Jon Wilson

Reputation: 15

IdentityServer4 with optional External ADFS for some client configurations

So we are using IdentityServer4 for our web applications, all is good.

We have a new requirement from a client to allow them to perform SSO via their ADFS system using WS-Federation. We already provide this for another one of our older web applications that is not tied into IdentityServer4 yet.

Ideally we would like to tie WS-Federation into IdentityServer4 so it is in one place.

Does anyone know if it is possible to use IdentityServer4 so that we redirect to IdentityServer4, identify that this is the particular client (possibly via an alternative URL), then IdentityServer4 authenticates against ADFS, collects the claims (probably basic, e.g. email/username/etc.), and we then supplement them with additional claims for access and pass back to the web application?

What I'm trying to achieve, ideally, is to not change the existing web application and to sort out the plumbing at IdentityServer4, so the web application wouldn't know or care whether this user was IdentityServer4 only or IdentityServer4 + WS-Federation. This would be useful for other clients across our applications to easily integrate in the future.

Alternatively I could deploy another version of the web application that authenticates directly with my client's ADFS system. However, this seems a waste of server resources/maintenance for just one small client.

I had a look at the external options (where you click Google on or near the IdentityServer4 login screen). Is there a way to automatically redirect to the ADFS without even seeing the IdentityServer4 login screen?

Is this possible?

Thanks, Jon

Upvotes: 0

Views: 4063

Answers (1)

Eric Herlitz

Reputation: 26267

This was released in 2017, see the example at https://github.com/IdentityServer/IdentityServer4.WsFederation

Upvotes: 1
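The flow asked for in the question (IdentityServer4 in front of the web application, the customer's ADFS registered as an external WS-Federation provider, automatic redirect for that one client, and ADFS claims supplemented with application-specific access claims) can be wired up as below. This is an added example and is not code from the question, the answer, or the linked repository. It assumes IdentityServer4 v4.x on ASP.NET Core 3.1 (where the authorization context exposes the Client object) plus the Microsoft.AspNetCore.Authentication.WsFederation package; the scheme name "adfs", the client id "acme-portal", the URLs, and the LookupAccessClaims helper are illustrative placeholders.

```csharp
// Added example, not from the original page. Assumes IdentityServer4 v4.x, ASP.NET Core 3.1 and
// Microsoft.AspNetCore.Authentication.WsFederation. Scheme "adfs", client "acme-portal", all URLs
// and LookupAccessClaims are hypothetical placeholders.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityServerSetup
{
    // The customer's client is pinned to the ADFS provider and has local login disabled, so the
    // login endpoint below can skip the IdentityServer4 login page for it. Other clients are untouched.
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "acme-portal",                       // hypothetical
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RedirectUris = { "https://portal.example.com/signin-oidc" },
            AllowedScopes = { "openid", "profile", "email" },
            EnableLocalLogin = false,
            IdentityProviderRestrictions = { "adfs" },      // must match the scheme name registered below
        },
    };

    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()                // development only; use a managed key in production
            .AddInMemoryIdentityResources(new IdentityResource[]
            {
                new IdentityResources.OpenId(), new IdentityResources.Profile(), new IdentityResources.Email(),
            })
            .AddInMemoryClients(Clients);

        // The customer's ADFS becomes one more external provider; its sign-in lands in the
        // IdentityServer external cookie exactly like the Google/Microsoft samples.
        services.AddAuthentication()
            .AddWsFederation("adfs", options =>
            {
                options.MetadataAddress = "https://adfs.customer.example/FederationMetadata/2007-06/FederationMetadata.xml";
                options.Wtrealm = "https://login.example.com/";  // relying-party identifier configured in ADFS
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            });
    }
}

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    public AccountController(IIdentityServerInteractionService interaction) => _interaction = interaction;

    [HttpGet]
    public async Task<IActionResult> Login(string returnUrl)
    {
        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
        var client = context?.Client;
        // Honour an explicit acr_values=idp:adfs hint, otherwise derive the provider from the client:
        // local login off + exactly one allowed provider means there is nothing to choose on a login page.
        var scheme = context?.IdP;
        if (scheme == IdentityServerConstants.LocalIdentityProvider) scheme = null;
        if (scheme == null && client != null && !client.EnableLocalLogin && client.IdentityProviderRestrictions.Count == 1)
            scheme = client.IdentityProviderRestrictions.Single();
        if (scheme == null) return View();                  // normal IdentityServer4 login page

        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action(nameof(Callback)),
            Items = { { "returnUrl", returnUrl }, { "scheme", scheme } },
        };
        return Challenge(props, scheme);                    // straight to ADFS, no login screen
    }

    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true) return Unauthorized();

        var external = result.Principal;
        // Stable subject from ADFS: prefer UPN, fall back to the SAML NameID.
        var sub = external.FindFirst(ClaimTypes.Upn)?.Value ?? external.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(sub)) return Unauthorized();

        var email = external.FindFirst(ClaimTypes.Email)?.Value;
        var user = new IdentityServerUser(sub)
        {
            IdentityProvider = result.Properties.Items["scheme"],
            DisplayName = external.FindFirst(ClaimTypes.Name)?.Value,
        };
        if (email != null) user.AdditionalClaims.Add(new Claim("email", email));
        foreach (var c in LookupAccessClaims(sub, email)) user.AdditionalClaims.Add(c);  // our supplement

        await HttpContext.SignInAsync(user);                // IdentityServer4 session cookie
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

        var returnUrl = result.Properties.Items.TryGetValue("returnUrl", out var r) ? r : "~/";
        return _interaction.IsValidReturnUrl(returnUrl) || Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : Redirect("~/");
    }

    // Hypothetical: the application's own entitlement lookup keyed on the ADFS identity.
    private static IEnumerable<Claim> LookupAccessClaims(string sub, string email)
    {
        yield return new Claim("role", "portal.user");
        if (email != null && email.EndsWith("@customer.example")) yield return new Claim("tenant", "acme");
    }
}
```

Two caveats for the claims part. AdditionalClaims end up in the IdentityServer session cookie, but the default profile service only emits claims the client requested through its identity resources, so "role" and "tenant" reach the id_token or userinfo only if an IdentityResource lists them or an IProfileService is registered with AddProfileService. And the redirect logic trusts EnableLocalLogin and IdentityProviderRestrictions on the client record, so the ADFS shortcut applies only to clients you configure that way; an attacker cannot pick the provider by URL alone, since an idp hint not in the client's restriction list is rejected by IdentityServer4 before the login page is reached.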
