1

I am trying to capture a SAML token that my ADFS login gives me. I need to capture the SAML by browsing to the ADFS login page, Let the user login and then when login is successful return the SAML back to the application. The application tehn calls a WCF service passing the SAML token in the header. I have a Url like :

https://adfs.mydomain/adfs/ls/IdpInitiatedSignOn.aspx?RedirectToIdentityProvider=http://adfs.mydomain/adfs/services/trust&loginToRP=https://bcjbsj.com/client-api/api/saml

I need to get this working wither in a windows application or console application. If this is not possible I can create a ASP .NET application also for testing. I have gone though many links but not able to find anything that helps.

I may be missing something here. Quite new to authentication. Any help or pointers would be helpful.

Shankar
  • 841
  • 1
  • 13
  • 39

2 Answers2

1

This is easily accomplished using a technique (occasionally) called JavascriptNotify. The basic idea is to display a WebBrowser control that you extend via javascript to allow callbacks to your app code once authentication is complete. You need to provide either centrally or packaged with your app an SP-STS that presents the home realm discovery page and the final jsnotify page. The rest of the UI is handled by the trusted STS's. You can optionally use Azure ACS to fill this role.

See Authenticating Users from Passive IPs in Rich Client Apps – via ACS or Access Control Service: Transitioning between Active and Passive Scenarios for what the call sequence looks like.

Call sequence showing Azure ACS being used to authenticate from a desktop client

To understand how to add the required window.external methods, see Invoke C# code from JavaScript in a Document in a WebBrowser. Thinktecture has an example client in WPF implementing javascriptnotify with JST.

As @Thuan mentions, the other option would be to abandon WS-Federation passive authentication in favor of WS-Trust active authentication. The downside in this approach is that it is far less flexible, and you must implement the client-side UI yourself. Having written apps that implemented both WS-Trust and WS-Fed RP's, I highly recommend WS-Fed passive authentication even for desktop apps.

Mitch
  • 21,223
  • 6
  • 63
  • 86
  • That's really awesome :D I get so used to the approach used for enterprise rich client applications that I didn't notice those "flows" :) Learned something new. – Thuan Aug 11 '17 at 02:55
0

That endpoint is used for passive login (aka via browser) scenarios. For Windows application or console, WS-Trust is a more appropriate approach. In short, your application uses WS-Trust protocol to call ADFS to get a token that can be used to access a WCF service. Such a WCF service is called claim-based service or claim-aware service. This question has a bunch of good links: WCF, Claims, ADFS 3.0

Thuan
  • 1,618
  • 1
  • 10
  • 21