
I'm creating a web application that will be used by users that are included in an Active Directory.

Before, we were connecting our app directly to the AD using LDAPS. My client is now using ADFS and wants to close the LDAPS "gateway".

I'm kind of lost, but here is my understanding:

The ADFS will be on the same domain controller as the AD. Since my web app is on another server, also on another domain, my client will have to specify that the claims made from my server are trusted.

So here is my question:

1 - What does my client have to do in ADFS?

  • I saw the notion of a relying party, but is this notion only used if I also have ADFS installed on my server? Or am I in the right direction?

2 - Do I need to install anything on my server?

  • I think my client will need to give me a certificate so my calls are trusted.
  • Do I have to install ADFS on my server, so the claims will be made between ADFS servers?
  • Do I need to install an ADFS proxy?

Thanks in advance, I'm kind of more lost than before I started my search.

P.S. I can't use the integrated Visual Studio tool to connect to ADFS because I have mixed authentication (Database and ADFS).

GregM

2 Answers


You really should look for developer guidance on Stack Overflow rather than the IT pro view on Server Fault.

The client will be the identity provider (AD FS) who validates credentials. They will install AD FS and create a relying party that points to your app.

You will need on your server (relying party) some middleware like WIF or OWIN to consume the incoming token, and you will need to code your app to be claims aware.

I suggest reviewing https://msdn.microsoft.com/en-us/library/hh873308(v=vs.110).aspx which shows how WIF is used in a scenario like this.

maweeras

Assume ADFS / AD is domainA. Your app is domainB.

  • What does my client have to do in ADFS?

You need to configure your client as a RP in ADFS. How you configure it depends on the protocol you want to use. You have a choice of:

  1. WIF
  2. WS-Fed via OWIN
  3. SAML via OWIN
  4. OpenID Connect / OAuth via OWIN (ADFS 4.0)

You don't need to install ADFS on domain B.

  • Do I need to install anything on my server?

In domainB? No. If you want to use a proxy, that's installed in domainA.

Note that because your app is in a different domain and therefore not domain joined, you will not be able to use IWA. You will use FBA.

rbrayb
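Both answers point at the "WS-Fed via OWIN" route for the domainB app with no ADFS install of its own. The following is an added example (not code from either answer or from the asker) of what that looks like on the relying-party side while keeping a separate database login, as the question's P.S. requires: one application cookie for both login paths, WS-Federation in passive mode so only the "Sign in with ADFS" action redirects to the federation server, and issuer/signing certificate taken from the ADFS metadata over TLS. Hostnames, the realm, the namespace and the controller are hypothetical; it assumes ASP.NET MVC 5 with the Katana packages Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.WsFederation and Microsoft.Owin.Host.SystemWeb.

```csharp
// Added example, not from the thread. Hypothetical hosts: adfs.domaina.example (the
// client's ADFS) and app.domainb.example (this relying-party app); ASP.NET MVC 5 + Katana.
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
[assembly: OwinStartup(typeof(RpApp.Startup))]
namespace RpApp
{
    public class Startup
    {
        // Must equal the Identifier the ADFS admin puts on the relying party trust in domainA.
        private const string Realm = "https://app.domainb.example/";
        // Issuer name and token-signing certificate are read from this metadata over TLS.
        private const string AdfsMetadata = "https://adfs.domaina.example/FederationMetadata/2007-06/FederationMetadata.xml";

        public void Configuration(IAppBuilder app)
        {
            // One application cookie is the session for both login paths (database and ADFS).
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                LoginPath = new PathString("/Account/Login"),   // the database login form
                CookieSecure = CookieSecureOption.Always
            });
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Realm,
                MetadataAddress = AdfsMetadata,
                // Passive: redirect to ADFS only on an explicit challenge, never for database users.
                AuthenticationMode = AuthenticationMode.Passive
            });
        }
    }

    public class AccountController : Controller
    {
        // Target of the "Sign in with ADFS" button; rejects non-local returnUrl (open redirect).
        public void AdfsLogin(string returnUrl)
        {
            var target = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = target },
                WsFederationAuthenticationDefaults.AuthenticationType);
        }
    }
}
```

Because the audience check uses Wtrealm, the value here and the Identifier configured on the ADFS relying party trust have to match exactly, or every token will be rejected.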