lcryder

Reputation: 496

Conditional authentication with ADFS

We have a semi-public .Net web site (hosted on our server) that needs to authenticate with a client's ADFS.

We'd like to redirect to the ADFS authentication site 'when needed' and redirect back to one page in our site.

Our page would need to extract the user information and establish session. Is this in the claim? How do we get this information?

When redirecting to the ADFS authentication site we'd like to pass information that will be returned back to us.

Is this possible?

Any information you can provide is greatly appreciated. We've been looking everywhere and can't seem to find this scenario.

Thanks!

Upvotes: 1

Views: 123

Answers (1)

Peter Liapin

Reputation: 1275

Our page would need to extract the user information and establish session. Is this in the claim? How do we get this information?

With AD FS it is possible to configure what kind of information is sent back to your application when you configure a relying party on AD FS server. It is called Claim Issuance Policy:

[Screenshot: AD FS: edit Claim Issuance Policy]

Here you can configure the rules to send the values of LDAP attributes as claims:

[Screenshot: AD FS: edit Claim Issuance Policy Rules]

Now, when you decode a SAMLResponse in your application you will see a user profile with the attributes you configured for that particular relying party. Something like this (note: in my sample above I configured AD FS to send UPN and Groups):

{
    "issuer": "http://fs.mysite.com/adfs/services/trust",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "[email protected]",
    "http://schemas.xmlsoap.org/claims/Group": [
        "Group 1",
        "Group 2"
    ]
}

When redirecting to the ADFS authentication site we'd like to pass information that will be returned back to us.

Is this possible?

Yes, you can use RelayState. It is a parameter which you pass to AD FS and which is returned back to your application unchanged together with SAMLResponse.

Upvotes: 2
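The two halves of the answer above (reading the configured claims out of the SAMLResponse, and carrying state across the round trip with RelayState) are shown together below in an added Python example. It is not code from the question, the answer, or AD FS itself. The SAMLResponse is a constructed sample with the same UPN and Group attributes the answer describes, the URLs and the UPN value are made-up placeholders, and the in-memory RelayState store stands in for whatever session or cache store a real application would use. Signature and assertion-condition validation (audience, NotOnOrAfter) are left to a SAML library and are not reimplemented here; the point of the example is the shape of the claims and why RelayState should be an opaque, server-side token rather than the raw return URL.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of what AD FS posts to the application's ACS endpoint
# (XML signature omitted). Issuer and attribute names follow the answer above;
# the UPN value is a placeholder.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://fs.mysite.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://fs.mysite.com/adfs/services/trust</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Group 1</saml:AttributeValue>
        <saml:AttributeValue>Group 2</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def extract_claims(saml_response_b64):
    """Decode a base64 SAMLResponse and return the claims in the shape the
    answer shows: issuer, plus one key per attribute (string if single-valued,
    list if multi-valued). Raises on a non-Success status."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("SAMLResponse status is not Success")
    claims = {"issuer": root.findtext("saml:Issuer", namespaces=NS)}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values[0] if len(values) == 1 else values
    return claims


class RelayStateStore:
    """Server-side map from an opaque token to the page to return to.
    Keeping the real return path on the server means RelayState never carries
    an attacker-controllable URL, so it cannot become an open redirect.
    Hypothetical in-memory store; a real app would use its session or cache."""

    def __init__(self):
        self._pending = {}

    def create(self, return_path):
        token = secrets.token_urlsafe(24)
        self._pending[token] = return_path
        return token

    def consume(self, token):
        # One-shot: a token is removed the first time it comes back.
        return self._pending.pop(token, None)


def build_login_redirect(idp_sso_url, acs_url, issuer, relay_state):
    """Build the HTTP-Redirect binding URL that sends the browser to AD FS:
    AuthnRequest -> raw DEFLATE -> base64 -> query string, with RelayState."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    authn_request = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{now}" '
        f'AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"


def handle_acs(form, store, expected_issuer):
    """Process the POST from AD FS: check the issuer, pull the claims, and
    resolve RelayState back to the page the user originally asked for.
    Signature/conditions validation is assumed to happen in a SAML library
    before this point."""
    claims = extract_claims(form["SAMLResponse"])
    if claims["issuer"] != expected_issuer:
        raise ValueError("SAMLResponse from unexpected issuer")
    return_path = store.consume(form.get("RelayState", ""))
    if return_path is None:
        raise ValueError("unknown or already-used RelayState")
    return claims, return_path
```

In use, the page that decides authentication is "needed" calls `store.create()` with the current path and redirects to `build_login_redirect(...)`; the single ACS page then calls `handle_acs(...)`, establishes the session from the returned claims, and redirects to the resolved `return_path`. Because the store is consulted rather than the RelayState value itself, a forged or replayed RelayState is rejected instead of being followed.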
