
[ Trying to implement SSO for Dynamics 2011 with ADFS 2.0 claims: claims not being passed through ]

I'm trying to implement SSO for Microsoft Dynamics 2011 as described in this (very poorly written) walkthrough.
I've configured my ASP.NET website as a relying party in ADFS Manager, and followed the instructions to add an STS reference.
I've defined an issuance transform rule for the UPN field in ADFS.

In my ASP.NET application, when doing this:

    IClaimsIdentity claimsIdentity = ((IClaimsPrincipal)(Thread.CurrentPrincipal)).Identities[0];

I do get an instance of Microsoft.IdentityModel.Claims.ClaimsIdentity; however, its Claims collection is empty.

I've noticed, however, that the FederationMetadata.xml generated by the 'Add STS reference' wizard only contains two <auth:ClaimType> elements, for name and role, both with Optional="true".
However, if I try to manually edit and update my relying party's FederationMetadata.xml to add upn as a claim type, or to make one of the existing claim types non-optional, I encounter the following error: ID6018 Digest verification failed.
If I revert back to Optional="true" for both, the error doesn't occur.

Can anyone provide any insight as to how to get the UPN field to my ASP.NET app?
Also, better how-tos/walkthroughs than the one I've mentioned would be greatly appreciated.

I'm not really sure what further information to supply here, so I'll just post my application's FederationMetadata.xml:

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_bad84517-5281-47e8-be9d-2e1a78eae772" entityID="https://MyAspnetSite.com:4455/"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_bad84517-5281-47e8-be9d-2e1a78eae772">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>
          eWoZYLA/oMNMWd+S9m0TlbIg2rUSuumAckA0BTdAqbg=
        </ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      yMubsY42ZblFDP4ZFEO06uT317c/xdMUF7PrOhPpShkDtbigg1TWq3tGYEa35+xpfjqQCseHJH07ftkxOH6t0u6ngqbGCmZ4yaOBTA3bdbGMGull6WwLSQIxNn2eR1mRzyF2mIM3t4Jfl6EoOZ0msnsyUTVI9Oq03eFweDN2zoI=
    </ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
        <X509Certificate>
           certificate data
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </ds:Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
                  protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
           certificate data
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesRequested>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="false"
                      xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="false"
                      xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2005/05/identity/claims/upn" Optional="false"
                      xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
    </fed:ClaimTypesRequested>
    <fed:TargetScopes>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>
          https://MyAspnetSite.com:4455/
        </Address>
      </EndpointReference>
    </fed:TargetScopes>
    <fed:ApplicationServiceEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>
          https://MyAspnetSite.com:4455/
        </Address>
      </EndpointReference>
    </fed:ApplicationServiceEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
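The ID6018 error in the question is the expected outcome of editing a signed document: the ds:Reference above covers the whole EntityDescriptor (minus the signature itself, via the enveloped-signature transform), so any change to a ClaimType attribute changes the SHA-256 digest. As an added example that is not part of the original question, the following PowerShell script replays the check ADFS performs on FederationMetadata.xml using the .NET SignedXml class, then shows that flipping one Optional attribute inside the signed subtree fails verification. It assumes Windows PowerShell 5.1 on .NET Framework 4.6.2 or later (where the rsa-sha256 SignatureMethod used in the posted file is registered by default) and a file named FederationMetadata.xml in the current directory; both are assumptions, not details from the post.

```powershell
# Added example (not code from the original post): verify the enveloped XML-DSig on a
# FederationMetadata.xml the same way ADFS/WIF does before trusting its contents, then
# show that hand-editing one attribute inside the signed subtree breaks the digest.
# Assumptions: Windows PowerShell 5.1 on .NET Framework 4.6.2+ (rsa-sha256 registered),
# and a wizard-generated metadata file at .\FederationMetadata.xml.
Add-Type -AssemblyName System.Security

function Test-FederationMetadataSignature {
    param([Parameter(Mandatory)][string]$Path)

    $doc = New-Object System.Xml.XmlDocument
    # The digest was computed over the document as serialized; whitespace must survive loading.
    $doc.PreserveWhitespace = $true
    $doc.Load((Resolve-Path $Path).Path)

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $sigNode = $doc.SelectSingleNode('/*/ds:Signature', $ns)
    if ($null -eq $sigNode) { throw "No enveloped ds:Signature under the root element of $Path" }

    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signedXml.LoadXml([System.Xml.XmlElement]$sigNode)

    # CheckSignature() replays the Reference: it locates the element whose ID matches the
    # Reference URI, applies the enveloped-signature and exc-c14n transforms, hashes the
    # result with the DigestMethod (SHA-256 here) and compares it with DigestValue, then
    # verifies SignatureValue over SignedInfo with the certificate from KeyInfo. Any byte
    # changed inside the signed EntityDescriptor fails the digest comparison, which ADFS
    # surfaces as ID6018 "Digest verification failed".
    $valid = $signedXml.CheckSignature()

    # Surface which certificate signed the document so its hash can be compared with the
    # RP's own signing certificate before the file is trusted at all.
    $cert = $signedXml.KeyInfo |
        Where-Object { $_ -is [System.Security.Cryptography.Xml.KeyInfoX509Data] } |
        ForEach-Object { $_.Certificates } |
        Select-Object -First 1
    $signerHash = $null
    if ($cert) { $signerHash = $cert.GetCertHashString() }

    [pscustomobject]@{
        Path         = $Path
        SignatureOk  = $valid
        SignerSha1   = $signerHash
        ReferenceUri = $signedXml.SignedInfo.References[0].Uri
    }
}

function Test-MetadataTamperDetection {
    # Copies the metadata, flips Optional="true" to "false" (the edit the question
    # describes) and verifies both files: the untouched one passes, the edited copy fails.
    param([Parameter(Mandatory)][string]$Path)

    $tampered = Join-Path ([System.IO.Path]::GetTempPath()) 'FederationMetadata.tampered.xml'
    # Read and write as raw text so no encoding or line-ending change is introduced
    # other than the one attribute edit under test.
    $raw = [System.IO.File]::ReadAllText((Resolve-Path $Path).Path)
    [System.IO.File]::WriteAllText($tampered, ($raw -replace 'Optional="true"', 'Optional="false"'))

    Test-FederationMetadataSignature -Path $Path
    Test-FederationMetadataSignature -Path $tampered
}

Test-MetadataTamperDetection -Path '.\FederationMetadata.xml'
```

The first object reports the untouched file as valid together with the SHA-1 hash of the certificate that signed it; the second, from the edited copy, reports it as invalid even though the XML is still well formed. The fix for a wrong ClaimTypesRequested list is to regenerate the metadata from the relying party (re-run the wizard) so it is re-signed with the RP's key, but note that the element is only advisory: what ADFS actually issues is decided by the issuance transform rules on the relying party trust.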

Answer 1


You can't modify the FederationMetadata document directly because it is digitally signed. If you do, it will be rejected by ADFS, as it believes it has been tampered with.

Anyway, the metadata doc doesn't control what claims are being issued in ADFS. In addition to adding the RP, you need to create rules in ADFS that define what claims will be issued for this RP.

This other doc for CRM explains how to do it.
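To make the second point concrete, here is an added PowerShell example, not code from this answer or from the CRM document it refers to, that imports the relying party from the posted metadata and attaches the ADFS 2.0 issuance rules that decide which claims the token carries. The display name MyAspnetSite, the path C:\temp\FederationMetadata.xml, and the choice of LDAP attributes are assumptions; the RP identifier comes from the posted metadata.

```powershell
# Added example (not from the original post or the walkthrough it references): register the
# ASP.NET site as an ADFS 2.0 relying party from its signed metadata and attach the issuance
# rules that actually control which claims are issued. Assumptions: ADFS 2.0 on Windows
# Server 2008 R2 (Microsoft.Adfs.PowerShell snap-in), run elevated on the federation server;
# display name "MyAspnetSite"; metadata copied to C:\temp\FederationMetadata.xml.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName       = 'MyAspnetSite'
$metadataFile = 'C:\temp\FederationMetadata.xml'

# Import the relying party from its metadata. ADFS verifies the XML-DSig on the file, so it
# must be the wizard-generated document, not a hand-edited copy.
if (-not (Get-ADFSRelyingPartyTrust -Name $rpName)) {
    Add-ADFSRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile
}

# Issuance transform rules, in ADFS claim rule language. These, not <fed:ClaimTypesRequested>
# in the metadata, decide what is issued: with no rules the RP receives a validly signed token
# whose claim set is empty, which is the symptom in the question. The UPN claim type ADFS
# issues lives in the schemas.xmlsoap.org namespace; the schemas.microsoft.com/.../upn URI in
# the posted metadata will never match it.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN, display name and group names from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";userPrincipalName,displayName,tokenGroups;{0}",
          param = c.Value);
'@

# Issuance authorization rules. A trust created from PowerShell has none, and ADFS denies
# issuance when no authorization rule permits it, so grant access explicitly. Permit-all is
# what the GUI wizard writes; tighten it to a group claim once the flow works.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read back what ADFS will enforce for this RP before testing from a browser.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules, IssuanceAuthorizationRules |
    Format-List
```

After this, a WS-Federation sign-in for https://MyAspnetSite.com:4455/ carries upn, name and role claims, and the Claims collection on the ClaimsIdentity in the question is no longer empty. The final Get-ADFSRelyingPartyTrust call is the check to run when claims go missing: if IssuanceTransformRules is empty, the problem is on the ADFS side regardless of what the metadata says.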

Answer 2


Well, for the benefit of the poor souls who may encounter this in the future, I'll document what the problem was for me:
The 'Add STS reference' wizard had altered my web.config in the wrong way.

I don't know why that is; perhaps it's because I had a pre-existing <system.serviceModel> section, but the wizard added the <claimTypeRequirements> section and all sorts of other stuff under <system.serviceModel> \ <bindings> \ <ws2007FederationHttpBinding>, which didn't really seem to do anything.
I ended up deleting it and manually adding the appropriate <microsoft.identityModel> section.
That seems to have done the trick.
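For readers who hit the same web.config problem, the following is an added example of the <microsoft.identityModel> section this answer refers to, written for WIF 3.5 (the Microsoft.IdentityModel assembly that Dynamics CRM 2011 and the question's IClaimsPrincipal code use); it is not the answerer's configuration. The ADFS hostname adfs.example.com and the two thumbprint placeholders are assumptions; the audience and realm URIs come from the posted metadata. The ws2007FederationHttpBinding material the answer describes belongs to WCF active federation and plays no part in a passive (browser redirect) sign-in, which is why removing it changed nothing.

```xml
<?xml version="1.0"?>
<!-- Added example, not the answerer's web.config: minimal WIF 3.5 passive federation
     configuration for an ASP.NET RP behind ADFS 2.0. Assumed values: adfs.example.com and
     the two *_THUMBPRINT placeholders. -->
<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <system.web>
    <!-- WIF owns authentication. The WS-Federation response is an HTTP POST carrying XML,
         which ASP.NET 4 request validation rejects unless the 2.0 mode is used. -->
    <authentication mode="None" />
    <authorization>
      <deny users="?" />
    </authorization>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>

  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
           preCondition="managedHandler" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>

  <microsoft.identityModel>
    <service>
      <!-- Must equal the RP identifier ADFS writes into the token's audience restriction;
           a token issued for any other realm is rejected here. -->
      <audienceUris>
        <add value="https://MyAspnetSite.com:4455/" />
      </audienceUris>

      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://adfs.example.com/adfs/ls/"
                      realm="https://MyAspnetSite.com:4455/"
                      requireHttps="true" />
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>

      <!-- Trust is pinned to the ADFS token-signing certificate's thumbprint: a token signed
           by any other key fails here. With certificateValidationMode="None" this pin is the
           only trust check, which is the usual arrangement for ADFS 2.0's self-signed
           token-signing certificate; use ChainTrust instead if that certificate chains to a
           CA the RP already trusts. -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="ADFS_TOKEN_SIGNING_CERT_THUMBPRINT"
               name="http://adfs.example.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />

      <!-- The posted metadata advertises a KeyDescriptor use="encryption", so ADFS encrypts
           the token to that certificate; WIF needs the matching private key to decrypt it. -->
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint"
                              findValue="RP_ENCRYPTION_CERT_THUMBPRINT"
                              storeLocation="LocalMachine"
                              storeName="My" />
      </serviceCertificate>
    </service>
  </microsoft.identityModel>
</configuration>
```

Two checks are worth making before blaming ADFS for an empty claim set: that the audienceUris value matches the RP identifier byte for byte (trailing slash included), and that the thumbprint in trustedIssuers is the ADFS token-signing certificate, not the service communications or token-decrypting one; either mismatch produces an authentication failure rather than a silent empty identity, which helps distinguish a web.config problem from the missing issuance rules described in the answer above.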