WIF, ADFS 2 and WCF–Part 3: ADFS Setup

In part 1 of this series I briefly gave an overview of the ADFS / WS-Trust infrastructure. In part 2 we created a basic WCF service that uses ADFS for authentication. This part will walk you through the steps to register the service in ADFS 2.

I could provide screenshots for all the wizard pages here – but since this is really easy – I will just go through the necessary steps in textual form.

Step 1 – Select Data Source
Here you can decide whether to import a federation metadata file that describes the service you want to register. In that case all necessary information is inside the metadata document and you are done. FedUtil (a tool that ships with WIF) can generate such metadata for the simplest cases. Another tool to create metadata can be found here. We choose ‘Manual’ here.

Step 2 – Specify Display Name
I guess that’s self-explanatory.

Step 3 – Choose Profile
Choose ‘ADFS 2 Profile’ here.

Step 4 – Configure Certificate
Remember that in the previous post we specified a certificate (or rather a private key) to be used for decrypting incoming tokens. Here you specify the corresponding public key that ADFS 2 should use for encrypting the token.

Step 5 – Configure URL
This page is used to configure WS-Federation and SAML 2.0p support. Since we are using WS-Trust you can leave both boxes unchecked.

Step 6 – Configure Identifier
Here you specify the identifier (aka the realm, aka the appliesTo) that will be used to request tokens for the service. This value is sent in the token request, and ADFS 2 uses it to find the matching relying party configuration and claim rules.

Step 7 – Configure Issuance Authorization Rules
Here you can configure who is allowed to request tokens for the service. I won’t go into detail here on exactly how these rules work – that’s for a separate blog post. For now simply use the “Permit all users” option.
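
The manual entries from steps 2, 4, 6 and 7 can also be scripted with the ADFS 2 PowerShell snap-in. The following is an added example, not part of the original post; the display name, identifier and certificate path are constructed sample values.

```powershell
# Added example: scripted equivalent of the manual wizard entries.
# Run on the ADFS 2 server in an elevated PowerShell session.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Constructed sample values (assumptions, replace with your own).
$displayName = 'Sample WCF Service'                 # Step 2: display name
$identifier  = 'https://service.example.com/wcf/'   # Step 6: realm / appliesTo
$certPath    = 'C:\certs\service-encryption.cer'    # Step 4: public certificate file

# Step 4: ADFS 2 only needs the public key to encrypt tokens for the service.
# Refuse a file that also carries the private key; that key stays on the service host.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
if ($cert.HasPrivateKey) {
    throw "'$certPath' contains a private key. Export the public certificate (.cer) instead."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Encryption certificate expired on $($cert.NotAfter)."
}

# Step 6: the identifier must be unique, since ADFS 2 uses it to select
# the relying party configuration for an incoming token request.
if (Get-ADFSRelyingPartyTrust -Identifier $identifier) {
    throw "A relying party trust with identifier '$identifier' already exists."
}

# Step 7: the rule behind the "Permit all users" option.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 5: no -WSFedEndpoint or -SamlEndpoint is passed, because the service uses WS-Trust.
Add-ADFSRelyingPartyTrust `
    -Name $displayName `
    -Identifier $identifier `
    -EncryptionCertificate $cert `
    -IssuanceAuthorizationRules $permitAll

# Read the trust back to confirm what was stored.
Get-ADFSRelyingPartyTrust -Name $displayName |
    Format-List Name, Identifier, EncryptionCertificate, IssuanceAuthorizationRules
```

Reading the trust back with `Get-ADFSRelyingPartyTrust` is also a quick way to audit which relying parties still carry the permit-all authorization rule.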

OK – that’s it. The service is now registered at ADFS 2. In the next part we will finally look at the service client.

Stay tuned…
