Configure WIF for AD FS with forms authentication

Posted by 笑着哭i on 2019-12-20 05:49:06

Question


We have an ASP.NET Web Forms (.NET 3.5) website application that uses forms authentication. The application has different customized authentication services which use different SSO methods (e.g. CAS) to validate users; those were implemented for different clients. Now the requirement is to implement an AD FS based authentication service without making core changes to the Forms Authentication configuration.

My questions:

  1. How to configure SAM in a .NET 3.5 website?
  2. Instead of redirecting to the STS, is it possible to pass the user name and password from my login page to the AD FS proxy and get a SAML response?
  3. My intention is to read a custom attribute value (e.g. employee number) from the SAML response and proceed with the current authentication module. Is it possible?

This question is based on a discussion in AD FS and forms Authentication. Any help will be greatly appreciated.


Answer 1:


  1. The snippet I posted as an answer in the previous question should more or less work under .NET 3.5 (some APIs have changed, but not so much that you couldn't figure it out).

  2. Although this is possible, I guess this is a bad idea. This is because AD FS could be configured to use some other means of authentication than username/password. For example, they could enable Windows integrated authentication. Or they could delegate the authentication to another provider that uses two-factor auth involving text messages. All this means it is more reliable to follow passive WS-Fed, where your app redirects to the login page of the provider rather than passing the username/password collected by your app to the provider.

  3. The SAML validation in the snippet ends up with the ClaimsIdentity that represents the principal from the token. This is where you just enumerate claims and search for the one you want:

    var identity = /* ... validate SAML token ... */;

    foreach (var claim in identity.Claims)
    {
        if (claim.Type == employeeNumberClaimType) // the employee number claim type
        {
            // Use the claim to establish a local forms auth session
        }
    }
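
The claim-to-forms-session step from point 3, as an added example that is not part of the original answer: it accepts the employee number only when exactly one value from the expected issuer is present, then issues a forms authentication ticket. It assumes the WIF runtime for .NET 3.5 (`Microsoft.IdentityModel`), where the property is `ClaimType` rather than `Type`; the claim type URI, issuer name, class name and 30-minute lifetime are placeholders.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Security;
using Microsoft.IdentityModel.Claims; // WIF runtime for .NET 3.5

public static class AdfsFormsBridge // hypothetical helper name
{
    // Placeholder: the claim type URI your AD FS claim rule actually issues.
    const string EmployeeNumberClaimType = "http://example.invalid/claims/employeenumber";
    // Placeholder: the issuer name your IssuerNameRegistry maps the AD FS signing cert to.
    const string TrustedIssuer = "EXAMPLE-ADFS";

    // Call only with an identity produced by successful SAML token validation.
    public static string GetEmployeeNumber(IClaimsIdentity identity)
    {
        if (identity == null) throw new ArgumentNullException("identity");

        var values = identity.Claims
            .Where(c => c.ClaimType == EmployeeNumberClaimType
                     && string.Equals(c.Issuer, TrustedIssuer, StringComparison.Ordinal))
            .Select(c => c.Value)
            .Where(v => !string.IsNullOrEmpty(v))
            .Distinct()
            .ToList();

        // Missing or conflicting values mean the token must not create a session.
        if (values.Count != 1)
            throw new UnauthorizedAccessException("Expected exactly one employee number claim.");
        return values[0];
    }

    public static void SignIn(HttpContext context, IClaimsIdentity identity)
    {
        string employeeNumber = GetEmployeeNumber(identity);
        var ticket = new FormsAuthenticationTicket(1, employeeNumber, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, string.Empty, // 30 min is an example value
            FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,  // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        context.Response.Cookies.Add(cookie);
    }
}
```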
    


Source: https://stackoverflow.com/questions/36655009/configure-wif-for-ad-fs-with-forms-authentication
