5

I'm trying to set up integrated OWIN WS-Federation (ADFS) authentication in a new MVC 5 project in Visual Studio 2013. WsFederation in Startup.Auth is configured as follows:

app.UseWsFederationAuthentication(wtrealm: "MyRealm",
               metadataAddress: "https://myADFSInstanceHost/FederationMetadata/2007-06/FederationMetadata.xml");  

The Federation button on the login page works fine. The ADFS login page is reachable and I can log in there. The required cookies seem to be set properly; at least the .AspNet.ExternalCookie cookie is passed. But when the callback to the MVC app is performed, AuthenticationManager.GetExternalLoginInfoAsync() in the ExternalLoginCallback controller action always returns null.

  • 4
    When I ran into this problem it turned out that the ADFS server wasn't returning the expected claim (`NameIdentifier`, e.g. Name ID in ADFS). Adding this claim to the ADFS setup fixed things. – BrianS Mar 20 '15 at 20:28
  • 3
    You could also customize the `ExternalLoginCallback` method as in [this question](http://stackoverflow.com/a/19573137/264628). Instead of looking for `Claims.NameIdentifier` you would look for the claim actually passed back by ADFS. – BrianS Mar 20 '15 at 20:32

1 Answer

0

I know this is an extremely old post, but I've been working on this issue for a week and this is the ONLY resource I've found that provided any sort of help.

The comments on the original post provided exactly what I needed. In order for GetExternalLoginInfo to work, a claim of type NameIdentifier must be present. I was able to mock one of these in Startup.Auth.cs using the following code:

using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.WsFederation;

app.UseWsFederationAuthentication(
    new WsFederationAuthenticationOptions
    {
        Wtrealm = realm, //defined earlier
        MetadataAddress = adfsMetadata, //also defined earlier

        Notifications = new WsFederationAuthenticationNotifications()
        {
            SecurityTokenValidated = notification =>
            {
                ClaimsIdentity identity = notification.AuthenticationTicket.Identity;

                // Pick the claim that should act as the name identifier.
                // ClaimTypes.Upn here; use whatever claim type ADFS actually releases for this relying party.
                Claim source = identity.FindFirst(ClaimTypes.Upn);

                // Only add a NameIdentifier if ADFS did not already send one.
                // GetExternalLoginInfoAsync requires exactly this claim type to build the UserLoginInfo.
                if (source != null && identity.FindFirst(ClaimTypes.NameIdentifier) == null)
                {
                    // Copy the issuer as well: GetExternalLoginInfoAsync uses the NameIdentifier
                    // claim's Issuer as the LoginProvider, and a claim created without one
                    // reports "LOCAL AUTHORITY" instead of the ADFS issuer.
                    identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, source.Value, source.ValueType, source.Issuer));
                }
                return Task.FromResult(0);
            }
        }
    });
Clint Warner
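As an added example (not code from the question, the comments, or the answer above), here is the alternative the comments mention: an ExternalLoginCallback action that reads the validated external identity itself and keys the login on the UPN claim instead of NameIdentifier, so nothing has to be synthesized in Startup.Auth. It assumes the ASP.NET Identity 2.x MVC 5 template (UserManager, SignInManager, AuthenticationManager and RedirectToLocal come from that template), that ADFS releases a UPN claim, and that the WS-Federation middleware stamps each claim's Issuer with the validated ADFS issuer; the ExpectedAdfsIssuer string is a placeholder to be replaced with the entityID from your federation metadata.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// Assumption: this is the template's AccountController; only the callback action is shown.
public partial class AccountController : Controller
{
    // Placeholder (constructed): the issuer string ADFS puts in its tokens. Take the real
    // value from the entityID in FederationMetadata.xml.
    private const string ExpectedAdfsIssuer = "http://myADFSInstanceHost/adfs/services/trust";

    // Assumption: ADFS releases the UPN claim. Any stable, non-reassignable claim works here;
    // avoid claims such as email or display name that an admin can later move between users.
    private const string ExternalIdClaimType = ClaimTypes.Upn;

    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        // The external cookie holds the identity the WS-Federation middleware already validated
        // (signature, audience, lifetime), so its claims are the only ones we should trust here.
        AuthenticateResult result = await AuthenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie);
        if (result == null || result.Identity == null || !result.Identity.IsAuthenticated)
        {
            return RedirectToAction("Login");
        }

        Claim idClaim = result.Identity.FindFirst(ExternalIdClaimType);
        if (idClaim == null || string.IsNullOrWhiteSpace(idClaim.Value))
        {
            // No usable identifier: fail closed rather than falling back to a weaker claim.
            return View("ExternalLoginFailure");
        }

        // Only accept identifiers minted by our own ADFS instance. The claim issuer is what
        // becomes the LoginProvider, so a different issuer must never map onto the same user row.
        if (!string.Equals(idClaim.Issuer, ExpectedAdfsIssuer, StringComparison.Ordinal))
        {
            return View("ExternalLoginFailure");
        }

        // Same shape GetExternalLoginInfoAsync would have produced from a NameIdentifier claim.
        var login = new UserLoginInfo(idClaim.Issuer, idClaim.Value);

        ApplicationUser user = await UserManager.FindAsync(login);
        if (user == null)
        {
            // Unknown federated user: send them to the template's confirmation page so an
            // account gets linked explicitly, instead of silently creating one.
            ViewBag.ReturnUrl = returnUrl;
            ViewBag.LoginProvider = login.LoginProvider;
            return View("ExternalLoginConfirmation", new ExternalLoginConfirmationViewModel { Email = idClaim.Value });
        }

        await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
        return RedirectToLocal(returnUrl);
    }
}
```

Two design points worth keeping whichever approach you choose: the identifier must come from the external cookie (i.e. from the token the middleware validated), never from a query string or form field on the callback, and the issuer check matters because the provider name is part of the (LoginProvider, ProviderKey) pair that selects the local account.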