Re: ADFS with ASP application



Did you try the token test page I have here:

http://www.joekaplan.net/DiscoveringTheUsersNameAndGroupsInTheirWindowsToken.aspx

I like it better than the approach Nick outlines, although either should
work.

In a token-based app, the token can be mapped from the ADFS SAML token in
one of two ways. ADFS will either find the user's UPN in the SAML token, look
up that user in AD and create a Windows token for that user (with all of
their groups) using protocol transition/S4U (or the custom auth package if
your AD is at 2000 instead of 2003 FFL), OR ADFS will look at the SAML token
and attempt to build a custom Windows token based on the group claims in the
token that correspond to organizational claims in the resource federation
server that map to resource groups in AD.

This mapping is often referred to as "shadow users" or "shadow groups" in
the ADFS docs and presentations.

When you log in with a user defined in the resource federation server's user
store, only the direct user mapping will be performed, but if you log in
with a user from an external account partner, the type of mapping done is
configured in the properties for the account partner in the resource
federation server and you have 4 options on that tab.

If you go with shadow users, the user's UPN in the SAML token must exist in
the resource federation server's AD, and if you go with shadow groups, the
SAML token must contain at least one group claim that maps to an
organizational group claim with a mapping to a security-enabled group in AD.

This part of ADFS is really powerful, but also very confusing, so hopefully
this helps and doesn't confuse you more. :)

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
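The two mapping modes described in Joe's reply, written out as a small C# model for this page. This is an added illustration, not ADFS code and not anything from the thread; the resource-forest accounts, claim names and group names it uses are constructed, and the assumption that the shadow-group token is shown under the token's UPN claim is the model's, not a statement about ADFS internals.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Model of the two ADFS token-mapping modes (shadow users / shadow groups).
// Written for this page as an illustration; it is not ADFS code, and all
// directory contents, claim names and group names below are constructed.
public enum MappingMode { ShadowUsers, ShadowGroups }

public sealed class ResourceDirectory
{
    // Resource-forest accounts: UPN -> the groups that account is a member of.
    public readonly Dictionary<string, string[]> Users =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);

    // Organizational group claim -> security-enabled group in the resource forest.
    public readonly Dictionary<string, string> GroupClaimToResourceGroup =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
}

public sealed class IncomingToken
{
    public string Upn;                                       // UPN claim, null if absent
    public readonly List<string> GroupClaims = new List<string>();
}

public sealed class MappedToken
{
    public string Name;
    public string[] Groups;
}

public static class TokenMapper
{
    // Returns what the application would see, or throws with the reason the
    // resource federation server would reject the login.
    public static MappedToken Map(MappingMode mode, IncomingToken token, ResourceDirectory dir)
    {
        switch (mode)
        {
            case MappingMode.ShadowUsers:
                // Protocol transition (S4U) needs a real account, so the UPN in the
                // SAML token must exist in the resource forest; the token then carries
                // all of that account's groups, nothing from the SAML token itself.
                string[] memberOf;
                if (token.Upn == null || !dir.Users.TryGetValue(token.Upn, out memberOf))
                    throw new InvalidOperationException("shadow users: UPN not found in resource forest");
                return new MappedToken { Name = token.Upn, Groups = memberOf };

            case MappingMode.ShadowGroups:
                // Only group claims that map to a security-enabled resource group count,
                // and at least one must match; claims with no mapping are dropped.
                string[] mapped = token.GroupClaims
                    .Where(c => dir.GroupClaimToResourceGroup.ContainsKey(c))
                    .Select(c => dir.GroupClaimToResourceGroup[c])
                    .Distinct(StringComparer.OrdinalIgnoreCase)
                    .ToArray();
                if (mapped.Length == 0)
                    throw new InvalidOperationException("shadow groups: no group claim maps to a resource group");
                // Assumption of this model: the name shown is the UPN claim and the
                // groups are exactly the mapped resource groups.
                return new MappedToken { Name = token.Upn ?? "(unknown UPN)", Groups = mapped };

            default:
                throw new ArgumentOutOfRangeException("mode");
        }
    }

    public static void Main()
    {
        var dir = new ResourceDirectory();
        dir.Users["alice@resource.example"] = new[] { "RESOURCE\\App Users", "RESOURCE\\Domain Users" };
        dir.GroupClaimToResourceGroup["Partner App Users"] = "RESOURCE\\App Users";

        // User defined in the resource federation server's own store: direct UPN mapping.
        var local = new IncomingToken { Upn = "alice@resource.example" };
        Console.WriteLine(string.Join(", ", TokenMapper.Map(MappingMode.ShadowUsers, local, dir).Groups));

        // Account-partner user with no resource account: shadow users fails, shadow groups works.
        var partner = new IncomingToken { Upn = "bob@partner.example" };
        partner.GroupClaims.Add("Partner App Users");
        partner.GroupClaims.Add("Partner Finance");   // no resource mapping: dropped
        try { TokenMapper.Map(MappingMode.ShadowUsers, partner, dir); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
        Console.WriteLine(string.Join(", ", TokenMapper.Map(MappingMode.ShadowGroups, partner, dir).Groups));
    }
}
```

The two failure branches are the ones to keep in mind when the resource partner reports that credentials could not be verified: in shadow-user mode the UPN has to resolve to a real account in the resource forest, and in shadow-group mode at least one incoming group claim has to land on an organizational group claim that is mapped to a security-enabled group.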
<viveque.kumar@xxxxxxxxx> wrote in message
news:1168411494.482859.284300@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Joe,

We were facing issues with setting up the undermentioned page itself;
the 'sids' object is coming up as null.

I think we are stuck with claims as far as setting up ADFS in
conjunction with the step-by-step guide. I am now using the
non-SharePoint token-based app setup as described in Nick's blog. We
get as far as the discovery page, and after selecting the realm an ASP error
page appears wherein it says the credentials could not be verified at
the resource partner ADFS web site.

Will setting up claims only as much as is asked in the step-by-step
document suffice? I read in some posts of yours that you don't quite
follow that and set up UPN-UPN claims instead; could you please help me
set up the claims? In production we will need group mapping, but for now
I am OK with any setting.

Another question is what the security level at the ADFS site should be.
When it gets installed (after installing ADFS) the default permissions
are anonymous on both sites, but that does not work, and the error
description on the ADFS error page prompts to set it to Integrated.
Just wanted to make sure it is expected to be set at that?

Thanks a lot,
- Vivek

Joe Kaplan wrote:
The first thing I'd do is set up the test page that I discuss in this blog
posting so you can see what Windows token is being created by ADFS as a
result of the federated login. That will help you figure out what's going
on so you can apply that knowledge to the ASP app (which is likely more
difficult to troubleshoot as you don't have this kind of easy access to the
authenticated user's token like you do in .NET).

http://www.joekaplan.net/DiscoveringTheUsersNameAndGroupsInTheirWindowsToken.aspx

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
<viveque.kumar@xxxxxxxxx> wrote in message
news:1168277603.416111.172830@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Joe,
I followed the step by step guide to achieve the token-based
authentication but we were not successful in doing so. Could you mail
me some steps that you might have tried on your own.

Thanks in advance,
Vivek

Joe Kaplan wrote:
ADFS can work here if you use the Windows token model for integration (using
the stuff integrated into the IIS MMC UI). In that mode, ADFS can work with
any app that runs on IIS. The app doesn't need to be .NET 2.0 (although
.NET 2.0 must be installed on the machine for ADFS to be installed and
used).

You would change the setting in IIS from integrated to anonymous, but ADFS
would actually create a Windows token for you with the ADFS agent and the
app would continue to function as if it was working like integrated auth.

The real trick here is coming up with a viable strategy for how you want to
map user tokens (shadow users or shadow groups).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
<viveque.kumar@xxxxxxxxx> wrote in message
news:1168012536.605350.251840@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

We have a legacy ASP application and we are looking at SSO for an
integration project.

Our application works on Integrated authentication mechanism and the
requirement is that users from other domains when accessing this
application need not sign in again.

So after some research I stumbled upon ADFS to achieve this.

My question is this, given the above scenario, will ADFS work here?
Doesn't ADFS require ASP.NET applications?
Will the application security settings need to be changed from
Integrated to Anonymous?

TIA,
- Vivek
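The token test page Joe keeps pointing at, as an added example for this page: this is not the page from his blog and not ADFS code, just the check a practitioner would put on the resource web server to see which Windows token (name, auth type, group SIDs) actually reached the app after the federated login. The `TokenDump` class and its `Render` entry point are names chosen here; the page assumes an ASP.NET page on the ADFS-enabled resource site calling `TokenDump.Render(Context)` from `Page_Load`.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Token test page logic, added here as an example; it is not the page from
// Joe's blog and not ADFS code. Put it in an ASP.NET page on the resource
// web server and call TokenDump.Render(Context) from Page_Load.
public static class TokenDump
{
    public static string Describe(WindowsIdentity id)
    {
        var sb = new StringBuilder();
        sb.AppendLine("Name:      " + id.Name);
        sb.AppendLine("AuthType:  " + id.AuthenticationType);
        sb.AppendLine("Anonymous: " + id.IsAnonymous);   // true: no token was built for this request

        // Groups is null when there is no token behind the identity (the
        // anonymous identity); a null "sids" collection on the page means this.
        if (id.Groups == null)
        {
            sb.AppendLine("Groups:    (none - no token behind this identity)");
            return sb.ToString();
        }

        foreach (IdentityReference sid in id.Groups)
        {
            string name;
            try
            {
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // SIDs the resource forest cannot resolve. A shadow-group token
                // should resolve to resource-forest groups, so a token full of
                // these is a sign the mapping is not doing what you expect.
                name = "(SID not resolvable in this forest)";
            }
            sb.AppendLine("Group:     " + sid.Value + "  " + name);
        }
        return sb.ToString();
    }

    // Prefer the request's identity (what ADFS handed to IIS); fall back to
    // the thread token so the page still shows something when no federated
    // login happened, which itself is useful to know.
    public static string Render(HttpContext ctx)
    {
        WindowsIdentity id = ctx.User != null ? ctx.User.Identity as WindowsIdentity : null;
        if (id == null)
            id = WindowsIdentity.GetCurrent();
        string report = Describe(id);
        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write(report);
        return report;
    }
}
```

Read the output against the mapping mode you configured for the account partner: with shadow users you expect the resource-forest account's full group list; with shadow groups you expect only the resource groups the incoming group claims were mapped to. An identity that reports anonymous with no groups means the request reached the page without a token, so the problem is in front of the app (site security settings or the ADFS web agent), not in the application itself.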