
4/14/2014

Home Realm Discovery In WIF And ADFS 2.0 By Query String jon torresdal

Home Realm Discovery In WIF And ADFS 2.0 By Query String


19. April 2010

Update 2011-09-29: For a recent project at work I actually had to look at my own blog post to see how I solved this, and it turned out to be wrong (I guess I didn't use the RTW at the time, because I do remember it was working back then).

You don't actually need any of the stuff in the HomeRealmDiscovery class, so just delete whatever is in there (just leave the class definition). For your aspx file, the only thing you need is the div with your message, and that should be all. If you're using ASP.NET in your RP, the event in global.asax.cs doesn't actually have to be hooked up in Application_Start either. Just leave the RedirectingTo method in there and ASP.NET will pick that up based on module convention (since the WSFederationAuthenticationModule is registered in your application, by convention ASP.NET looks in global.asax for WSFederationAuthenticationModule_[eventName]).

When working with passive federation you quickly run into Home Realm Discovery (HRD) (I couldn't help noticing that the short name became HRD, which reads HARD :-) ). Anyways, HRD is about which identity provider (IP-STS) should authenticate the user and how to properly redirect the user to their home IP-STS. One example where HRD comes into play is when an organization has multiple partners that authenticate using their own internal STS. An example of that is illustrated in Figure 1 below:


Figure 1

The Default Behavior

Using ADFS 2.0 as RP-STS you will by default be presented with this screen when you have trusts to one or more IP-STSs:


Figure 2

Home Realm Query String

You probably do not want to reveal all of your federated partners like this. A better solution is to add a query string to the application URL where you specify the home realm, like this:

https://someWebApp/?whr=[Home Realm URI]

If the home realm (IP-STS) is ADFS 2.0, and using the URLs from Figure 1 above, the URL would be:

https://rp.mydomain.com/?whr=https://ip-sts.partner1domain.com/adfs/services/trust

Let WIF Know About WHR

In order for your RP-STS to receive the whr parameter and automatically redirect the user to his home realm, you need to plug into the WIF pipeline of your application. You can do this very easily by editing your Global.asax.cs and listening to the RedirectingToIdentityProvider


event like this:

using Microsoft.IdentityModel.Web;
...

protected void Application_Start(object sender, EventArgs e)
{
    // Subscribe to the WIF event that fires just before the user is redirected to the STS.
    // (See the 2011-09-29 update above: with the handler named by module convention,
    // ASP.NET wires this up itself and the explicit subscription is not needed.)
    FederatedAuthentication.WSFederationAuthenticationModule.RedirectingToIdentityProvider +=
        new EventHandler<RedirectingToIdentityProviderEventArgs>(WSFederationAuthenticationModule_RedirectingToIdentityProvider);
}

void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
{
    // Copy the whr query-string value into the WS-Federation sign-in request so the
    // RP-STS can send the user straight to that home realm.
    e.SignInRequestMessage.HomeRealm = Request["whr"];
}

Remove The Manual Home Realm Selection From ADFS

The next thing you probably want to do is prevent the RP-STS from displaying its home realm selection page. I didn't find clear guidance on how to do this, but I found a solution that works. In the ADFS web folder of the RP-STS (C:\inetpub\adfs\ls\) you can edit HomeRealmDiscovery.aspx and HomeRealmDiscovery.aspx.cs to display a message to the user and remove the dropdown for selecting the home realm. In HomeRealmDiscovery.aspx I removed the <div class="GroupXXLargeMargin"> section and changed the message "The site that you are accessing" to something more informative. In HomeRealmDiscovery.aspx.cs I commented out everything related to the PassiveIdentityProvidersDropDownList control.



<%@ Page Language="C#" MasterPageFile="~/MasterPages/MasterPage.master" AutoEventWireup="true" CodeFile="HomeRealmDiscovery.aspx.cs"
    ValidateRequest="false" Inherits="HomeRealmDiscovery" Title="Sign In" %>
<%@ Register TagPrefix="adfs" Namespace="Microsoft.IdentityServer.Web.UI" assembly="Microsoft.IdentityServer" %>
<%@ OutputCache Location="None" %>
<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
    <script type="text/javascript" src="FederationPassiveJScript.js"></script>
    <div class="GroupXLargeMargin">
        The site that you are accessing requires Home Realm Discovery to sign in. Please contact your system administrator for further details.
    </div>
    <asp:Panel ID="CardSignInPanel" Visible="False" runat="server" CssClass="GroupXXLargeMargin">
        Or, <a href="#" onclick="InfocardLink_onclick()">sign in</a> with an Information Card.
        <adfs:InformationCardControl ID="InformationCard" runat="server"></adfs:InformationCardControl>
        <script>AddOnload(LoadCardPanel);</script>
    </asp:Panel>
</asp:Content>

HomeRealmDiscovery.aspx
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation.  All rights reserved.
//------------------------------------------------------------

using System;
using Microsoft.IdentityServer.Web.Configuration;
using Microsoft.IdentityServer.Web.UI;

/// <summary>
/// This page enables home realm discovery if this STS is configured to trust multiple claims providers.
/// If the persistIdentityProviderInformation setting is enabled and the user has previously
/// selected a claims provider, that claims provider will be used automatically.
/// </summary>
public partial class HomeRealmDiscovery : Microsoft.IdentityServer.Web.UI.HomeRealmDiscoveryPage
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Drop-down binding commented out so the list of claims providers is never rendered.
        //PassiveIdentityProvidersDropDownList.DataSource = base.ClaimsProviders;
        //PassiveIdentityProvidersDropDownList.DataBind();

        if (IsIssuedTokenViaSelectorEnabled())
        {
            InformationCard.TokenSubmitted += TokenSubmitted;
            CardSignInPanel.Visible = true;
        }
    }

    private bool IsIssuedTokenViaSelectorEnabled()
    {
        foreach (AuthenticationTypeElement authenticationType in FederationPassiveConfigurationSection.Current.AuthenticationTypes)
        {
            if (authenticationType.Name == "IssuedTokenViaSelector")
            {
                return true;
            }
        }

        return false;
    }

    protected void TokenSubmitted(object sender, InformationCardControl.TokenSubmittedEventArgs e)
    {
        SignIn(e.Token);
    }

    // Sign-in button handler commented out together with the drop-down it reads from.
    //protected void PassiveSignInButton_Click(object sender, EventArgs e)
    //{
    //    SelectHomeRealm(PassiveIdentityProvidersDropDownList.SelectedItem.Value);
    //}
}

HomeRealmDiscovery.aspx.cs

You then get a page like this if no whr is provided:

Anything I can do about that URL?

If you don't want your users to relate to the rather cryptic URL needed to support HRD, there are several ways to make it a bit more user friendly. I will give a few suggestions here, but there are probably other (and maybe better) solutions than I can come up with right now.

- Provide a shortcut on your users' desktop or similar and have them use this to access the application.
- Detect by IP range and redirect to the proper IP-STS.
- Provide a nice URL redirect either from the Relying Party (application) or IIS. E.g. https://someWebApp/YourCompany/ redirects to https://rp.mydomain.com/?whr=https://sts.yourCompany.lan/adfs/services/trust

One thing to note if you have the default settings in the web.config file for your RP-STS, specifically the persistIdentityProviderInformation setting set to true, is that when a user has been redirected correctly to his/her home realm the RP-STS will issue a cookie to the user which contains the user's home realm. If the user at a later time accesses the application from its root URL, he will be automatically redirected to his home realm. This is however only true as long as the cookie has not expired and the user uses the same computer as he did when the cookie was issued. Because of this I prefer sticking to one of the solutions above and not rely on the users having this cookie.
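As an added example, not the blog's own code, here is a Global.asax.cs for the RP that combines the convention-named handler from the update with the friendly-URL shortcut from the list above, but only forwards a whr value that appears on a configured allow-list of trusted realms (the handler in the post forwards the raw query-string value). The partner names and realm URIs are constructed, and the shortcut assumes the IIS integrated pipeline so that a request for /YourCompany/ reaches Application_BeginRequest.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using Microsoft.IdentityModel.Web;

// Global.asax.cs of the relying party (added example; partner names and realm URIs are constructed).
public class Global : HttpApplication
{
    // Allow-list of IP-STS realms this RP actually federates with, keyed by a friendly name
    // (in a real deployment, load this from configuration rather than a literal).
    private static readonly Dictionary<string, string> TrustedRealms =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Partner1",    "https://ip-sts.partner1domain.com/adfs/services/trust" },
            { "YourCompany", "https://sts.yourCompany.lan/adfs/services/trust" },
        };
    // Returns the realm to forward, or null when whr is missing or not on the allow-list.
    public static string ResolveHomeRealm(string whr)
    {
        if (string.IsNullOrEmpty(whr)) return null;
        foreach (string realm in TrustedRealms.Values)
        {
            if (string.Equals(realm, whr, StringComparison.Ordinal)) return realm;
        }
        return null;
    }

    // ASP.NET wires this up by module naming convention (see the 2011 update above),
    // so no explicit subscription in Application_Start is needed.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        string realm = ResolveHomeRealm(Request.QueryString["whr"]);
        if (realm != null)
        {
            e.SignInRequestMessage.HomeRealm = realm;
        }
        // Otherwise HomeRealm stays unset and the RP-STS applies its own HRD handling.
    }
    // Friendly shortcut: https://rp.mydomain.com/YourCompany/ redirects to https://rp.mydomain.com/?whr=<realm>
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string key = Request.AppRelativeCurrentExecutionFilePath.Trim('~', '/');
        string realm;
        if (key.Length > 0 && TrustedRealms.TryGetValue(key, out realm))
        {
            Response.Redirect(VirtualPathUtility.ToAbsolute("~/") + "?whr=" + HttpUtility.UrlEncode(realm), true);
        }
    }
}
```

ADFS itself rejects a realm it has no claims provider trust for, but checking on the RP side keeps the sign-in request from ever carrying a value that did not come from your own configuration.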

2 Comments


Jeremy (Jun 29):

The RedirectingToIdentityProvider event handler needs to be hooked up in an override of HttpApplication.Init(), not in Application_Start. The HttpModule that the event is fired from has not necessarily been loaded when Application_Start fires (it seems to never be in Cassini).

maccarvind (Nov 4):

Thanks Jon,

This post was really useful and solved most of my problems during integration. Except the below one.

I have the below setup:
- WIF RP which points to RP-STS
- RP-STS (Hybrid model ADFS 2.0 with AD account store)
- IP-STS (ADFS 2.0)

From your example I can make my application directly point to IP-STS server for authentication, bypassing / suppressing RP-STS's HRD page using the whr querystring. My requirement is to point to RP-STS account store using whr querystring (without making any change to the ADFS 2.0 code).
- How to find the identifier for RP-STS account store?
- I have tried urn:federation:self but it isn't working.

Thanks in advance.
