Build a web application using OpenID Connect with AD FS 2016 and later

Article
09/24/2021
2 minutes to read

Pre-requisites

The following are a list of pre-requisites that are required prior to completing this document. This document assumes that AD FS has been installed and an AD FS farm has been created.

GitHub client tools
AD FS in Windows Server 2016 TP4 or later
Visual Studio 2013 or later.

Create an Application Group in AD FS 2016 and later

The following section describes how to configure the application group in AD FS 2016 and later.

Create Application Group

In AD FS Management, right-click on Application Groups and select Add Application Group.
On the Application Group Wizard, for the name enter ADFSSSO and under Client-Server applications select the Web browser accessing a web application template. Click Next.
Copy the Client Identifier value. It will be used later as the value for ida:ClientId in the applications web.config file.
Enter the following for Redirect URI: - https://localhost:44320/. Click Add. Click Next.
On the Summary screen, click Next.
On the Complete screen, click Close.

Download and modify sample application to authenticate via OpenID Connect and AD FS

This section discusses how to download the sample Web APP and modify it in Visual Studio. We will be using the Azure AD sample that is here.

To download the sample project, use Git Bash and type the following:

git clone https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect

Screenshot of a terminal window that shows how to download the sample project.

To Modify the app

Open the sample using Visual Studio.
Rebuild the app so that all of the missing NuGets are restored.

Open the web.config file. Modify the following values so the look like the following:

<add key="ida:ClientId" value="[Replace this Client Id from #3 in above section]" />
<add key="ida:ADFSDiscoveryDoc" value="https://[Your AD FS hostname]/adfs/.well-known/openid-configuration" />
<!--<add key="ida:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />-->
<add key="ida:PostLogoutRedirectUri" value="[Replace this with Redirect URI from #4 in the above section]" />

Screenshot that highlights the changes made to the web dot config file.

Open the Startup.Auth.cs file and make the following changes:

Comment out the following:

//string Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);

Tweak the OpenId Connect middleware initialization logic with the following changes:

private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
//private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
//private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
private static string metadataAddress = ConfigurationManager.AppSettings["ida:ADFSDiscoveryDoc"];
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

Screenshot that shows how to change the Open I D Connect middleware initialization logic.

Further down, modify the OpenId Connect middleware options as in the following:
```
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        //Authority = authority,
        MetadataAddress = metadataAddress,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        RedirectUri = postLogoutRedirectUri
```
By changing the above we are doing the following:
- Instead of using the Authority for communicating data about the trusted issuer, we specify the discovery doc location directly via MetadataAddress
- Azure AD does not enforce the presence of a redirect_uri in the request, but AD FS does. So, we need to add it here