• Question

  • We have ADFS configured with SAML WebSSO on the corporate network and we want to enable SAML-P 2.0 SSO for an ASP.NET MVC (VS 2013) app running on cloud. We could see that MVC in this version supports both Azure AD based SSO and on-premise ADFS SSO. I also read that there is no SAML library from Microsoft. So my questions are:

    1) Does the above mentioned MVC version support only WS-Federation? Because I am finding only two parameters while configuring the ADFS using the MVC template, such as federation metadata URL and web app ID; there is no option to specify a callback URL or SAML service URI.

    2) If we cannot go for SAML SSO directly from an ASP.NET MVC app running on cloud with on-premise ADFS without installing anything additional, can we set up an ADFS on cloud with a trust defined for the on-premise ADFS? In that case the flow should be cloud MVC app - cloud ADFS - on-premise ADFS. In that case, what federation metadata should be used in the ASP.NET MVC app? That of the cloud ADFS or the on-premise ADFS, and what metadata should be shared with the on-premise ADFS? My expectation here is that, since .NET lacks a SAML library, the MVC app can send WS-Federation data which will be transformed into SAML by the cloud ADFS and then forwarded to the on-premise ADFS. Please note that the cloud is not Azure and we don't want to go for Azure AD (unless it is totally free :)

    I prefer option one to work, if not the second. If both options are not possible I want to consider open source SAML solutions for .NET such as Shibboleth or Kentor.

    G K

    Thursday, July 27, 2017 1:47 AM
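    As an added example (not code from the post or from Microsoft's project template), the OWIN Startup below shows how the two values the template asks for map onto the WS-Federation middleware: the metadata URL becomes `MetadataAddress` and the web app ID becomes `Wtrealm`, while the return address WS-Federation uses in place of a SAML callback URL is `Wreply`. The ADFS host, realm and namespace are placeholders; this is WS-Federation, not SAML-P.

```csharp
// Added example: OWIN WS-Federation setup for an ASP.NET MVC 5 app that trusts an
// on-premises ADFS. The template's "federation metadata URL" is MetadataAddress and
// its "web app ID" is Wtrealm; Wreply is the return address (defaults to the request URL).
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

namespace CloudApp
{
    public class Startup
    {
        // Placeholder values: replace with the real ADFS metadata endpoint and the
        // relying-party identifier registered on the ADFS relying-party trust.
        private const string AdfsMetadata =
            "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml";
        private const string Realm = "https://app.example.com/";

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(
                CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                CookieSecure = CookieSecureOption.Always, // session cookie only over TLS
                CookieHttpOnly = true
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // Signing keys and issuer are read from the metadata document, so it
                // must come from the IdP over HTTPS; a tampered document means forged tokens.
                MetadataAddress = AdfsMetadata,
                // The relying-party identifier ADFS issues tokens for.
                Wtrealm = Realm,
                // WS-Federation's return address; it must match a WS-Fed endpoint
                // configured on the relying-party trust in ADFS.
                Wreply = Realm,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens minted for a different relying party.
                    ValidAudience = Realm,
                    ValidateAudience = true
                }
            });
        }
    }
}
```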

All replies

  • The first question is why do you have to use SAML for the MVC application?

    Why not WS-Fed / OpenID Connect / OAuth?

    ADFS 4.0 supports all the above.

    Thursday, July 27, 2017 2:21 AM
  • We currently use SAML-P. I guess ADFS 3 onwards supports SAML-P.

    G K

    Thursday, July 27, 2017 4:51 AM
  • You use SAML-P where? To federate with other IDP? To authenticate with Java Spring SAML application?

    Just because you use SAML somewhere else, doesn't mean you have to use it for this application.

    Thursday, July 27, 2017 8:17 AM