IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Using multiple ADFS via WsFederation #2622

Closed charettedavid closed 8 years ago

charettedavid commented 8 years ago

Hi, we are integrating IS3 in an existing multi-tenant portal.

Our use cases are: A) 1 - Internal users will log in via our AD, via our AD FS. 2 - External (client) users will log in via their AD via their own AD FS.

B) 1 - Internal users will log in via our AD, via our AD FS. 2 - External (client) users will log in via username/password against a custom identity user store managed by us (classic user management).


So far I have tested each part separately and it's OK. But I ran into configuration issues when I try to activate 2 AD FS at the same time but only use one at a time, according to which tenant is invoked.

Questions are:

I did try something like this:

```csharp
var adfsClient1 = new WsFederationAuthenticationOptions ...
var adfsClient2 = new WsFederationAuthenticationOptions ...

app.Map("/SSO/Login/client1/ADFS/Go", configuration => { configuration.UseWsFederationAuthentication(adfsClient1); });

app.Map("/SSO/Login/client2/ADFS/Go", configuration => { configuration.UseWsFederationAuthentication(adfsClient2); });
```

Thank you

svrooij commented 8 years ago

Take a look at the Identity Provider documentation on how to add multiple Identity providers. In your case you should specify AuthenticationType = "adfs-client1" and AuthenticationType = "adfs-client2" to differ between them.

You can then use the AuthenticationType in the Client configuration IdentityProviderRestrictions

You then create a client in your identity server per tenant and specify only their ADFS (e.g. adfs-client1). If only one identity provider is specified (per IdentityServer client), they will be redirected immediately.
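The per-tenant client restriction described above, as an added example that is not code from this thread or from the IdentityServer3 project. It assumes two WS-Federation middlewares were registered with AuthenticationType "adfs-client1" and "adfs-client2", and uses the IdentityServer3 `Client` model and `Constants` (client ids and redirect URIs are placeholders):

```csharp
using System.Collections.Generic;
using IdentityServer3.Core;
using IdentityServer3.Core.Models;

public static class TenantClients
{
    // One IdentityServer client per tenant, each pinned to exactly one identity
    // provider via IdentityProviderRestrictions. The value must equal the
    // AuthenticationType given to that tenant's WsFederation middleware.
    // With a single allowed provider, IdentityServer redirects to it immediately
    // instead of showing the provider selection page.
    public static IEnumerable<Client> Get()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "portal-client1",                                      // placeholder
                ClientName = "Tenant 1 portal",
                Flow = Flows.Implicit,
                RedirectUris = new List<string> { "https://client1.example/cb" }, // placeholder
                AllowedScopes = new List<string> { Constants.StandardScopes.OpenId },
                IdentityProviderRestrictions = new List<string> { "adfs-client1" }
            },
            new Client
            {
                ClientId = "portal-client2",                                      // placeholder
                ClientName = "Tenant 2 portal",
                Flow = Flows.Implicit,
                RedirectUris = new List<string> { "https://client2.example/cb" }, // placeholder
                AllowedScopes = new List<string> { Constants.StandardScopes.OpenId },
                IdentityProviderRestrictions = new List<string> { "adfs-client2" }
            },
            // Use case B: external users of this tenant get local username/password
            // login only, so their client is restricted to the built-in provider.
            new Client
            {
                ClientId = "portal-client3",                                      // placeholder
                ClientName = "Tenant 3 portal (local accounts)",
                Flow = Flows.Implicit,
                RedirectUris = new List<string> { "https://client3.example/cb" }, // placeholder
                AllowedScopes = new List<string> { Constants.StandardScopes.OpenId },
                IdentityProviderRestrictions = new List<string> { Constants.BuiltInIdentityProvider }
            }
        };
    }
}
```

The list can be handed to the in-memory client store with `factory.UseInMemoryClients(TenantClients.Get())` in the host's `IdentityServerServiceFactory` setup.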

charettedavid commented 8 years ago

Thank you, but in the doc I don't see how to add 2 AD FS, and I read somewhere that we can't simply do: app.UseIdentityServer(idsrvOptions1); app.UseIdentityServer(idsrvOptions2);

It uses the last one only.

What you described is exactly what I'm trying, and I did, but as I said, only the last one added worked!

Any idea or sample with 2 ADFS?

thanks again

charettedavid commented 8 years ago

You don't think I should configure multiple AD FS with app.Map( ... )?

What should I map as mapPath?

Thanks

leastprivilege commented 8 years ago

It's all written down exactly in the docs linked by @svrooij

svrooij commented 8 years ago

Sorry for wrong indentation, but this should work.

```csharp
// Inside startup class
using IdentityServer3.Core.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    // Placeholder: the realm (wtrealm) configured on each AD FS relying party trust
    private const string realm = "<your-realm>";

    public void Configuration(IAppBuilder app)
    {
        var options = new IdentityServerOptions
        {
            SiteName = "FHICT Identity server v2",
            SigningCertificate = LoadCertificate(), // host-specific helper, not shown
            Factory = Factory.Get(),                // host-specific helper, not shown

            AuthenticationOptions = new AuthenticationOptions
            {
                EnableLocalLogin = true,
                EnableSignOutPrompt = true,
                // IdentityServer calls this with the sign-in type the external
                // middleware must use; register every external provider inside it
                IdentityProviders = ConfigureIdentityProviders,
            }
        };

        app.UseIdentityServer(options);
    }

    public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        // Each WS-Federation middleware gets its own AuthenticationType (used by
        // IdentityProviderRestrictions) and its own CallbackPath, so IdentityServer
        // can tell which AD FS a returning response belongs to.
        var adfs1 = new WsFederationAuthenticationOptions
        {
            AuthenticationType = "adfs-client1",
            Caption = "Displayname ADFS 1",
            SignInAsAuthenticationType = signInAsType,
            MetadataAddress = "...",
            Wtrealm = realm,
            CallbackPath = new PathString("/core/adfs1"),
        };
        app.UseWsFederationAuthentication(adfs1);

        var adfs2 = new WsFederationAuthenticationOptions
        {
            AuthenticationType = "adfs-client2",
            Caption = "Display name ADFS 2",
            SignInAsAuthenticationType = signInAsType,
            MetadataAddress = "...",
            Wtrealm = realm,
            CallbackPath = new PathString("/core/adfs2"),
        };
        app.UseWsFederationAuthentication(adfs2);
    }
}
```

Then you need to set the WS-Federation redirect URL to https://your.identityserver.com/core/adfs1 or adfs2; this way the identity server knows which ADFS is sending the request.

leastprivilege commented 8 years ago

No this would not work - as explained in the docs, each WS-Fed middleware needs a unique CallbackPath set.

charettedavid commented 8 years ago

OK, is this done via the app.Map?

This is the part I'm trying to get an example of.

Thanks

On 24 Feb. 2016 at 02:06, Dominick Baier notifications@github.com wrote:

No this would not work - as explained in the docs, each WS-Fed middleware needs a unique CallbackPath set.


leastprivilege commented 8 years ago

no it isn't.

see our sample host: https://github.com/IdentityServer/IdentityServer3/blob/master/source/Host.Configuration/IdentityServerExtension.cs#L141 https://github.com/IdentityServer/IdentityServer3/blob/master/source/Host.Configuration/IdentityServerExtension.cs#L153

charettedavid commented 8 years ago

Thank you, it's working.