Tuesday, June 27, 2017

IdentityServer and ADFS


I'm trying to set up IdentityServer to use ADFS for authentication. The flow will be:

User -> Custom app -> IS -> ADFS

I've set up almost everything, but I'm stuck at the communication between IS and ADFS. The user seems to log in successfully in ADFS, but I get an error:

ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier

when I get back to IS.

It's obvious that there's an issue with the token signing certificates in one side or the other. I've tried unsuccessfully to find some documentation explaining the relation between different certificates.

Right now I have a self-signed certificate in IS that is signing tokens (set up using the SigningCertificate property of IdentityServerOptions) and I have an AD certificate configured in ADFS to sign tokens.

Is there any guide or recommendation on how to properly do it? Should it be the same in both or should I configure something else to make it work?

EDIT: With Fiddler I can see that everything inside ADFS runs fine and the error occurs when the results are posted to IdentityServer. The XML posted in the wresult param is:

    <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <t:Lifetime>
        <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-06-20T12:25:31.148Z</wsu:Created>
        <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-06-20T13:25:31.148Z</wsu:Expires>
      </t:Lifetime>
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>urn:identityServer</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <t:RequestedSecurityToken>
        <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_fd1a14cd-4d18-407b-97d4-9f9dfcacd29a" Issuer="http://ssosrv.mydomain.com/adfs/services/trust" IssueInstant="2017-06-20T12:25:31.148Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
          <saml:Conditions NotBefore="2017-06-20T12:25:31.148Z" NotOnOrAfter="2017-06-20T13:25:31.148Z">
            <saml:AudienceRestrictionCondition>
              <saml:Audience>urn:identityServer</saml:Audience>
            </saml:AudienceRestrictionCondition>
          </saml:Conditions>
          <saml:AttributeStatement>
            <saml:Subject>
              <saml:NameIdentifier>user@mydomain.com</saml:NameIdentifier>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
              <saml:AttributeValue>name.surname@mydomain.tv</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
              <saml:AttributeValue>Name Surname</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
              <saml:AttributeValue>user@mydomain.com</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="2017-06-20T12:25:31.039Z">
            <saml:Subject>
              <saml:NameIdentifier>user@mydomain.com</saml:NameIdentifier>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
          </saml:AuthenticationStatement>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
              <ds:Reference URI="#_fd1a14cd-4d18-407b-97d4-9f9dfcacd29a">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>6CeXXXXXXXXXXXXXXXXXXXX=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>q9hJBFFFFFFFFFFFFFFFFFFFF==</ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <X509Data>
                <X509Certificate>MIIFnzXXXXXXXXXXXXXXXXXXXX</X509Certificate>
              </X509Data>
            </KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </t:RequestedSecurityToken>
      <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
    </t:RequestSecurityTokenResponse>

Thank you, Albert

2 Answers

Answer 1

Solved it. It was not related to the ADFS integration, but to how I had set up federation authentication in IdentityServer. I was using two federation authentication identity providers: this one with ADFS and another using WinAuth. Without a callback, the response from ADFS was being handled by WinAuth, so I configured different callbacks for each of them and it's working.
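What that fix looks like in an IdentityServer3 identity-provider registration, as an added example that is not the asker's code: two Katana WS-Federation middlewares, each with its own CallbackPath and matching Wreply, so the wresult posted by ADFS is only examined by the handler that trusts the ADFS signing key. Host names, paths, the Windows-auth realm and the metadata URLs are assumed placeholders.

```csharp
// Added example; not code from the question or the answers.
// Wired in via IdentityServerOptions.AuthenticationOptions.IdentityProviders.
// Assumes IdentityServer3 is hosted at the site root (no app.Map prefix);
// if it is mapped under a prefix, CallbackPath must include that prefix.
using Microsoft.Owin;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public static class IdentityProviders
{
    public static void Configure(IAppBuilder app, string signInAsType)
    {
        // Public base URL of this IdentityServer (assumed). The relying-party
        // trust in ADFS must point its passive endpoint at the Wreply below.
        const string isBase = "https://is.example.com";

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            AuthenticationType = "adfs",
            Caption = "ADFS",
            SignInAsAuthenticationType = signInAsType,
            // Must equal the AppliesTo / Audience ADFS puts in the token
            // (urn:identityServer in the posted wresult).
            Wtrealm = "urn:identityServer",
            // The middleware takes the ADFS token-signing certificate from
            // this metadata; the IS SigningCertificate plays no part in
            // verifying tokens that ADFS issues.
            MetadataAddress = "https://ssosrv.mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml",
            // Without a CallbackPath every WS-Federation middleware in the
            // pipeline tries to process every wsignin1.0 POST, and the first
            // one that does not know the ADFS key fails with ID4037.
            Wreply = isBase + "/adfs-callback",
            CallbackPath = new PathString("/adfs-callback")
        });

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            AuthenticationType = "windows",
            Caption = "Windows",
            SignInAsAuthenticationType = signInAsType,
            Wtrealm = "urn:idsrv3-winauth",               // assumed realm
            MetadataAddress = "https://winauth.example.com/windows/FederationMetadata/2007-06/FederationMetadata.xml",
            Wreply = isBase + "/windows-callback",
            CallbackPath = new PathString("/windows-callback")
        });
    }
}
```

With distinct paths, a wresult posted to /adfs-callback is ignored by the Windows handler, so a key-resolution failure can only come from the handler that is actually meant to trust that issuer.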

Answer 2

From memory:

  • You need to convert the IS certificate to .cer format.
  • In mmc, right click on the certificate and “All Tasks” / “Export”.
  • Click through Export Wizard selecting: “No, do not export the private key”. “DER encoded binary X.509 (.CER)”.
  • Select file name to export to and “Save”.
  • Review options and “Finish”.
  • In the ADFS wizard, import the .cer file into the Certificates tab.