Integrating a .net application with Access Manager using WS-Federation

This post will show how to configure a generic .net application to use the WS-Federation protocol to authenticate to the NetIQ Access Manager Identity Server. The steps that need to be performed are:

  1. Download and install Windows Identity Foundation SDK

  2. Prepare the Identity Server metadata

  3. Modify the application configuration using the Windows Identity Foundation Federation Utility

  4. Apply required manual modifications to the application configuration

  5. Configure the application as a WS-FED Service Provider on the Identity Server

  6. (Optional) Add validation of the authorization claim to the application


Prerequisites



  1. You must know the URL where the application will be deployed. In this tutorial we will use "http://localhost:2112". Note: This can be changed later, but the Federation Utility automates all of the configuration needed if you supply it with the correct URL.

  2. Visual Studio 2013 will be needed to modify the application. NOTE: older versions may be used, but the Community edition is a free download from Microsoft and is the version used in this tutorial. It is available at http://www.visualstudio.com/products/visual-studio-community-vs

  3. You must have access to the application project.


Task 1. Installing the WIF SDK



  1. Go to http://go.microsoft.com/fwlink/?linkid=179833 and download WindowsIdentityFoundation-SDK-4.0.msi

  2. Install the SDK on the workstation where you have the application source and Visual Studio 2013.


Task 2. Preparing the Identity Server Metadata


The Windows Identity Foundation Federation Utility uses the Identity Server metadata to configure the application for WS-FED authentication. The utility expects the metadata in a very specific format. Currently, the NetIQ Access Manager WS-FED provider metadata does not provide the required format. An enhancement request has been made but until it has been implemented you will need to manually modify the metadata so that it will be accepted by the utility. NOTE: an example metadata document is available here: ModifiedMetadataExample

To make the modifications you will start with the current WS-FED and SAML2 metadata documents from the Identity Server. The production metadata documents can be obtained from:

  • https://<your domain>/nidp/saml2/metadata

  • https://<your domain>/nidp/wsfed/metadata


Save these two files to disk, then open the SAML2 document in an editor that can handle UNIX/Linux line endings.

The first thing we will need to change is the namespace declaration of the root EntityDescriptor element.

  • Search for and remove all instances of "md:" in the document

  • In the EntityDescriptor tag, modify the namespace declaration by deleting the characters ":md". The namespace attribute should be as shown below:


image002

Since we are modifying the metadata we must now remove the existing digital signature.

  • Delete the "ds:SignedInfo" element and all the elements inside it

  • Delete the "SignatureValue" element and all the elements inside it


The next step is to add a "RoleDescriptor" element that contains the WS-FED metadata. NOTE: The federation utility cannot parse this element properly if it contains line breaks. In the appendix is an example RoleDescriptor element that can be used as a template.

  • Paste the template element below the opening tag of the EntityDescriptor element as shown:


image003

  • Change the ServiceDisplayName attribute to "<the domain name of your IDP>" as shown

  • Change the domain name in the endPointReference elements to "<the domain name of your IDP>" as shown


image008

  • Open the WS-FED metadata and copy the certificate data from within the "ds:X509Certificate" element to the clipboard. NOTE: Do not copy the tags.

  • Select the certificate data in the example RoleDescriptor element and then paste the copied certificate data in its place.

  • (Optional) Within the "fed:ClaimTypesOffered" element, edit the claims provided by the Identity Server to match the attributes that are to be sent during authentication. NOTE: you can add attributes without modifying this element. Making this change just allows the Federation Utility to pre-populate the claim references in the application configuration.

  • Save the modified metadata file for use in the next task.


Task 3. Modifying the Application Configuration Using the Windows Identity Foundation Federation Utility



  1. Make a backup copy of the application's Visual Studio project.

  2. Browse to C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0 and execute FedUtil.exe.

  3. Click the "Browse" button to the right of the "Application configuration location" field and then select the Web.config file inside your application project directory. See below:


image009

  4. In the "Application URI" field enter the URI that will be used to access the application. See above.

  5. Click "Next". In the example a warning is displayed because the URL is not using HTTPS. Click "Yes" to continue.


image011

  6. Click the radio button corresponding to "use an existing STS".

  7. Click "Browse" and select the Identity Server metadata file modified earlier.


image013

  8. Click on the "Test location" button. If the metadata is well formed it will be displayed in your default web browser. If this step fails, resolve the metadata format issues and try again.


image015

  9. Click on the "Next" button. If the utility can successfully parse the metadata you will see the warning shown below, "The WS-Federation metadata document is unsigned". If you get any other result, resolve the metadata format issues and try again.


image017

  10. Click on the "Yes" button to continue using the unsigned metadata.

  11. On the "Security token encryption" page select "No Encryption". No sensitive data is being passed, so encryption is not required. If you choose to use encryption you will need to generate or select a certificate. That certificate will be needed later when configuring the Identity Server Service Provider for this application. See below:


image019

  12. The utility will display the claims offered by the Identity Server. Click "Next".


image021

  13. The utility will display the summary page. Click "Finish".


image023

  14. The utility will display the Success dialog. Click "OK" to close the utility. NOTE: Do not select the check box to schedule a task to periodically update the metadata.


image025

Task 4. Apply Manual Modifications to the Application Configuration.



  1. Open the application project in Visual Studio and select the Web.config file for editing.

  2. The "httpModules" element is used for IIS version 6. You will need to comment out the entries that the Federation Utility added so that we can deploy the application on IIS version 7+, as shown below:


image027

  3. Next you will need to add the assemblies used by WIF to the "assemblies" element and add an "httpRuntime" element, as shown below:


image029

  4. Open a file system explorer window and navigate to "C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\Samples\Quick Start\ClaimsAwareWebAppWithManagedSTS" as shown below:


image031

  5. Select "App_Code" and drag it into Visual Studio. Drop it on the application project node ("IndlagtePatienter" in this tutorial) in the Solution Explorer window. This adds the WIF example code needed to validate the assertion from the Identity Server to the application.


Before dragging in "App_Code"

image033

After dragging in "App_Code"

image035

  6. Select the application in the Solution Explorer window as shown above.

  7. In the Properties window disable Anonymous Authentication and Windows Authentication as shown below:


image037

Task 5. Configuring the Application as a WS-FED Service Provider on the Identity Server



  1. Create a new attribute set for the Service Provider.

  2. Add mappings for the attribute "cn" as shown below:


image039

  3. Add a mapping for "All Roles" as shown below:


image041

  4. Add mappings for any other attributes that you would like to send to the application. NOTE: Only "cn" and "All Roles" are needed for this application. Your attribute set should look similar to the one shown below.

  5. Edit your Identity Server configuration and navigate to Identity Servers ---> WS Federation.


image043

  6. Select "New" ---> "Service Provider" and the Service Provider Wizard will open as shown below. Enter the URL of the application into the "Provider ID" and "Sign-on URL" fields. NOTE: This URL must match the one you used on the first page of the Windows Identity Foundation Federation Utility.


image045

  7. Even though we are not using encryption, the Access Manager Administration Console forces us to select a certificate. Choose any certificate in DER format. This certificate will not actually be used. NOTE: If you did enable encryption when you configured the application you MUST select that same certificate here.

  8. Click "Next" and "Finish" to close the wizard.

  9. Select the new Service Provider, then select "Attributes".

  10. In the "Attribute set" dropdown, select the attribute set you created earlier.

  11. Select the "cn" and "All Roles" attributes to be sent with the authentication as shown below and click "Apply".


image047

  12. Select "Authentication Response".

  13. Click the "Unspecified" radio button and select "Ldap Attribute:cn" as shown below:


image049

  14. Click "Apply".

  15. Click "OK" to close the Service Provider.

  16. Select "Policies" ---> "Master_Container".

  17. Select "New" and then "Identity Server: Roles" in the Type dropdown. Enter a name for the policy.


image051

  18. Click "OK".

  19. In the "Condition Group 1" box select "New" ---> "LDAP Group".

  20. In the "Value" field, in the dropdown that shows "[Current]", select the user store (it must be the same one used for the authentication method) and then select the group that will be used to provide access to the application. It should look like the Condition below:


image053

  21. In the Action box, select "Activate Role" and enter the role name to be sent to the application.

  22. Click "OK" twice.

  23. Click "Apply Changes".

  24. Edit your Identity Server configuration and select "General" ---> "Roles" as shown below:


image055

  25. Select the checkbox next to the new role, then select "Enable".

  26. Click "OK".

  27. Update the Identity Server.


Task 6. Add Validation of the Authorization Claim to the Application


At this point, any user who can successfully authenticate will be able to access the application. To restrict access to only members of the selected group, the application must validate that a "role" claim with the proper value was received from the Identity Server. The WIF sample application ClaimsAwareWebAppWithManagedSTS has examples of how to access the claims.
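As an added example (not code from the original post or from the WIF samples), the helper below performs that check against the WIF 4.0 SDK object model and denies the request unless the expected role claim is present. The role claim URI and the role name are assumptions: they must match the "All Roles" attribute mapping and the role activated by the policy configured in Task 5, and the code assumes each role arrives as its own claim.

```csharp
using System;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;   // WIF 4.0 SDK: IClaimsPrincipal, IClaimsIdentity, Claim, ClaimTypes

public static class RoleClaimCheck
{
    // ASSUMPTION: the standard WS-Federation role claim URI
    // ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role").
    // Use whatever URI your Task 5 attribute set maps "All Roles" to.
    private static readonly string RoleClaimType = ClaimTypes.Role;

    // Placeholder: the role name entered in the "Activate Role" action of the
    // "Identity Server: Roles" policy in Task 5.
    private const string RequiredRole = "YOUR-ROLE-NAME";

    // Returns true only when the authenticated identity carries a role claim whose
    // type and value both match exactly. Everything else is denied (fail closed).
    public static bool HasRequiredRole(IClaimsPrincipal principal, string requiredRole)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        var identity = principal.Identity as IClaimsIdentity;
        if (identity == null)
            return false;

        // Ordinal comparison: claim URIs and role names are opaque identifiers,
        // so no culture-aware or case-insensitive matching.
        return identity.Claims.Any(c =>
            string.Equals(c.ClaimType, RoleClaimType, StringComparison.Ordinal) &&
            string.Equals(c.Value, requiredRole, StringComparison.Ordinal));
    }

    // Call from Page_Load (or a shared base page) once the WIF session module has
    // populated context.User from the Identity Server's assertion.
    public static void EnforceRequiredRole(HttpContext context)
    {
        var principal = context.User as IClaimsPrincipal;
        if (HasRequiredRole(principal, RequiredRole))
            return;

        context.Response.StatusCode = 403;
        context.Response.StatusDescription = "Forbidden";
        context.Response.Write("Access denied: the required role claim was not received.");
        context.Response.End();
    }
}
```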

Comments
I get the error:
ID1014 : Could Not Parse the WS-Federation Metadata Document There was error deserializing the security key identifier clause XML Please see inner exception for more details
The WIF Federation utility is very picky about the formatting of the metadata. Compare yours to the sample provided to identify any differences. If you still have issues I'd be happy to take a look at your metadata.
Can I send my metadata to you?
I fixed the metadata issue. In Task #3, did you create a new Visual Studio project?
In the example I was modifying an existing Visual Studio project. The same tasks apply if you're creating one from scratch. What was the fix for your metadata?
I compared my metadata with your metadata line by line and fixed mine. It is accepted by Visual Studio 2010 Professional.
I am doing this in a slightly different way. I am making a claims-aware website on my Windows 2008 R2 server on IIS 6.0.
http://blogs.msdn.com/b/alextch/archive/2011/06/27/building-a-test-claims-aware-asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts.aspx
I have https://ServerName/Site1. This site is STS aware. I have the Webconfig.xml file as shown below:
I get the following error:

An Identity Provider response was received that failed to authenticate this session. (300101005-31DE48E3C3946D8E)
I did not find much info in the catalina.out log file.
The first thing to do is use the SSO Tracer extension for Firefox and capture the assertion you're sending to IIS. You can also see this in the IDP trace if you set SAML to DEBUG. Note that my instructions above work with IIS7+. IIS 6 configuration is different. Why would you be working with IIS6 since it's obsolete?
IIS 6.0 is old, but unfortunately the customer's web server is based on IIS 6.0, so I used IIS 6.0.
Provider ID: https://Win2k8R2WebSP/Site1
Sign on URL : https://Win2k8R2WebSp/Site1

The Metadata:

Metadata
WSFedDescriptor
ID = https://Win2k8R2WebSP/Site1
ssoUrl = https://Win2k8R2WebSp/Site1
KeyDescriptor
use = signing
KeyInfo
X509Data
X509Certificate
EncryptionMethod
Algorithm = http://www.w3.org/2001/04/xmlenc#tripledes-cbc

I am investigating more.
Did you use Windows 2012 R2 Server with IIS 7.0 on it?
Actually we are using IIS 7.0. I did not check correctly. In Task 4 Step #2, is this needed for IIS 7.0 too?
Is Step #3 needed for IIS 7.0?
Thank you for the post. I've been able to complete all steps. In my web application I have a single default.aspx page. It appears the SampleRequestValidator is expecting some sort of well formed input in the request. Do I need to add some controls on my default.aspx page to pass along? How do I form this? What is needed?
Version history: revision 3 of 3, last update 2020-01-31 22:05