
Need to work with SAML 2.0

Nov 13, 2015 at 3:45 PM
I have a Relying Party app set up in ADFS. I used this to get it going:

I also have a Claims Provider trust set up, and they only want to use SAML 2.0 for claims passing. They also use ADFS (both on Windows 2012 R2). Our trusts are established and authentication works (they gave me a "dummy user" in their AD to test with).

I THINK my claims rules are set up appropriately for both the CP and RP sides of the house, but let me tell you what seems to be happening. Maybe I'm missing something here.

When browsing to my RP app, I can choose the CP from HRD and get a valid login. My app says the user is authenticated but no explicit claims are being passed into the app (I am just spitting out all claims right now). I can see that the "authenticationmethod" claim is urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.

We have agreed on E-mail and Given Name as claims. Here's the setup:
  • Claims Provider Trust claims
    E-mail Address pass-through
    Given Name pass-through
  • Relying Party Trust claims
    E-mail Address Transform Rule (incoming: E-mail Address, outgoing: E-mail Address)
    Given Name Transform Rule (incoming: Given Name, outgoing: Given Name)
I did have E-mail Address and Given Name pass-through rules set on the RP but thought I needed to change them.

Using SAML trace, I only see SAML going over the wire when I go to my IdpInitiatedSignon.aspx page and sign in to the CP. If I browse to my RP, it's just WS-Fed being used.

Can I tell the RP in ADFS to only use SAML 2? Can I configure Katana to say "Use SAML2"?

I thought the two ADFS servers would negotiate that so I didn't have to explicitly worry about SAML 2 in my app. But it seems like the claims get "lost" somehow...

Thanks for reading and any advice / pointers you can share. I feel like I'm so close.
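For reference, here are the four rules listed in the post written out in the AD FS claim rule language and applied with the AD FS PowerShell cmdlets, followed by the read-back a practitioner would use to confirm what is actually in effect on each trust. This is an added example, not code from the original post or from the AD FS product; the trust names 'PartnerCP' and 'MyRpApp' are assumed, and the commands assume they run on the AD FS 2012 R2 server with its PowerShell module loaded.

```powershell
# Added example (not from the original post). Assumes the hypothetical trust
# names 'PartnerCP' (Claims Provider trust) and 'MyRpApp' (Relying Party trust).
$email = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$given = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'

# Claims Provider trust: acceptance transform rules. A pass-through rule keeps the
# incoming claim unchanged; with no Value condition it accepts any value the
# partner asserts for that claim type, so only add types you actually trust.
$cpRules = @"
@RuleName = "Pass through E-mail Address"
c:[Type == "$email"]
 => issue(claim = c);

@RuleName = "Pass through Given Name"
c:[Type == "$given"]
 => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName 'PartnerCP' -AcceptanceTransformRules $cpRules

# Relying Party trust: issuance transform rules. A transform from a type to the
# same type (the wizard's "Transform an Incoming Claim" template) behaves like a
# pass-through; both spellings are shown so they can be compared side by side.
$rpRules = @"
@RuleName = "Pass through E-mail Address"
c:[Type == "$email"]
 => issue(claim = c);

@RuleName = "Transform Given Name to Given Name"
c:[Type == "$given"]
 => issue(Type = "$given", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@
Set-AdfsRelyingPartyTrust -TargetName 'MyRpApp' -IssuanceTransformRules $rpRules

# Read back both sides of the pipeline to verify the rules that are really in effect.
Get-AdfsClaimsProviderTrust -Name 'PartnerCP' | Select-Object Name, AcceptanceTransformRules
Get-AdfsRelyingPartyTrust  -Name 'MyRpApp'   | Select-Object Name, IssuanceTransformRules
```

Both rule sets match on the claim Type string only, so a claim from the federated partner reaches the RP only if the SAML attribute the partner sends carries exactly that URI as its attribute Name; a SAML trace of the partner's assertion (captured during the IdP-initiated sign-in) is the place to confirm the attribute names before adjusting either side's rules.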