Simple WebDrawer ADFS

Background

Setting up a connection between WebDrawer and one of our lab ADFS servers is something I only do occasionally.   Now I am documenting it for the next time I do it.  This is a very simple setup so I do not promise that it will work the same in your environment.

Watch me

The config

Here I detail the various changes made to the WebDrawer web.config in the previous video.

configSections

We identify the two sections we will be configuring later in web.config in the configSections element (usually at the top of web.config)

<configSections>
  ...
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  
</configSections>

appSettings

In appSettings we provide the location of the ADFS metadata to allow WebDrawer to interrogate this later.

<appSettings file="user.config">
...
<add key="ida:FederationMetadataLocation" value="https://adfs1.testteam.local/FederationMetadata/2007-06/FederationMetadata.xml" />
  
</appSettings>

authorization

Here we deny access to anonymous users (thus requiring authentication and disable standard windows authentication.

<authorization>
   <deny users="?" />
</authorization>
<authentication mode="None" />

system.IdentityModel

I usually add the system.IdentityModel section just before system.webServer, although I believe it may go anywhere.

<system.identityModel>
<identityConfiguration>
  <audienceUris>
    <add value="[Your WebDrawer URL]" />
  </audienceUris>
  <securityTokenHandlers>
    <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </securityTokenHandlers>
  <certificateValidation certificateValidationMode="None" /> 
  <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
    <authority name="http://[Your ADFS Server]/adfs/services/trust">
      <keys>
      </keys>
      <validIssuers>
        <add name="http://[Your ADFS Server]/adfs/services/trust" />
      </validIssuers>
    </authority>
  </issuerNameRegistry>
</identityConfiguration>
</system.identityModel>

modules

The modules go inside system.webServer, I usually place them just after the handlers.

<modules>
  <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>

WIFHandler

I add this location to avoid a validation error triggered by the re-direct back from the ADFS login page.

<location path="WIFHandler">
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
</location>

system.identityModel.services

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" />
    <wsFederation passiveRedirectEnabled="true" issuer="https://[Your ADFS Server]/adfs/ls" realm="[Your Realm]" reply="https://[Your WebDrawer URL/WIFHandler" requireHttps="true" />
  </federationConfiguration>
</system.identityModel.services>