ADFS - Web Client Classic

In another post I examined how to configure ADFS for WebDrawer; the process is very similar for Web Client Classic, as can be seen in this video.


Additional steps

Below I list all the configuration that requires modification. In addition to this, you also need to:

  • add a relying party trust in ADFS,
  • enable anonymous authentication in IIS, and
  • copy the file System.IdentityModel.Tokens.ValidatingIssuerNameRegistry.dll from your Web Client\bin folder to Web Client Classic\bin.

I look at both of these in the video above.

Config to copy, paste and modify

Overview

All of the modifications are made in the Web Client Classic web.config file.

configSections

Copy this into the configSections element.

<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />

appSettings

Create an appSettings element and replace the URL of our ADFS server with the URL of your own ADFS server.

<appSettings file="user.config">
    <add key="ida:FederationMetadataLocation" value="https://adfs1.testteam.local/FederationMetadata/2007-06/FederationMetadata.xml" />
</appSettings>

authorization and authentication

These go inside the system.web element; make sure you remove the existing authentication element.

<authorization>
    <deny users="?" />
</authorization>
<authentication mode="None" />

Modules

Inside the system.webServer/modules element add these two modules.

<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />

WIFHandler

Add this location inside the root (configuration) element.

<location path="WIFHandler">
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
</location>

webHttpBinding

Find your webHttpBinding element and modify it to look like this.

<webHttpBinding>
  <binding name="hptrimBinding" sendTimeout="00.10:00">
    <security mode="Transport">
      <transport clientCredentialType="None" />
    </security>
  </binding>
</webHttpBinding>

system.identityModel

The XML below is taken directly from my web.config file, so you will need to find all of the URLs pointing to my Web Client Classic and ADFS server and change them. You will also need to use the PowerShell command Get-AdfsCertificate to get your thumbprint.

<system.identityModel>
    <identityConfiguration>
        <audienceUris>
            <add value="https://rmcloudweb.testteam.local/HPRMWebClientClassic/" />
        </audienceUris>
        <securityTokenHandlers>
            <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        </securityTokenHandlers>
        <certificateValidation certificateValidationMode="None" /> 
        <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="http://ADFS1.testteam.local/adfs/services/trust">
                <keys>
                    <add thumbprint="538B9CF4D293995C9406D7EA74C3F7353C5DD62A" />
                </keys>
                <validIssuers>
                    <add name="http://ADFS1.testteam.local/adfs/services/trust" />
                </validIssuers>
            </authority>
        </issuerNameRegistry>
    </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
    <federationConfiguration>
        <cookieHandler requireSsl="true" />
        <wsFederation passiveRedirectEnabled="true" issuer="https://adfs1.testteam.local/adfs/ls" realm="https://rmcloudweb.testteam.local/HPRMWebClientClassic/" reply="https://rmcloudweb.testteam.local/HPRMWebClientClassic/WIFHandler" requireHttps="true" />
    </federationConfiguration>
</system.identityModel.services>
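Once you have swapped in your own URLs and thumbprint, it is easy to leave the realm, audienceUris, validIssuers and reply values out of step with each other, or to paste a thumbprint with hidden characters. The script below is an added example (not part of the post or the product) that parses the system.identityModel fragments above and reports such mismatches; the embedded sample is the post's own configuration wrapped in a configuration root, and the hostnames and thumbprint in it are the post's example values, not real ones.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's system.identityModel fragments (token handlers omitted).
SAMPLE_CONFIG = """<configuration>
<system.identityModel><identityConfiguration>
  <audienceUris><add value="https://rmcloudweb.testteam.local/HPRMWebClientClassic/" /></audienceUris>
  <certificateValidation certificateValidationMode="None" />
  <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
    <authority name="http://ADFS1.testteam.local/adfs/services/trust">
      <keys><add thumbprint="538B9CF4D293995C9406D7EA74C3F7353C5DD62A" /></keys>
      <validIssuers><add name="http://ADFS1.testteam.local/adfs/services/trust" /></validIssuers>
    </authority>
  </issuerNameRegistry>
</identityConfiguration></system.identityModel>
<system.identityModel.services><federationConfiguration>
  <cookieHandler requireSsl="true" />
  <wsFederation passiveRedirectEnabled="true" issuer="https://adfs1.testteam.local/adfs/ls"
    realm="https://rmcloudweb.testteam.local/HPRMWebClientClassic/"
    reply="https://rmcloudweb.testteam.local/HPRMWebClientClassic/WIFHandler" requireHttps="true" />
</federationConfiguration></system.identityModel.services>
</configuration>"""


def check_wif_config(xml_text: str) -> list:
    """Return findings for the federation settings; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)
    findings = []
    ws = root.find(".//wsFederation")
    realm, reply = ws.get("realm", ""), ws.get("reply", "")
    # ADFS issues the token for the realm; WIF rejects it unless that realm is an accepted audience.
    if realm not in {a.get("value") for a in root.findall(".//audienceUris/add")}:
        findings.append("realm is not listed in audienceUris")
    if not reply.startswith(realm):
        findings.append("reply URL is outside the realm")
    if ws.get("requireHttps", "").lower() != "true":
        findings.append("wsFederation requireHttps is not true")
    cookie = root.find(".//cookieHandler")
    if cookie is None or cookie.get("requireSsl", "").lower() != "true":
        findings.append("cookieHandler requireSsl is not true; the session cookie could travel over HTTP")
    for auth in root.findall(".//issuerNameRegistry/authority"):
        if auth.get("name") not in {i.get("name") for i in auth.findall("validIssuers/add")}:
            findings.append(f"authority {auth.get('name')} is missing from its own validIssuers")
        for key in auth.findall("keys/add"):
            # Thumbprints pasted from the certificate UI often carry spaces or hidden characters.
            if not re.fullmatch(r"[0-9A-Fa-f]{40}", key.get("thumbprint", "")):
                findings.append("thumbprint is not a clean 40-hex-digit SHA-1 value")
    cv = root.find(".//certificateValidation")
    if cv is not None and cv.get("certificateValidationMode") == "None":
        findings.append("certificateValidationMode=None: trust rests on the pinned thumbprint alone, so update it whenever the ADFS token-signing certificate rolls over")
    return findings
```

Run it against your real web.config with `check_wif_config(open("web.config").read())`; the only finding for the configuration above is the reminder that the thumbprint is the sole trust anchor.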