Wednesday, January 27, 2016

WIF : IDPInitiated and a WS-Fed application

I discussed IDPInitiated here:

ADFS : SAML redirect to application via relayState and loginToRp 

I've been looking at a case where IDPInitiated is used to a WS-Fed application.

The use case is:

IDP --> SAML --> ADFS --> WS-Fed --> Application

IDPInitiated is a SAML feature not supported in WS-Fed, but it works in ADFS if you use the RPID construct.

If you set the RPID to the identifier of an RP in ADFS, the user uses IDPInitiated on their IDP to authenticate; the flow goes to ADFS, ADFS sees that they are authenticated and passes the token on to the RP seamlessly.

However, you will get:

ID4216: The ClaimType '' must be of format 'namespace'/'name'.

The reason is discussed here:

AD FS 2.0: The Admin Event Log Shows Error 111 with System.ArgumentException: ID4216

Essentially, WS-Fed uses a SAML 1.1 token, the SAML 2.0 protocol uses a SAML 2.0 token, and SAML 1.1 is far stricter about the claim type.

It requires:

<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>tom@abc.com</AttributeValue>
</Attribute>

Instead of:

<saml:Attribute Name="EmailAddress"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">tom@abc.com</saml:AttributeValue>
</saml:Attribute>

Note the difference in the attribute name formats.

Apart from this, WIF breaks because all the classes expect the stricter URI form.

To sort this out:

On the IDP side, just pass everything through:

c:[]
 => issue(claim = c);


On the RP side, you need to do a pass-through, but using a custom rule, e.g.

c:[Type == "EmailAddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value = c.Value);


That will keep WIF happy :-)
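To make the RP-side fix concrete, here is an added Python example (not ADFS code and not from the original post) that parses a SAML 2.0 AttributeStatement, checks each attribute name against the 'namespace'/'name' shape that the ID4216 check enforces, and rewrites short "basic" names through a mapping table the way the custom claim rule above does. The mapping table, the sample AttributeStatement and the third "Department" attribute are constructed for the example; the check is an approximation of the WIF rule, which as far as I know splits the claim type at its last '/' to get the SAML 1.1 AttributeNamespace and AttributeName.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Hypothetical mapping table standing in for the RP-side custom rules:
# short SAML 2.0 "basic" attribute name -> URI claim type WIF accepts.
SHORT_NAME_TO_CLAIM_TYPE = {
    "EmailAddress": CLAIMS_NS + "emailaddress",
    "GivenName": CLAIMS_NS + "givenname",
    "Surname": CLAIMS_NS + "surname",
}

# Constructed sample AttributeStatement as a SAML 2.0 IDP might send it.
# One short name we know, one URI-form name, one short name we do not map.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="EmailAddress"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">tom@abc.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Department"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">Sales</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def is_uri_claim_type(claim_type):
    """Approximate the ID4216 check: the claim type must split at its last '/'
    into a non-empty namespace and a non-empty name."""
    if "/" not in claim_type:
        return False
    namespace, _, name = claim_type.rpartition("/")
    return bool(namespace) and bool(name)


def split_claim_type(claim_type):
    """Return (AttributeNamespace, AttributeName) the way a SAML 1.1 attribute
    needs them; raises on a claim type that would trigger ID4216."""
    if not is_uri_claim_type(claim_type):
        raise ValueError(
            "ID4216: The ClaimType '%s' must be of format 'namespace'/'name'." % claim_type
        )
    namespace, _, name = claim_type.rpartition("/")
    return namespace, name


def parse_attributes(xml_text):
    """Return a list of (Name, [values]) tuples from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = []
    for attr in root.iter("{%s}Attribute" % SAML2_NS):
        values = [
            v.text.strip()
            for v in attr.findall("{%s}AttributeValue" % SAML2_NS)
            if v.text
        ]
        attrs.append((attr.get("Name"), values))
    return attrs


def transform_claims(attrs):
    """Apply the RP-side pass-through: URI-form names pass unchanged, known short
    names are mapped to their URI claim type, and anything else is reported
    instead of forwarded (forwarding it is what breaks WIF)."""
    issued = {}
    rejected = []
    for name, values in attrs:
        if is_uri_claim_type(name):
            issued[name] = values
        elif name in SHORT_NAME_TO_CLAIM_TYPE:
            issued[SHORT_NAME_TO_CLAIM_TYPE[name]] = values
        else:
            rejected.append(name)
    return issued, rejected


if __name__ == "__main__":
    issued, rejected = transform_claims(parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT))
    for claim_type, values in issued.items():
        namespace, name = split_claim_type(claim_type)
        print("%s / %s = %s" % (namespace, name, values))
    print("not forwarded (would raise ID4216):", rejected)
```

The "Department" attribute is the interesting case: a blanket pass-through on the RP side would hand its short name to WIF and produce exactly the ID4216 error, so the transform reports it instead, which is the signal that another custom rule is missing.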

Enjoy!
