December 21, 2015 at 1:45 pm #6614
I currently have a number of .Net web applications using ADFS3 for authentication. I’m just looking at how to set up OpenAM to act as the Identity Provider for a .Net web application, with the long-term goal to migrate away from ADFS.
I’m struggling to get OpenAM to generate some metadata that will work with a .Net app, in the same way I have done this with ADFS.
Is anyone able to offer any guidance on this? Or is the recommended approach to use the Fedlets instead?
For info, I have enabled ssoadm.jsp and used the export-entity option. However, using either a SAML or WS-Fed IdP it doesn’t seem to generate metadata that my .Net apps are able to use.
Thanks
December 22, 2015 at 6:00 pm #6636 Rogerio Rondini, Participant
I don’t understand the last paragraph: “However, using either a SAML or WS-Fed IdP it doesn’t seem to generate metadata that my .Net apps are able to use.” Did you try to use that in your application and get an error?
Anyway, Fedlet is the easy way to do that. You will need to set up OpenAM as a Hosted IdP, and then configure the Fedlet as SP. After that, you need to download the .NET Fedlet and embed it into your application using the generated Fedlet metadata.
Rogério.
January 4, 2016 at 10:25 am #6695
Hi, many thanks for your reply.
To expand on the issue of the metadata in the .Net apps: as it appeared to be possible to set up a hosted IdP using WS-Fed, I was hoping it would be possible to simply point a .Net application at the metadata for the OpenAM IdP instead of our existing ADFS server, with everything else remaining the same. However, here is what happens:
1. Set up a new hosted IdP using WS-Fed.
2. Accessed the metadata URL using the guidance from this blog post (is this still correct?):
3. Set up a new .Net web application in Visual Studio and pointed it at the URL of this metadata.
However, this then produced the following error: “ID1018: The WS-Federation metadata document does not contain a security token service descriptor”.
I will have a play with setting up a Fedlet and see how these work; however, I was really hoping to migrate from ADFS to OpenAM with as minimal change as possible to existing applications, so if there is a way to make this work using WS-Fed and .Net apps I would be interested.
June 29, 2016 at 4:38 pm #11719 regi4life, Participant
Did you resolve your problem? Nowadays, I have the same problem. I could generate the metadata for my hosted WS-Fed IdP on OpenAM; unfortunately this metadata could not be loaded in Visual Studio (my .Net app) because the metadata is not correct.
Please, could you help?
Reginal
June 30, 2016 at 10:27 am #11730
As I was coming from a .Net background already using ADFS I was trying to use the WS-Fed protocol, however in the end I had so much trouble trying to get this to work I ended up going the SAML2 route.
It looked like .Net didn’t fully support the SAML2 protocol, so I ended up using this third-party library to handle the SAML2 bits:
This allowed us to continue with some MVC .Net web apps in the same way we were using ADFS. I dropped the following NuGet packages into the app:
Kentor.AuthServices
Kentor.AuthServices.HttpModule
Kentor.AuthServices.Mvc
Then I simply had to add some config to the web.config file, such as:
<kentor.authServices entityId="https://mywebapplication.com/" returnUrl="https://mywebapplication/">
  <identityProviders>
    <!-- entityId must match the entityID in the IdP's exported metadata.
         The & in the metadata URL has to be written as &amp; inside an XML attribute,
         otherwise web.config fails to parse. -->
    <add entityId="https://openam.example.com:443/openam"
         metadataUrl="https://openam.example/openam/saml2/jsp/exportmetadata.jsp?entityid=https://openam.example:443/openam&amp;realm=/"
         loadMetadata="true"
         allowUnsolicitedAuthnResponse="true"> <!-- accepts IdP-initiated responses -->
      <!-- the IdP signing certificate, used to verify the SAML responses -->
      <signingCertificate fileName="~/certificate.cer" />
    </add>
  </identityProviders>
</kentor.authServices>
<system.identityModel />
<system.identityModel.services>
  <federationConfiguration>
    <!-- requireSsl="false" allows the session cookie over plain HTTP; keep it true outside local testing -->
    <cookieHandler requireSsl="false" name="SampleMvcAppilcationAuth" />
  </federationConfiguration>
</system.identityModel.services>
Values will obviously be different, but hopefully this may help!
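Added example, not from any of the posters: a small Python check over an IdP metadata document that reports whether it carries the WS-Federation security token service role the built-in .NET stack looks for or only a SAML2 IdP role (the situation behind the ID1018 error earlier in the thread), along with the SSO endpoints and signing certificate a SAML2 library needs. The sample metadata and the certificate body in it are constructed placeholders.

```python
# Added example, not from the thread: inspect an IdP metadata document the way
# a .NET relying party would, to explain an ID1018 error before wiring up the app.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def inspect_idp_metadata(xml_text):
    """Report which IdP roles the metadata advertises, its SSO endpoints and signing certs."""
    root = ET.fromstring(xml_text)
    result = {"entityID": root.get("entityID"), "saml2_idp": False,
              "wsfed_sts": False, "sso_endpoints": [], "signing_certs": []}
    # SAML2 IdP role: an IDPSSODescriptor element
    result["saml2_idp"] = root.find("md:IDPSSODescriptor", NS) is not None
    # WS-Federation STS role: a RoleDescriptor typed fed:SecurityTokenServiceType
    for rd in root.findall("md:RoleDescriptor", NS):
        if rd.get(XSI_TYPE, "").split(":")[-1] == "SecurityTokenServiceType":
            result["wsfed_sts"] = True
    for sso in root.iterfind(".//md:SingleSignOnService", NS):
        result["sso_endpoints"].append((sso.get("Binding"), sso.get("Location")))
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and cert is not None:
            result["signing_certs"].append("".join(cert.text.split()))  # base64 body for a .cer
    return result

def explain(result):
    """Map the findings to what each .NET federation stack will do with this metadata."""
    if result["wsfed_sts"]:
        return "WS-Federation STS role present: the built-in WIF WS-Fed relying party can load it"
    if result["saml2_idp"]:
        return ("SAML2 IdP role only: WIF raises ID1018 (no security token service descriptor); "
                "a SAML2 library such as Kentor.AuthServices is needed")
    return "no IdP role found"

# Constructed sample resembling a hosted SAML2 IdP export; the certificate body is a placeholder.
SAMPLE_SAML2_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://openam.example.com:443/openam">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIIB...placeholder</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://openam.example.com:443/openam/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Feed it the text fetched from the exportmetadata.jsp URL used in the web.config above; the entityID it prints is the value the entityId attribute has to match.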