CodeLearner

Reputation: 439

MVC 4 web application using ADFS to authenticate users from different organisations

I have a web application developed using ASP.NET 4.5 and MVC 4. It originally used Forms Authentication for users to log in; however, we are moving it to ADFS (WS-Federation) authentication. The idea is that users from my organisation (Org 1) and another organisation (Org 2) will be able to log in using ADFS (WS-Fed). ADFS is set up so that when you navigate to the web application's URL it is redirected to the ADFS login screen. At this point, it displays an option for the two organisations, Org 1 and Org 2. If you belong to Org 1, you click this button and then have to enter your username and password. The same thing happens if you click the Org 2 button. The ADFS servers in Org 1 and Org 2 have exchanged metadata/certificates and the claim values.

When a user from Org 1 logs in, there is no problem: after successful ADFS authentication, they are redirected back to the web application with the required claims (the web app uses the info in these claims). However, when a user from Org 2 logs in, they are authenticated but their claims aren't reaching the web application.

Does the web application need to be configured to work with both ADFS servers, from Org 1 and Org 2? My original thought was that Org 1 (my own organisation) would handle all the ADFS authentication. The web app would point to it, and when a user from Org 2 tries to log in, our ADFS would redirect the request to Org 2; Org 2 would then send the claims back to our organisation's ADFS server, which would redirect back to the application with the claims. Am I wrong in thinking this?

Upvotes: 0

Views: 156

Answers (1)

rbrayb

Reputation: 46720

No, that's correct.

Two possibilities:

  • Org2's ADFS has the wrong claims rules.
  • Your ADFS has no pass-through claims rules. You need these rules on your CP trust (for Org2) and on your RP trust.

It needs these rules to pass through what it receives from Org2.

Upvotes: 0
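The two rule sets the answer refers to, written out as an added example (this is not code from the question, the answer, or any project; it is illustrative configuration for the Org 1 federation server). It assumes the claims provider trust for Org 2 is named "Org2", the relying party trust for the MVC app is named "MvcApp", and Org 2 users have email addresses under org2.example; all three names are assumptions. The ADFS cmdlets and the claim rule language used here are the standard ones on an ADFS server.

```powershell
# Added example, not part of the original question or answer. Assumes an ADFS
# federation server in Org 1 with a claims provider trust named "Org2" and a
# relying party trust named "MvcApp" (both names assumed). Run in an elevated
# PowerShell session on the federation server.
Import-Module ADFS

$email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$name  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$role  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# 1. Acceptance transform rules on the claims provider trust (Org 2 -> Org 1 ADFS).
#    Without any rule here, every claim Org 2 issues is dropped at Org 1's ADFS,
#    which matches the symptom in the question. Pass through only the claim types
#    the app needs rather than "c:[] => issue(claim = c);", and constrain the
#    email value to Org 2's domain (org2.example is assumed) so a federated
#    partner cannot assert an identity that belongs to an Org 1 user. Role claims
#    from Org 2 are prefixed so they cannot collide with roles granted to Org 1
#    users by the local directory.
$cpRules = @"
@RuleName = "Pass through Org 2 email, restricted to the Org 2 domain"
c:[Type == "$email", Value =~ "^[^@]+@org2\.example`$"]
 => issue(claim = c);

@RuleName = "Pass through Org 2 display name"
c:[Type == "$name"]
 => issue(claim = c);

@RuleName = "Pass through Org 2 roles with an Org2: prefix"
c:[Type == "$role"]
 => issue(Type = "$role", Value = "Org2:" + c.Value);
"@

Set-AdfsClaimsProviderTrust -TargetName "Org2" -AcceptanceTransformRules $cpRules

# 2. Issuance transform rules on the relying party trust (Org 1 ADFS -> MVC app).
#    The RP only receives what these rules emit, whether the claims originated
#    from the local AD (Org 1 users) or were accepted from Org 2 in step 1.
$rpRules = @"
@RuleName = "Issue email to MvcApp"
c:[Type == "$email"]
 => issue(claim = c);

@RuleName = "Issue name to MvcApp"
c:[Type == "$name"]
 => issue(claim = c);

@RuleName = "Issue role to MvcApp"
c:[Type == "$role"]
 => issue(claim = c);
"@

Set-AdfsRelyingPartyTrust -TargetName "MvcApp" -IssuanceTransformRules $rpRules

# 3. Check what is now configured on both trusts before testing an Org 2 login.
(Get-AdfsClaimsProviderTrust -Name "Org2").AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name "MvcApp").IssuanceTransformRules
```

The two rule sets are deliberately asymmetric: the acceptance rules on the claims provider trust are the trust boundary with Org 2, so they filter by claim type and value, while the issuance rules on the relying party trust only forward what has already been accepted. If the Org 2 user still arrives without claims after this, compare the claim types Org 2 actually sends (the first possibility in the answer) against the types named in the acceptance rules, since a type mismatch silently drops the claim.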
