SSO with OAUTH2 and WPF client using WAP/ADFS 3.0

  • Question

  • Hi,

    we are trying to implement a sso-solution for WPFClient-ADFS3.0-WAP-WCFService using OAuth2. We followed this instruction from technet:

    1. The app sends an HTTPS request to the AD FS server.

    2. The app uses the web authentication broker to generate a dialog box in which the user enters credentials to authenticate to the AD FS server. For information about web authentication broker, see Web authentication broker.

    3. After successful authentication, the AD FS server creates a combo token that contains the OAuth token and the edge token and sends the token to the app.

    But when we receive the token from ADFS we only get a bearer-type "access-token", no combo token. There is no "proxy-token" or "edge-token" present in the response, so we can't get past WAP. What are we missing to get the edge token from ADFS?

    Monday, January 25, 2016 8:52 AM

All replies

  • Were you ever able to make this work? I'm struggling with the same problem.
    Friday, June 22, 2018 12:17 PM
  • We finally implemented a dirty workaround simulating a passive logon from code. We basically intercept the response from the ADFS that contains the login form intended for the browser. Then we submit this form with an HTTP POST containing the user/password that we collected before with our own dialog. After that we use the MSAuth-Token from the ADFS to post a dummy request to the WAP to get the actual EdgeAccessToken, which we read from the WAP response and store in the client cookie container. With that token we are able to authenticate against the WAP during all service calls that follow.
    Friday, June 22, 2018 12:57 PM
  • Thanks for the response, it helps to shed a little more light on an extremely undocumented feature. So if I understand your answer correctly it's actually WAP that returns the combo token? How did you request that token? What did that request look like?
    Monday, June 25, 2018 12:12 PM
  • I suggest you go the same route as I did:
     - publish a WAP application using ADFS authentication
     - download and run Fiddler on the client machine
     - call the WAP-published application via browser on the client, log in on the ADFS form
     - look at the HTTPS traffic in Fiddler. You'll see exactly what happens between the client, the WAP and the ADFS proxy, including all redirects and cookie transmissions
     - simulate the whole process in your code using an HttpClient object. When you get to the point where the EdgeAccessCookie is returned from the WAP you can store this in your cookie container for further access during that session

    Monday, June 25, 2018 12:43 PM
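The workaround described in the two replies above (intercept the AD FS logon form, post the credentials yourself, let WAP set its EdgeAccessCookie, keep it in a CookieContainer), written out as an added example. This is not code from any of the posters; it is what a client would look like after you have traced the browser flow in Fiddler as suggested. Everything not stated in the thread is an assumption and should be checked against your own trace: the application URL, the AD FS 3.0 forms-logon field names (UserName, Password, AuthMethod=FormsAuthentication), the fact that a successful logon comes back as a self-posting WS-Federation form (wa/wresult/wctx) that a browser would submit with JavaScript, and the cookie name EdgeAccessCookie.

```csharp
// Added example (not from the original posts): simulate the browser's passive
// logon against a WAP-published application that uses AD FS pre-authentication,
// so that a non-browser client ends up holding WAP's EdgeAccessCookie.
// Assumed, not stated in the thread: form field names, the wresult auto-post
// step, and the cookie name. Confirm each against a Fiddler trace.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

static class WapPassiveLogon
{
    // Regexes are enough for the two server-generated forms in this flow;
    // use a real HTML parser for anything less predictable.
    static readonly Regex FormAction = new Regex(
        "<form[^>]*\\baction=\"([^\"]*)\"", RegexOptions.IgnoreCase);
    static readonly Regex Inputs = new Regex(
        "<input[^>]*\\bname=\"([^\"]+)\"[^>]*\\bvalue=\"([^\"]*)\"", RegexOptions.IgnoreCase);

    // Re-posts the form the server returned (hidden fields included), merging in
    // any fields the caller supplies, the way a browser would submit it.
    static async Task<HttpResponseMessage> SubmitFormAsync(
        HttpClient client, Uri pageUri, string html, IDictionary<string, string> extra)
    {
        var action = FormAction.Match(html);
        if (!action.Success)
            throw new InvalidOperationException("no <form> in response");
        var target = new Uri(pageUri, WebUtility.HtmlDecode(action.Groups[1].Value));

        var fields = new Dictionary<string, string>();
        foreach (Match m in Inputs.Matches(html))
            fields[m.Groups[1].Value] = WebUtility.HtmlDecode(m.Groups[2].Value);
        foreach (var kv in extra)
            fields[kv.Key] = kv.Value;

        return await client.PostAsync(target, new FormUrlEncodedContent(fields));
    }

    // Returns a cookie jar that holds the EdgeAccessCookie for appUri.
    public static async Task<CookieContainer> LogonAsync(Uri appUri, string user, string password)
    {
        var jar = new CookieContainer();
        // Leave certificate validation at its default; do not weaken it for "test" proxies.
        var handler = new HttpClientHandler { CookieContainer = jar, AllowAutoRedirect = true };
        using (var client = new HttpClient(handler))
        {
            // 1. Unauthenticated request: WAP redirects to the AD FS /adfs/ls/ endpoint,
            //    which answers with the forms-based logon page. Redirects are followed
            //    automatically, so resp.RequestMessage.RequestUri is the AD FS page.
            var resp = await client.GetAsync(appUri);
            var html = await resp.Content.ReadAsStringAsync();

            // 2. Submit the credentials collected by the client's own dialog into that form.
            var creds = new Dictionary<string, string>
            {
                ["UserName"] = user,
                ["Password"] = password,
                ["AuthMethod"] = "FormsAuthentication",   // assumed AD FS 3.0 field values
            };
            resp = await SubmitFormAsync(client, resp.RequestMessage.RequestUri, html, creds);
            html = await resp.Content.ReadAsStringAsync();

            // 3. On success AD FS returns a self-posting form carrying the token (wresult)
            //    addressed to the WAP. A browser submits it via JavaScript; here we post it
            //    ourselves. WAP validates the token, sets EdgeAccessCookie and redirects
            //    to appUri. If the logon form came back instead, the credentials were rejected.
            if (!html.Contains("wresult"))
                throw new UnauthorizedAccessException("AD FS did not issue a token (credentials rejected?)");
            resp = await SubmitFormAsync(client, resp.RequestMessage.RequestUri, html,
                                         new Dictionary<string, string>());
            resp.EnsureSuccessStatusCode();
        }

        // 4. Check that WAP actually set its cookie before handing the jar to the caller.
        bool haveEdge = false;
        foreach (Cookie c in jar.GetCookies(appUri))
            if (c.Name.StartsWith("EdgeAccessCookie", StringComparison.OrdinalIgnoreCase))
                haveEdge = true;
        if (!haveEdge)
            throw new InvalidOperationException("WAP did not set EdgeAccessCookie; compare with the Fiddler trace");
        return jar;
    }
}
```

Reuse the returned CookieContainer in the HttpClientHandler (or the cookie-enabled transport) used for every later service call through the WAP. Two points worth keeping in mind with this approach: the client now sees the user's cleartext password and posts it to AD FS itself, which is exactly what the web authentication broker was meant to avoid, so prompt for it in your own dialog and never log or persist it; and the EdgeAccessCookie is a session credential for the WAP, so keep the jar in memory only and expect the flow to need re-tracing in Fiddler after AD FS or WAP updates, since none of it is documented.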