

Closed
gri4 opened this issue Dec 8, 2014 · 10 comments

gri4 commented Dec 8, 2014

Hello,
Would you tell me if there are any guidelines/samples related to connecting Server.v3 to ADFS?
I need to perform username/password authentication against ADFS. Something like http://brockallen.com/2013/04/14/getting-json-web-tokens-jwts-from-adfs-via-thinktecture-identityservers-adfs-integration/ (topic 3) and "Thinktecture.IdentityServer.v2/samples/AdfsIntegrationFullSample" would be very useful.
I have reviewed the SelfHost (InMem with WS-Fed) sample, but there is no info on how to configure IdentityServer in order to interact with an ADFS instance.
Thank you.

leastprivilege (Member) commented

We only support ADFS as an identity provider - via the browser login window. Is that what you want? Or are you looking for a programmatic way to authenticate the user?

If yes - we don't support that out of the box anymore - but can be implemented using a custom grant. The samples repo has a basic example of custom grant implementation.

gri4 (Author) commented Dec 8, 2014

Yes, looking for a programmatic way to authenticate the user. Will review custom grant sample, thanks.

gri4 (Author) commented Dec 8, 2014

So, according to the "CustomGrants (more customization)" sample, I can extend CustomUserService.AuthenticateLocalAsync so that it authenticates against an ADFS instance.
Authentication itself can be done as here: http://leastprivilege.com/2010/04/14/using-an-active-endpoint-to-sign-into-a-web-application/
Is it correct?

brockallen (Member) commented

If you want the uid/pwd on the IdentityServer login page to be used against AD, then yes -- you would implement a custom user service. You'd then use whatever you want to contact AD (or ADFS) to validate the credentials.

@gri4 gri4 closed this as completed Dec 8, 2014
carl-berg commented

I have a similar scenario I would like to implement. I want to provide an OAuth2 Resource Owner Password flow without UI. We have ADFS 3 set up for website user login. Would you suggest using IdentityServer3, or would AuthorizationServer be a better choice in my case?

brockallen (Member) commented

IdentityServer3 is recommended over AuthorizationServer

carl-berg commented

So I have heard. However, I found it hard to find a way forward in using ADFS programmatically to validate users, but I dug around a bit in the AuthorizationServer code and found WsTrustResourceOwnerCredentialValidation, which I'm currently using in a custom UserService in IdentityServer, and so far I've been able to successfully validate username and password and to get claims back.

brockallen (Member) commented

You could use something similar within IdSvr. It sounds like your concern is how to contact ADFS -- that'll be the same either from IdSvr or AuthorizationServer.

carl-berg commented

Is there something similar to WsTrustResourceOwnerCredentialValidation in IdentityServer3? I've been trying to find something like it but haven't had any success so far...

brockallen (Member) commented

No, but you can copy that code over into your implementation.
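The validation step the thread describes (a custom user service handing the username/password to the ADFS WS-Trust endpoint and taking claims back from the issued token), as an added example; this is not code from IdentityServer3 or AuthorizationServer, it uses the .NET 4.5 System.ServiceModel/System.IdentityModel WS-Trust client rather than the WsTrustResourceOwnerCredentialValidation class mentioned above, and the endpoint, relying-party identifier and certificate thumbprint are placeholders:

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Xml;

public static class AdfsPasswordValidator
{
    // Placeholders: the ADFS username/password WS-Trust endpoint, the relying-party
    // identifier registered in ADFS for IdentityServer, and the ADFS token-signing cert thumbprint.
    const string StsEndpoint = "https://adfs.example.com/adfs/services/trust/13/usernamemixed";
    const string RelyingPartyId = "urn:example:identityserver";
    const string IssuerThumbprint = "<adfs-token-signing-thumbprint>";

    // Returns the claims ADFS asserts for the user, or null when ADFS rejects the
    // credentials or the returned token fails signature, issuer, audience or lifetime checks.
    public static Claim[] Validate(string username, string password)
    {
        // TLS protects the password on the wire; ADFS expects a message-level UserName credential.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsEndpoint));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(RelyingPartyId),
            KeyType = KeyTypes.Bearer
        };
        GenericXmlSecurityToken token;
        try { token = factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken; }
        catch (MessageSecurityException) { return null; } // wrong credentials come back as a SOAP fault
        if (token == null) return null;

        // Do not trust the raw token: the handlers verify its signature against the pinned
        // ADFS certificate and enforce audience and lifetime before any claim is used.
        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RelyingPartyId));
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(IssuerThumbprint, "ADFS");
        handlers.Configuration.IssuerNameRegistry = issuers;
        using (var reader = XmlReader.Create(new StringReader(token.TokenXml.OuterXml)))
            return handlers.ValidateToken(handlers.ReadToken(reader)).SelectMany(id => id.Claims).ToArray();
    }
}
```

A custom user service would call Validate from its local-authentication method and map the returned claims (or the null result) onto IdentityServer's authentication result; the default handler configuration also chain-validates the ADFS signing certificate, so it must be trusted on the IdentityServer host.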
