30 June 2014

WebAPI and ADFS as external login provider

Setting up ADFS

For these steps, I presume that you are running ADFS 3 on Windows Server 2012 R2 and that it has been already installed and configured.

Setting up the Relying Party Trust

  1. Open ADFS Managememt
  2. Expand ‘Trust Relationships’ and click on ‘Relying Party Trusts’.


  1. Click on ‘Add Relying Party Trust’ in the right hand panel.


  1. Click ‘Start’ and on the next page select ‘Enter data about the relying party manually’ before clicking ‘Next’.
  2. Enter a display name for the relying party (e.g. the name of the application) and click ‘Next’.
  3. Ensure the ‘AD FS profile’ is selected and click ‘Next’.
  4. Ignore the optional token encryption certificate, and click ‘Next’.
  5. On the next page check the box for WS-Federation, and enter your WS-Federation endpoint. Click ‘Next’.


  1. Add your identifier for the relying party. This is usually the web address for the application (e.g. https://app.example.com). Click ‘Next’.
  2. Ensure ‘I do not want to configure multi-factor authentication’ is selected and click ‘Next’.
  3. Ensure ‘Permit all users to access this relying party’ is checked and click ‘Next’.
  4. On the next page, click ‘Next’, followed by ‘Close’ on the next step.

Adding claims

  1. Right click on the relying party in the trusts dialog, and click ‘Edit claim rules’.


  1. Click on ‘Add rule’, and ensure trhat ‘Send LDAP Attributes as Claims’ is selected in the drop down. Click ‘Next’.
  2. Add a name for the rule, for example ‘Email address’ and select ‘Active Directory’ as the attribute store.
  3. In the mapping panel, select ‘Email Addresses’ from the LDAP Attribute selector, and ‘Email Address’ in the claim type.


  1. Click ‘Finish’.
  2. Repeat steps 13 to 17 for each claim type you would like to send to the relying party (e.g. Given name and Surname).
  3. Close the relying party dialog by clicking ‘OK’.

N.B. For WebAPI to work out of the box, you will need to add a ‘Name ID’ claim type for the user. For example:


Adding ADFS as a authentication provider in Web API

  1. Open your Startup.Auth.cs file and add the following:

     // Add ADFS to our list
     var adfsOptions = new WsFederationAuthenticationOptions()
         Wtrealm = "{application-uri}",
         MetadataAddress = "https://{adfs-server-uri}/federationmetadata/2007-06/federationmetadata.xml",
         Caption = "ADFS for Darb.io",
         AuthenticationType = "DARBIO.Federation",
         AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive

Linking up to Web API external login


← Back