Wednesday, October 21, 2015

ADFS : Customising ADFS functionality

This post is NOT about customising the look and feel - it's about customising what ADFS actually does.

ADFS 2.0 was built on IIS and was basically a web site, so you had the opportunity to adapt the web pages and change some of the flow.

ADFS 3.0 does not use IIS - it's built on top of http.sys, so there are no web pages to alter.

Essentially, it's locked down and there's no way in.

So if you need to alter the flow in some way, what can you do?

I've been involved in two projects recently where this was required.

For a WS-Federation project, I added thinktecture's identityserver into the pipeline. This can act as both an IdP and an RP. Essentially, it was a proxy.

So RP <--> IdSrv2 <--> ADFS.

It's open source so you can alter the code. It wasn't used for local authentication but rather for pass-through.

You can capture the request on both the upstream (IdSrv2 to ADFS) and downstream (IdSrv2 to RP) legs and alter it as required.

For a SAML-P project, I added ComponentSpace's SAML stack into the pipeline. This can act as both an IdP and an SP. Essentially, it was a proxy. (Note this is commercial.)

So SP <--> ComponentSpace <--> ADFS.

It's not open source but they provide both IdP and SP examples. You can pretty much merge the two examples together. It wasn't used for local authentication but rather for pass-through.

You can capture the request on both the upstream (ComponentSpace to ADFS) and downstream (ComponentSpace to SP) legs and alter it as required.
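To make the pass-through proxy idea concrete for both the WS-Federation and the SAML-P cases above, here is an added example (my own illustration in Python, not code from the post, from thinktecture's identityserver, from ComponentSpace or from ADFS). It models the SAML-P variant: the proxy rewrites the SP's AuthnRequest on the way up so that ADFS sees the proxy as the relying party, then validates the ADFS Response on the way down, alters the claims, and re-issues it for the original SP. All entity IDs and endpoints are assumed values, and the ADFS side is a stand-in that returns an unsigned Response. XML-DSig is deliberately left out: a real proxy must verify the ADFS signature before it touches the Response and must sign what it re-issues, which is exactly what the commercial stack gives you.

```python
# Pass-through SAML-P proxy model: SP <--> proxy <--> ADFS (added example).
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SID_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"

# Assumed identifiers for the illustration (not from the post).
PROXY_ENTITY_ID = "https://proxy.example.test/saml"
PROXY_ACS = "https://proxy.example.test/saml/acs"
ADFS_ENTITY_ID = "http://adfs.example.test/adfs/services/trust"
ADFS_SSO = "https://adfs.example.test/adfs/ls/"


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def _new_id():
    return "_" + uuid.uuid4().hex  # xs:ID may not start with a digit


class SamlProxy:
    def __init__(self, keep_attributes, rename=None):
        self.keep = set(keep_attributes)  # attribute allow-list for the SP
        self.rename = rename or {}        # claim-type renames applied downstream
        self.pending = {}                 # proxy request ID -> original SP context

    # Upstream leg: SP -> proxy -> ADFS. ADFS only ever sees the proxy as RP.
    def rewrite_authn_request(self, sp_request_xml):
        root = ET.fromstring(sp_request_xml)
        if root.tag != _q(SAMLP, "AuthnRequest"):
            raise ValueError("not an AuthnRequest")
        issuer = root.find(_q(SAML, "Issuer"))
        proxy_id = _new_id()
        self.pending[proxy_id] = {  # remembered so the Response can be mapped back
            "sp_request_id": root.get("ID"),
            "sp_entity_id": issuer.text,
            "sp_acs": root.get("AssertionConsumerServiceURL"),
        }
        root.set("ID", proxy_id)
        root.set("IssueInstant", datetime.now(timezone.utc).isoformat(timespec="seconds"))
        root.set("Destination", ADFS_SSO)
        root.set("AssertionConsumerServiceURL", PROXY_ACS)
        issuer.text = PROXY_ENTITY_ID
        return ET.tostring(root, encoding="unicode")

    # Downstream leg: ADFS -> proxy -> SP. Validate first, then alter, then re-issue.
    def rewrite_response(self, adfs_response_xml):
        root = ET.fromstring(adfs_response_xml)
        ctx = self.pending.pop(root.get("InResponseTo"), None)
        if ctx is None:
            raise ValueError("unsolicited or replayed Response")  # one use per request ID
        if root.find(_q(SAML, "Issuer")).text != ADFS_ENTITY_ID:
            raise ValueError("Response not issued by the expected ADFS")
        if root.get("Destination") != PROXY_ACS:
            raise ValueError("Response was not addressed to this proxy")
        status = root.find(_q(SAMLP, "Status") + "/" + _q(SAMLP, "StatusCode"))
        if status.get("Value") != SUCCESS:
            raise ValueError("ADFS reported failure")
        assertion = root.find(_q(SAML, "Assertion"))
        audience = assertion.find(".//" + _q(SAML, "Audience"))
        if audience.text != PROXY_ENTITY_ID:
            raise ValueError("assertion was not issued for this proxy")
        # Alter the claims: drop anything not on the allow-list, rename the rest.
        stmt = assertion.find(_q(SAML, "AttributeStatement"))
        for attr in list(stmt):
            if attr.get("Name") not in self.keep:
                stmt.remove(attr)
            elif attr.get("Name") in self.rename:
                attr.set("Name", self.rename[attr.get("Name")])
        # Re-issue for the original SP with the proxy as issuer.
        root.set("ID", _new_id())
        root.set("InResponseTo", ctx["sp_request_id"])
        root.set("Destination", ctx["sp_acs"])
        root.find(_q(SAML, "Issuer")).text = PROXY_ENTITY_ID
        assertion.set("ID", _new_id())
        assertion.find(_q(SAML, "Issuer")).text = PROXY_ENTITY_ID
        audience.text = ctx["sp_entity_id"]
        return ET.tostring(root, encoding="unicode")


def summarize(response_xml):
    """Flatten the fields of a Response that a test or an audit log would want."""
    root = ET.fromstring(response_xml)
    a = root.find(_q(SAML, "Assertion"))
    return {"issuer": root.find(_q(SAML, "Issuer")).text,
            "in_response_to": root.get("InResponseTo"),
            "destination": root.get("Destination"),
            "audience": a.find(".//" + _q(SAML, "Audience")).text,
            "attributes": {x.get("Name"): x.find(_q(SAML, "AttributeValue")).text
                           for x in a.find(_q(SAML, "AttributeStatement"))}}


# Constructed sample AuthnRequest from the SP (not a real capture).
SP_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_sp1" Version="2.0" '
              'IssueInstant="2015-10-21T10:00:00Z" AssertionConsumerServiceURL="https://sp.example.test/acs">'
              '<saml:Issuer>https://sp.example.test</saml:Issuer></samlp:AuthnRequest>' % (SAMLP, SAML))


def fake_adfs_response(forwarded_request_xml):
    """Stand-in for ADFS: answers the forwarded request with an unsigned, constructed Response."""
    req_id = ET.fromstring(forwarded_request_xml).get("ID")
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" InResponseTo="%s" '
            'Destination="%s"><saml:Issuer>%s</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
            '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>%s</saml:Issuer>'
            '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
            '<saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
            '<saml:Attribute Name="%s"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>'
            '<saml:Attribute Name="%s"><saml:AttributeValue>S-1-5-21-1-2-3-1001</saml:AttributeValue></saml:Attribute>'
            '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
            % (SAMLP, SAML, req_id, PROXY_ACS, ADFS_ENTITY_ID, SUCCESS, ADFS_ENTITY_ID,
               PROXY_ENTITY_ID, EMAIL_CLAIM, SID_CLAIM))


def run_flow():
    """Full round trip: the SP sees only the e-mail claim, renamed, issued by the proxy."""
    proxy = SamlProxy(keep_attributes={EMAIL_CLAIM}, rename={EMAIL_CLAIM: "email"})
    upstream = proxy.rewrite_authn_request(SP_REQUEST)
    downstream = proxy.rewrite_response(fake_adfs_response(upstream))
    return summarize(downstream)


if __name__ == "__main__":
    print(run_flow())
```

The two places where the post says you "capture and alter" are `rewrite_authn_request` and `rewrite_response`. The checks in the downstream leg are the part a proxy author tends to forget: because ADFS issues the assertion to the proxy, the proxy is the one that must verify issuer, audience, destination and the one-time `InResponseTo` mapping before it rewrites anything, and the SP must be configured to trust the proxy's signing certificate rather than the ADFS one.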

Enjoy!
