Building a test claims-aware ASP.NET application and integrating it with ADFS 2.0 Security Token Service (STS)
We will need an ADFS (STS) in order to provide authentication services for our application.
Install IIS on the application server
In addition to the defaults add ASP.NET and accept the required prerequisite services to be added.
Also select IIS 6 Management Compatibility required by Visual Studio for publishing sites to IIS.
Create a DNS Alias for the Web Server host
In principal this is an optional step, since you could use the physical name of the server when requesting an SSL certificate for your application server. There are scenarios though when creating an alias might be required. For example if you are planning to publish this application through Unified Access Gateway you will need to ensure that the domain portion of the subject filed of the application server certificate matches that of the UAG trunk certificate. In general it is a good idea to leverage aliases as opposed physical names.
Request a certificate for the Application Web Server
Add HTTPS Binding on the Application Web Server
Install Visual Studio 2010 on the Application Web Server
Alternatively you could create an application from your workstation and publish it to the web server.
Install Windows Identity Foundation and Windows Identity Foundation SDK
Windows Identity Foundation needs to be installed on the application server. If you are developing from your workstation install this component there as well.
SDK only needs to be installed on the box where you do development.
Create a test WIF Enabled ASP.NET Application
The Claims-aware ASP.NET Web Site Template is added by WIF SDK.
Setup a trust relationship from the application to the STS (ADFS) service by adding STS reference to the project.
It is important that the application URI matches what users will type to access the application as well as the subject filed of the certificate assigned to the IIS server.
Disabling certificate validation and not enabling encryption options are only acceptable in a test environment.
For the chain validation to succeed you would need to ensure that CRL Distribution points of the signing CA of the SSL certificates are accessible by the ADFS server.
Build Web Site
Change Application Pools Settings
Make sure that the .NET version utilized by the pool matches the Windows Identity Framework version you downloaded (in my case I am using WIF for .NET 4).
Load User Profile advanced setting needs to be set to TRUE in order for the Web Server to be able to perform cryptographic functions while communicating with the ADFS server.
Create Relying Party Trust on ADFS server for the test application
Click on Next and then Close to launch Claims Edit Dialog.
Click on Add Rule
The choice of claims on the screenshot is arbitrary, you could choose any other claims and map them to the corresponding AD LDAP attributes and they will be sent to the application in a SAML token.
Click on Finish and then Ok
Test authentication to the application
Before testing ensure that the client trusts and can check the CRL distribution points of the SSL certificates assigned to the web and ADFS servers. Alternatively you could disable the CRL check on the browser.
If the client is in the same forest as the ADFS Server and you would like to achieve SSO than add the domain space in which the Web and ADFS servers reside to the Local Intranet zone.
If everything worked properly you should expect to see something similar to the screenshot above.