Most people who have attended one of my sessions know I love to show off the power of claims using the ClaimsApp. This web app is not very fancy, but it does a heck of a job just by displaying, in a table, all the claim types possible, or configured for the Relying Party Trust (RPT) in Active Directory Federation Services (AD FS).
I’ve explained how to set this up over at 4Sysops.com.
About the ClaimsApp
The ClaimsApp is barely more than the PassiveRedirectBasedClaimsAwareWebApp example from the .NET Framework 3.5 Windows Identity Foundation (WIF) Software Development Kit (SDK), configured for authentication from your Security Token Service (STS), based on Active Directory Federation Services (AD FS).
I intentionally change nothing in this app, nor do I make it available in any other way than to download the official Microsoft bits, so the entire process is as clear as can be. Of course, you can customize the app as much as you want to.
Requirements for the ClaimsApp
You’ll need the following items to create your own ClaimsApp:
- A Windows Server 2012 R2 installation with an Internet connection, reachable from the Internet on TCP port 443.
- The .NET Framework 3.5 Windows Identity Foundation (WIF) SDK
- The SXS folder from the Windows Server 2012 R2 DVD
- A valid TLS certificate for Server Authentication and Client Authentication for your ClaimsApp URI, for instance www.domain.tld. The built-in WebServer certificate template will suffice. The certificate is added to the Personal store of the Web Server hosting the ClaimsApp, with the private key, any required trusted root certification authorities and any required intermediate certification authorities.
- An Azure Active Directory Premium (P1) subscription, or up.
Setting up the ClaimsApp
The following steps will help set up the ClaimsApp:
Setup the Web Server
- On a Windows Server 2012 R2-based server installation, while logged on with an account with Administrator privileges, go to Server Manager.
- In the top grey pane, click Manage and then select Add Roles and Features from the context menu.
- Click Next > on the Before You Begin page of the Add Roles and Features Wizard.
- Click Next > on the Select Installation Type page to accept the Role-based or feature-based installation option.
- Click Next > on the Select Destination Server page.
- On the Select Server Roles page, select Web Server. Click Add Features, then click Next >.
- On the Select Features page, select Windows Identity Foundation 3.5. Click Next > twice.
- Scroll down. Expand Application Development and select ASP.NET 3.5. Click Add Features, then click Next >.
- Before you click Install, follow the Specify Alternate Source Path link. Specify the path to the Windows Server 2012 R2 SXS folder.
- After installation, click Close on the Installation Progress page.
Configure the Web Server
- From Server Manager, in the grey top bar, select Tools and then click Internet Information Services (IIS) Manager.
- In the left pane, click the server’s name to expand it.
- Click Cancel in the pop-up window that asks if you want to get started with Microsoft Web Platform to stay connected with the latest Web Platform Components.
- In the left pane, also expand Sites, and then select the Default Web Site.
- In the right Actions pane, follow the Bindings… hyperlink.
- Add… a binding.
- In the Add Site Binding window, select https as the Type.
- Select the www.domain.tld TLS certificate, replacing domain.tld with your domain information.
- Click OK.
- Click Close to close the Site Bindings window.
- In the left pane, select Application Pools.
- On the main window, select the DefaultAppPool.
- In the right pane, click the Basic Settings… hyperlink.
- Select .NET CLR Version v2.0… as the .NET CLR version. Click OK.
- In the right pane, click the Advanced Settings… hyperlink.
- On the Advanced Settings window, scroll down a tad.
- Change the value for Load User Profile from False to True.
- Click OK to close the Advanced Settings window.
- In the left pane, right-click Default Web Site and select Add Application… from the context menu.
- Specify ClaimsApp as the Alias and C:\Inetpub\wwwroot\ClaimsApp as the Physical path.
- Click OK when done.
- Close the IIS Manager.
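The same two sections, Setup the Web Server and Configure the Web Server, scripted in PowerShell. This is an added example, not part of the original post; it assumes the Windows Server 2012 R2 SXS folder is at D:\sources\sxs (the mounted DVD) and that the www.domain.tld certificate with its private key is already in the machine's Personal store. It also checks the certificate for the Server Authentication EKU before binding it, which the GUI steps do not do for you.

```powershell
# Added example (not from the original post). Assumptions: SXS folder at D:\sources\sxs,
# certificate for www.domain.tld already in Cert:\LocalMachine\My with its private key.
$Fqdn        = 'www.domain.tld'              # replace with your ClaimsApp host name
$SxsPath     = 'D:\sources\sxs'              # SXS folder from the 2012 R2 DVD (assumed path)
$AppPath     = 'C:\Inetpub\wwwroot\ClaimsApp'
$SiteName    = 'Default Web Site'
$AppPoolName = 'DefaultAppPool'

# 1. Roles and features: Web Server, ASP.NET 3.5 and Windows Identity Foundation 3.5.
#    Web-Asp-Net pulls in .NET Framework 3.5, which is why the SXS source is required.
Import-Module ServerManager
Install-WindowsFeature -Name Web-Server, Web-Asp-Net, Windows-Identity-Foundation `
    -IncludeManagementTools -Source $SxsPath

Import-Module WebAdministration

# 2. Newest certificate for the host name that has a private key; refuse one
#    without the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$Fqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $Fqdn" }
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })) {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU"
}

# 3. HTTPS binding on the Default Web Site, tied to that certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item -Path $sslBinding -Value $cert | Out-Null

# 4. Application pool: .NET CLR v2.0 (ASP.NET 3.5 runs on it) and Load User Profile = True.
Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name managedRuntimeVersion -Value 'v2.0'
Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel.loadUserProfile -Value $true

# 5. The ClaimsApp application under the Default Web Site.
New-Item -ItemType Directory -Path $AppPath -Force | Out-Null
if (-not (Get-WebApplication -Site $SiteName -Name 'ClaimsApp')) {
    New-WebApplication -Name 'ClaimsApp' -Site $SiteName -PhysicalPath $AppPath `
        -ApplicationPool $AppPoolName | Out-Null
}

# Show what was configured.
Get-WebBinding -Name $SiteName
Get-Item "IIS:\AppPools\$AppPoolName" |
    Select-Object name, managedRuntimeVersion, @{ n = 'loadUserProfile'; e = { $_.processModel.loadUserProfile } }
```

Run it in an elevated PowerShell session on the server. The EKU check matters because a certificate issued from a template without Server Authentication will bind fine in IIS but fail TLS negotiation with browsers and with FedUtil's metadata test.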
Install the Windows Identity Foundation SDK
- Run WindowsIdentityFoundation-SDK-3.5.msi.
- Select I accept the terms in the License Agreement and click Next two times.
- Click Install.
- Upon installation completion, deselect Open Readme and click Finish.
Create the ClaimsApp
- Copy the contents of the PassiveRedirectBasedClaimsAwareWebApp folder from C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\Samples\Quick Start\Web Application to C:\Inetpub\wwwroot\ClaimsApp.
- In this newly created folder, open default.aspx.cs with the built-in Windows text editor (notepad.exe).
- Use Ctrl + F to search for instances of ExpectedClaims. Comment out the second instance, including the brackets on the line under it and the three lines under the instance.
- Save the changes by pressing Ctrl and S simultaneously.
- Use Ctrl + O to open another file in the same folder: Web.Config.
- Use Ctrl + F, but this time use it to search for Microsoft.IdentityModel. You’ll find it somewhere five-sixths of the way through.
- Delete the section.
- Use Ctrl + S to save these changes.
- Use Alt + F4 to close Notepad.
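The SDK installation and the copy-and-strip steps of Create the ClaimsApp, scripted. This is an added example and not code from the original post. It assumes the SDK installer was downloaded to C:\Temp and that the sample's Web.config carries a <microsoft.identityModel> element (the section the steps above delete by hand); the element is matched case-insensitively, the way Notepad's search finds it. Commenting out the second ExpectedClaims block in default.aspx.cs stays a manual edit.

```powershell
# Added example (not from the original post). Assumptions: installer at C:\Temp,
# sample Web.config contains a <microsoft.identityModel> element to remove.
$MsiPath    = 'C:\Temp\WindowsIdentityFoundation-SDK-3.5.msi'   # assumed download location
$SamplePath = 'C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\Samples\Quick Start\Web Application\PassiveRedirectBasedClaimsAwareWebApp'
$AppPath    = 'C:\Inetpub\wwwroot\ClaimsApp'

# 1. Silent SDK install; msiexec returns 0 on success, 3010 when a reboot is pending.
$p = Start-Process msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn /norestart" -Wait -PassThru
if ($p.ExitCode -notin 0, 3010) { throw "SDK install failed with exit code $($p.ExitCode)" }

# 2. Copy the sample into the IIS application folder.
if (-not (Test-Path $SamplePath)) { throw "Sample folder not found: $SamplePath" }
New-Item -ItemType Directory -Path $AppPath -Force | Out-Null
Copy-Item -Path (Join-Path $SamplePath '*') -Destination $AppPath -Recurse -Force

# 3. Remove the sample's pre-configured WIF section so FedUtil.exe writes a fresh one.
#    Returns $true when an element was removed, $false when there was none.
function Remove-IdentityModelSection {
    param([Parameter(Mandatory)][string]$WebConfigPath)
    Copy-Item $WebConfigPath "$WebConfigPath.bak" -Force           # keep a backup first
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $section = @($cfg.configuration.ChildNodes |
        Where-Object { $_.NodeType -eq 'Element' -and $_.Name -ieq 'microsoft.identityModel' })
    if ($section.Count -eq 0) { return $false }
    foreach ($node in $section) { [void]$cfg.configuration.RemoveChild($node) }
    $cfg.Save($WebConfigPath)
    return $true
}

$webConfig = Join-Path $AppPath 'Web.config'
if (Remove-IdentityModelSection -WebConfigPath $webConfig) {
    Write-Host "Removed <microsoft.identityModel> from $webConfig (backup: $webConfig.bak)"
} else {
    Write-Host "No <microsoft.identityModel> element found in $webConfig; nothing to remove"
}
```

The backup copy is there so you can diff the FedUtil-generated section against the sample's original one afterwards; the audience URI, issuer and trusted-issuer thumbprint are the parts that change.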
Now, normally, the next step would be to use FedUtil.exe to create a new Web.Config for the ClaimsApp, based on the information of an on-premises Active Directory Federation Services (AD FS) implementation. But this time we’re integrating the app with Azure Active Directory instead of Active Directory Federation Services (AD FS).
Integrating the ClaimsApp with Azure AD
Discussing with Raymond last night, we found a really easy way to add a little magic to our ClaimsApp, using the same trusted FedUtil.exe.
Perform these steps in the Azure Portal:
- Navigate to the Azure Portal.
- Log in.
- Navigate to Azure Active Directory in the left navigation pane.
- In Azure Active Directory, click Enterprise Applications.
- Click All Applications.
- In Enterprise applications – All applications, click Add.
- In Add an application, click the Non-gallery application tile.
- In Add your own applicat…, type a name for the application, like ClaimsApp and click Add.
- In the list for the new application, click Single Sign-on.
- Select SAML-based Sign-on as the mode, using the drop-down menu. New options will appear underneath the mode field.
- Define IDENTIFIER and REPLY URL. Use https://www.domain.tld/claimsapp/ for both values. Replace domain.tld with your domain information. Don’t forget to add the trailing slash.
- When done, scroll up and click Save in the top ribbon.
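The application registration from the portal steps above, done with the AzureAD PowerShell module instead. This is an added example, not part of the original post. It assumes the AzureAD module is installed and you sign in with an account allowed to create applications; the tag WindowsAzureActiveDirectoryCustomSingleSignOnApplication is assumed to be the one the portal puts on non-gallery single sign-on applications. Selecting SAML-based Sign-on as the mode remains a portal step. The script also enforces the trailing slash the post insists on, and prints what Azure AD will accept as wtrealm (the identifier) and wreply (the reply URL) in a WS-Federation sign-in.

```powershell
# Added example (not from the original post). Assumptions: AzureAD module installed,
# tag name for non-gallery SSO apps as noted in the lead-in.
$AppUri = 'https://www.domain.tld/claimsapp/'   # IDENTIFIER and REPLY URL; replace domain.tld

function Assert-TrailingSlash {
    param([Parameter(Mandatory)][string]$Uri)
    # Azure AD compares the identifier and reply URL as strings; a missing slash is a mismatch.
    if (-not $Uri.EndsWith('/')) { throw "Identifier/reply URL must end with '/': $Uri" }
}
Assert-TrailingSlash $AppUri

Connect-AzureAD | Out-Null

# Application object: identifier (wtrealm) and reply URL (wreply) both set to the app URI.
$app = Get-AzureADApplication -Filter "displayName eq 'ClaimsApp'"
if (-not $app) {
    $app = New-AzureADApplication -DisplayName 'ClaimsApp' `
        -IdentifierUris @($AppUri) -ReplyUrls @($AppUri) -Homepage $AppUri
}

# Service principal (what shows up under Enterprise applications).
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $app.AppId `
        -Tags @('WindowsAzureActiveDirectoryCustomSingleSignOnApplication')   # assumed tag
}

# Verify the values the STS will check during sign-in.
[pscustomobject]@{
    AppId            = $app.AppId
    IdentifierUris   = ($app.IdentifierUris -join ', ')
    ReplyUrls        = ($app.ReplyUrls -join ', ')
    ServicePrincipal = $sp.ObjectId
}
```

Keep the reply URL list tight: every entry is a location Azure AD will post a signed token to, so stale or wildcard-like entries widen where tokens for this app can end up.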
Next, perform these steps:
- Navigate to C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5
- Double-click fedutil.exe to run the Federation Utility Wizard.
- For the Application configuration location, browse to the web.config file in C:\Inetpub\wwwroot\ClaimsApp. For the Application URI, specify https://www.domain.tld/claimsapp/. Replace domain.tld with your domain information. Click Next > when done.
- On the Security Token Service window, select Use an existing STS. Use https://login.microsoftonline.com/domain.tld/federationmetadata/2007-06/federationmetadata.xml as the STS WS-Federation metadata document location. Replace domain.tld with your domain information.
- Click Test location… If Internet Explorer opens and shows the raw XML of the metadata document, the location works.
- Close Internet Explorer.
- Click Next > four times.
- On the Summary screen, select the option to Schedule a task to perform daily WS-Federation metadata updates. Click Finish.
- Click OK when the Federation Utility Wizard is done configuring.
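Instead of eyeballing the raw XML that Test location… opens, the following added example (not part of the original post) fetches the same WS-Federation metadata document FedUtil.exe consumes and pulls out the fields the trust depends on: the issuer's entityID, the passive sign-in endpoint and the token-signing certificates. It then compares those certificate thumbprints with the trusted issuers FedUtil wrote into Web.config. It assumes domain.tld is your tenant domain and that Web.config has the <microsoft.identityModel>/<service>/<issuerNameRegistry>/<trustedIssuers> structure FedUtil 3.5 generates.

```powershell
# Added example (not from the original post). Assumptions: tenant domain below,
# Web.config structure as generated by FedUtil 3.5 (issuerNameRegistry/trustedIssuers).
$TenantDomain  = 'domain.tld'                 # replace with your tenant domain
$MetadataUrl   = "https://login.microsoftonline.com/$TenantDomain/federationmetadata/2007-06/federationmetadata.xml"
$WebConfigPath = 'C:\Inetpub\wwwroot\ClaimsApp\Web.config'

function Get-FederationMetadataSummary {
    param([Parameter(Mandatory)][string]$Url)
    [xml]$md = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')
    $ns.AddNamespace('wsa', 'http://www.w3.org/2005/08/addressing')
    $ns.AddNamespace('ds',  'http://www.w3.org/2000/09/xmldsig#')

    # Where browsers get redirected for a WS-Federation sign-in.
    $passive = $md.SelectSingleNode('//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address', $ns)

    # Token-signing certificates (Azure AD publishes the current and the upcoming one).
    $certs = $md.SelectNodes('//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns) |
        ForEach-Object {
            $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        } | Sort-Object Thumbprint -Unique

    [pscustomobject]@{
        EntityId        = $md.DocumentElement.GetAttribute('entityID')
        PassiveEndpoint = if ($passive) { $passive.InnerText } else { $null }
        SigningCerts    = @($certs | ForEach-Object { "$($_.Thumbprint) (expires $($_.NotAfter.ToString('u')))" })
        Thumbprints     = @($certs | ForEach-Object Thumbprint)
    }
}

function Get-TrustedIssuerThumbprints {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$cfg = Get-Content -Path $Path -Raw
    @($cfg.configuration.'microsoft.identityModel'.service.issuerNameRegistry.trustedIssuers.add |
        ForEach-Object { $_.thumbprint.ToUpperInvariant() })
}

$summary = Get-FederationMetadataSummary -Url $MetadataUrl
$summary | Format-List

# Every signing certificate in the metadata must be a trusted issuer in Web.config;
# otherwise sign-ins break as soon as Azure AD rolls to the next signing key, which is
# exactly what the daily metadata update task selected in the wizard guards against.
$trusted = Get-TrustedIssuerThumbprints -Path $WebConfigPath
$missing = @($summary.Thumbprints | Where-Object { $_ -notin $trusted })
if ($missing.Count -gt 0) {
    Write-Warning "Signing certificate(s) not trusted in Web.config: $($missing -join ', ')"
} else {
    Write-Host "All $($summary.Thumbprints.Count) metadata signing certificate(s) are trusted issuers."
}
```

The entityID (https://sts.windows.net/<tenant-id>/) is the issuer name that will appear in every token the ClaimsApp receives, so it is worth noting down before you start reading the claims table.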
You can now access the ClaimsApp using Azure Active Directory credentials. The ClaimsApp displays the claim types passed through by Azure Active Directory.