    Authentication using AD FS

    The AdfsSecurityManager lets ImageVault authenticate users through a Windows AD FS service (federated authentication). It uses the WS-Federation passive requestor protocol: the browser is redirected to AD FS to sign in and is then posted back to ImageVault with a signed security token.

    This guide describes how to set up the ImageVault UI site as a relying party of an AD FS service.

    Limitations

    This security manager does not support user or group lookup. You can type user and group names manually to grant access to those identities, but you cannot browse or pick them from the AD. Because ImageVault only sees the claims AD FS sends, the names you enter must match the values of the Role claims (for groups) and user identity claims that AD FS issues.

    Prerequisites

    This guide assumes the following:

    • A working AD FS service
    • An installed ImageVault UI site (either stand-alone or as a virtual application under an Episerver site)
    • HTTPS (SSL/TLS) on the ImageVault UI site. AD FS requires that a relying party endpoint uses encrypted traffic.
    • Plain HTTP traffic redirected to the HTTPS address (see Redirect HTTP to HTTPS below)

    Preparation

    Before you begin, collect the following two values; both are used in the configuration steps below.

    Federated metadata URL

    The AD FS service publishes metadata about its endpoints and its token-signing certificates at a well-known URL. On an AD FS service the URL has the format below (replace sts.mydomain.com with the host name of your AD FS service).

    https://sts.mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml
    

    This URL must be reachable anonymously from the ImageVault UI server. The metadata document is what tells the relying party which certificate AD FS signs tokens with, so always fetch it over HTTPS directly from the AD FS host, and make sure the ImageVault UI server trusts the certificate chain of the AD FS site, or the download will fail.

    Application URL

    This is the URL of the ImageVault UI application. It must use HTTPS and end with a forward slash (/). The same string, character for character, is used as the relying party identifier in AD FS and as the wtrealm value in web.config, so decide on it once and reuse it everywhere.

    Example:

    https://mysite.com/ImageVault/
    

    Setup ADFS Relying Party Trust

    You first need to add a Relying Party Trust for the ImageVault UI application in your AD FS service.

    This is done with the AD FS Management tool (short instructions below). More detailed instructions can be found at http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/

    • Add Relying Party Trust...
    • Choose to enter data about the relying party manually
    • Enter a display name (preferably the Application URL above)
    • Enable support for the WS-Federation Passive protocol and enter the Application URL as the relying party WS-Federation Passive protocol URL. Use the Application URL as the relying party trust identifier as well.

    When the relying party trust is set up you also need to configure the claim rules so that the issued token contains at least the following claims:

    • User principal name (identifies the user)
    • Name ID (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) (can be mapped from the UPN)
    • Name (the visible user name)
    • Role (one claim per group or role, as many as needed; used for role-based authorization)
    • Email (optional)
    Note

    These claims must also be issued to the site on which any ImageVault client (for example the Episerver plugin) runs, if that client also uses AD FS.
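
    The same relying party trust and claim rules, created with the AD FS PowerShell module instead of the management console. This is an added example and not part of the ImageVault documentation; run it in an elevated PowerShell session on an AD FS server. The URL https://mysite.com/ImageVault/ is the page's placeholder Application URL, while the rule names and the choice to issue every AD group of the user as a Role claim are this example's own.

```powershell
# Added example (not ImageVault's own code): register the ImageVault UI as a
# relying party and issue the claims listed above. Requires the ADFS module,
# i.e. an elevated session on an AD FS server.
Import-Module ADFS

# Assumption: the Application URL from the Preparation section (https, trailing slash).
# It is used as display name, identifier (wtrealm) and WS-Federation passive endpoint.
$AppUrl = 'https://mysite.com/ImageVault/'

# Standard claim type URIs used in the rules below
$WinAcct = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$Upn     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$NameId  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$Name    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$Email   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$Role    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

# Issuance transform rules in the AD FS claim rule language.
# Rule 1: UPN, display name and mail from Active Directory.
# Rule 2: the user's AD groups (unqualified names) as Role claims.
# Rule 3: copy the UPN into the Name ID claim.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN, display name and mail"
c:[Type == "$WinAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$Upn", "$Name", "$Email"), query = ";userPrincipalName,displayName,mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Send AD group membership as Role"
c:[Type == "$WinAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$Role"), query = ";tokenGroups;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Map UPN to Name ID"
c:[Type == "$Upn"]
 => issue(Type = "$NameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@

# Issuance authorization rule: let every authenticated user obtain a token.
# Authorization inside ImageVault is then done on the Role claims.
$authRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name $AppUrl `
    -Identifier $AppUrl `
    -WSFedEndpoint $AppUrl `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules

# Verify that identifier and passive endpoint are exactly the Application URL
Get-AdfsRelyingPartyTrust -Name $AppUrl |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled
```

    With these rules the Role claim values are the unqualified AD group names, which are the names you type into ImageVault when granting access. If users belong to many groups, issue only the groups ImageVault needs (for example with the Send Group Membership as a Claim template) instead of tokenGroups, to keep tokens small.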

    Setup ImageVault UI

    Make sure that ImageVault.Adfs.Providers.dll is present in the bin folder of the ImageVault UI site.

    To configure the ImageVault UI to use AD FS authentication, modify its web.config file as described below.

    Authentication

    Set the authentication mode of the site to None. The AdfsSecurityManager performs the WS-Federation sign-in itself, so ASP.NET's own Forms or Windows authentication must not be enabled at the same time.

    ConnectionStrings

    To instruct ImageVault to use your AD FS server, add or modify the connection string named ImageVaultSecurityManager.

    providerName

    The providerName of this connection string must be

    ImageVault.Adfs.Providers.AdfsSecurityManager,ImageVault.Adfs.Providers
    

    connectionString

    The connection string consists of semicolon-separated key=value pairs. The following keys must be specified:

    wtrealm

    Must be identical to the Application URL, including the trailing slash. This value is sent to AD FS as the wtrealm parameter and must match the relying party identifier configured there, otherwise AD FS refuses the sign-in request.

    metadata

    Must be the Federated metadata URL (the key is written as Metadata in the example below).

    Example

    The example below summarizes the required web.config changes.

    <configuration>
        <connectionStrings>
            <add name="ImageVaultSecurityManager"
                    providerName="ImageVault.Adfs.Providers.AdfsSecurityManager,ImageVault.Adfs.Providers"
                    connectionString="wtrealm=https://mysite.com/ImageVault/;Metadata=https://sts.mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml"/>
        </connectionStrings>
        <system.web>
            <authentication mode="None" />
        </system.web>
    </configuration>
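
    A pre-flight check that ties the Preparation and Setup ImageVault UI sections together: it reads the web.config above, validates the provider, wtrealm and metadata values, confirms the provider DLL is deployed, and downloads the federation metadata to show which issuer and token-signing certificates ImageVault will trust. This is an added example, not ImageVault's own tooling; the function name Test-ImageVaultAdfsConfig and its -SitePath parameter are this example's own, and it needs HTTPS access from the ImageVault UI server to the AD FS host.

```powershell
# Added example (not ImageVault's own code). Run on the ImageVault UI server.
function Test-ImageVaultAdfsConfig {
    param(
        # Physical path of the ImageVault UI site, e.g. C:\inetpub\ImageVault (assumption)
        [Parameter(Mandatory)] [string] $SitePath
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. The provider assembly must be in the bin folder
    $dll = Join-Path $SitePath 'bin\ImageVault.Adfs.Providers.dll'
    if (-not (Test-Path $dll)) { $problems.Add("missing $dll") }

    # 2. web.config: authentication mode None and the ImageVaultSecurityManager connection string
    [xml]$config = Get-Content -Path (Join-Path $SitePath 'web.config') -Raw
    $mode = $config.configuration.'system.web'.authentication.mode
    if ($mode -ne 'None') { $problems.Add("system.web/authentication mode is '$mode', expected 'None'") }

    $cs = @($config.configuration.connectionStrings.add) |
        Where-Object { $_.name -eq 'ImageVaultSecurityManager' }
    if (-not $cs) {
        $problems.Add("connection string 'ImageVaultSecurityManager' not found")
        return [pscustomobject]@{ Problems = $problems }
    }
    if ($cs.providerName -ne 'ImageVault.Adfs.Providers.AdfsSecurityManager,ImageVault.Adfs.Providers') {
        $problems.Add("unexpected providerName '$($cs.providerName)'")
    }

    # 3. Parse the semicolon-separated key=value pairs. Keys are compared
    #    case-insensitively here because the page writes both "metadata" and "Metadata".
    $kv = @{}
    foreach ($pair in ($cs.connectionString -split ';')) {
        if ($pair -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $kv[$Matches[1].ToLower()] = $Matches[2] }
    }
    $realm = $kv['wtrealm']; $metadataUrl = $kv['metadata']
    if (-not $realm) { $problems.Add('wtrealm missing') }
    elseif ($realm -notmatch '^https://.+/$') { $problems.Add("wtrealm '$realm' must use https and end with '/'") }
    if (-not $metadataUrl) { $problems.Add('metadata missing') }
    elseif ($metadataUrl -notmatch '^https://') { $problems.Add("metadata '$metadataUrl' must use https: the token-signing certificate is taken from it") }

    # 4. Fetch the federation metadata anonymously and summarise what ImageVault will trust
    $entityId = $null; $passive = $null; $signing = @()
    if ($metadataUrl) {
        try {
            $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
            [xml]$md = $resp.Content
            # entityID is the issuer name AD FS puts into every token
            $entityId = $md.DocumentElement.GetAttribute('entityID')
            # the WS-Federation passive endpoint users are redirected to for sign-in
            $passive = ($md.SelectNodes("//*[local-name()='PassiveRequestorEndpoint']//*[local-name()='Address']") |
                Select-Object -First 1).InnerText
            # token-signing certificates (namespace-agnostic XPath, the document mixes several namespaces)
            $signing = @(foreach ($node in $md.SelectNodes("//*[local-name()='KeyDescriptor'][@use='signing']//*[local-name()='X509Certificate']")) {
                $bytes = [byte[]][Convert]::FromBase64String($node.InnerText.Trim())
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
                [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
            })
            if ($signing.Count -eq 0) { $problems.Add('no token-signing certificate found in the metadata') }
            foreach ($c in $signing) {
                if ($c.NotAfter -lt (Get-Date)) { $problems.Add("token-signing certificate $($c.Thumbprint) has expired") }
            }
        } catch {
            $problems.Add("could not download metadata from $metadataUrl : $($_.Exception.Message)")
        }
    }

    [pscustomobject]@{
        Realm               = $realm
        MetadataUrl         = $metadataUrl
        Issuer              = $entityId
        PassiveEndpoint     = $passive
        SigningCertificates = $signing
        Problems            = $problems
    }
}

# Usage (path is an assumption):
# $r = Test-ImageVaultAdfsConfig -SitePath 'C:\inetpub\ImageVault'
# $r.Problems                                  # empty means all checks passed
# $r.SigningCertificates | Format-Table        # compare with Get-AdfsCertificate -CertificateType Token-Signing on the AD FS server
```

    The thumbprints in SigningCertificates should match the token-signing certificate AD FS reports with Get-AdfsCertificate -CertificateType Token-Signing; a mismatch means the ImageVault server is reading someone else's metadata or a stale copy. On the AD FS side, (Get-AdfsRelyingPartyTrust -Identifier $r.Realm).WSFedEndpoint must return the same Application URL.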
    

    Troubleshooting

    ADFS logs

    If you get an error while logging in through AD FS, the AD FS server has usually recorded the reason. Open Event Viewer on the AD FS server and navigate to "Applications and Services Logs" -> "AD FS" -> "Admin". The AD FS error page shows an activity ID; search for it in the Admin log to find the matching event.

    Redirect HTTP to HTTPS

    If you reach the site over plain HTTP, sign-in at AD FS fails, because the WS-Federation passive endpoint registered for the relying party is an HTTPS URL. To avoid this, add a rewrite rule to web.config that redirects all non-HTTPS traffic to the HTTPS address. The rule below uses the IIS URL Rewrite module, which must be installed on the server.

    <configuration>
        <system.webServer>
            <rewrite>
                <rules>
                    <!-- Redirect every plain-HTTP request to the same URL over HTTPS -->
                    <rule name="Redirect to https" stopProcessing="true">
                        <match url="(.*)"/>
                        <conditions>
                            <add input="{HTTPS}" pattern="off" ignoreCase="true"/>
                        </conditions>
                        <!-- {REQUEST_URI} keeps the requested path and query string, also when
                             ImageVault runs as a virtual application; a bare https://{HTTP_HOST}
                             would send every request to the site root. -->
                        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
                                appendQueryString="false" redirectType="Permanent"/>
                    </rule>
                </rules>
            </rewrite>
        </system.webServer>
    </configuration>
    
    (c) Meriworks 2002-2022