This topic describes the configuration for the WebForm and MVC Service Provider (SP) example project. That project demonstrates SSO with Windows ADFS.
In this example we assign the hostname sp.com to the SP example and idp.com to the ADFS server.
If you run the example locally, you may want to update the Windows\System32\drivers\etc\hosts file on both the IdP and SP machines to include entries for www.idp.com and www.sp.com. For example:
Configure the Service Provider example
The settings for the SP example are stored in its web.config file.
- SsoBinding specifies the binding to use when communicating with the ADFS identity provider. The value can be either urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect or urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- IdpHttpPostServiceUrl is the URL of the ADFS service when using the HTTP POST binding
- IdpHttpRedirectServiceUrl is the URL of the ADFS service when using the HTTP Redirect binding
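To validate the three settings above before the SP sends an authentication request, here is an added C# example (not code from the ComponentPro example project). The web.config fragment and the https://www.idp.com/adfs/ls/ endpoint in it are constructed sample values, and the requirement that the endpoint be an absolute https URL is an added check, not something this topic states.

```csharp
// Added example: reads the SP example's appSettings and resolves the IdP endpoint
// that matches SsoBinding, failing loudly on a misconfiguration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class SpSettingsCheck
{
    const string HttpRedirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    const string HttpPost = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    // Constructed web.config fragment; the hostname follows this topic, the path is a sample value.
    const string SampleConfig = @"<configuration><appSettings>
  <add key=""SsoBinding"" value=""urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"" />
  <add key=""IdpHttpPostServiceUrl"" value=""https://www.idp.com/adfs/ls/"" />
  <add key=""IdpHttpRedirectServiceUrl"" value=""https://www.idp.com/adfs/ls/"" />
</appSettings></configuration>";

    // Collects every <add key="..." value="..."/> under appSettings into a dictionary.
    public static Dictionary<string, string> ReadAppSettings(string xml) =>
        XDocument.Parse(xml).Descendants("add")
            .ToDictionary(e => (string)e.Attribute("key"), e => (string)e.Attribute("value"));

    // Returns the IdP endpoint for the configured binding, or throws if the binding
    // is not one of the two SAML 2.0 URNs or its URL is missing or not absolute https.
    public static Uri ResolveIdpEndpoint(IDictionary<string, string> settings)
    {
        if (!settings.TryGetValue("SsoBinding", out var binding))
            throw new InvalidOperationException("SsoBinding is missing");

        string urlKey = binding switch
        {
            HttpRedirect => "IdpHttpRedirectServiceUrl",
            HttpPost => "IdpHttpPostServiceUrl",
            _ => throw new InvalidOperationException($"Unsupported SsoBinding: {binding}")
        };

        // Added check: the ADFS endpoint must be an absolute https URL.
        if (!settings.TryGetValue(urlKey, out var url)
            || !Uri.TryCreate(url, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException($"{urlKey} must be an absolute https URL");

        return uri;
    }

    public static void Main()
    {
        var endpoint = ResolveIdpEndpoint(ReadAppSettings(SampleConfig));
        Console.WriteLine($"Authentication request will be sent to {endpoint}");
    }
}
```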
Configure the ADFS server
Our SP example acts as a relying party of the ADFS server. To add a relying party trust for the SP to the ADFS service, use the ADFS management console.
In the following step, select “Enter data about the relying party manually”,
then specify a display name for the party, e.g. “www.sp.com”.
In the Choose Profile step, select AD FS Profile
If you want the SAML assertion returned by ADFS to be encrypted, browse to SPKey.pfx to specify it as the token encryption certificate.
Now enable support for the SAML 2.0 WebSSO protocol and specify the service provider’s assertion consumer service URL. In our MVC example we use: www.sp.com/Service/
Then specify the relying party trust identifier.
In the Choose Issuance Authorization Rules step, select “Permit all users access to this relying party”.
The list of relying party trusts should now include our newly created SP.
The authentication request sent by the SP is signed. To specify the certificate used to validate that signature, open the relying party trust’s properties dialog and, under the Signature tab, add the service provider certificate.
For this example, we use the SHA-1 algorithm. To do so, click on the Advanced tab and choose SHA-1. Keep in mind that ComponentPro SAML supports both the SHA-1 and SHA-2 algorithms.
Then edit the claim rules and add a rule.
Map the Active Directory user principal name to the outgoing Name ID.
Your ADFS server should now be ready to connect with the example SP.