Server.v3 and ADFS

[gri4]

Hello,
Would you tell me if there are kind of guidelines/samples related to connection Server.v3 to ADFS?
I need to perform username/password authentication against ADFS. Something like http://brockallen.com/2013/04/14/getting-json-web-tokens-jwts-from-adfs-via-thinktecture-identityservers-adfs-integration/ (topic 3) and "Thinktecture.IdentityServer.v2/samples/AdfsIntegrationFullSample" would be very useful.
I have reviewed SelfHost (InMem with WS-Fed) sample, but there is no info how to configure Identity server in order to interact with ADFS instance.
Thank you.

[leastprivilege]

We only support ADFS as an identity provider - via the browser login window. Is that what you want? Or are you looking for a programmatic way to authenticate the user?

If yes - we don't support that out of the box anymore - but can be implemented using a custom grant. The samples repo has a basic example of custom grant implementation.

[gri4]

Yes, looking for a programmatic way to authenticate the user. Will review custom grant sample, thanks.

[gri4]

So, according to the "CustomGrants (more customization)" sample i can extend CustomUserService.AuthenticateLocalAsync the way that it will authenticate against an adfs instance.
Authentication itself can be done as here: http://leastprivilege.com/2010/04/14/using-an-active-endpoint-to-sign-into-a-web-application/
Is it correct?

[brockallen]

If you want the uid/pwd on the IdentityServer login page to be used against AD, then yes -- you would implement a custom user service. You'd then use whatever you want to contact AD (or ADFS) to validate the credentials.

[carl-berg]

I have a similar scenario i would like to implement. I want to provide a OAuth2 Resource Owner Password flow without UI. We have ADFS 3 setup for website user login. Would you suggest using IdentityServer3 or would AuthorizationServer be a better choice in my case?

[brockallen]

IdentityServer3 is recommended over AuthorizationServer

[carl-berg]

So i have heard. However i found it hard finding a way forward in using ADFS programatically to validate users, but i dug around a bit in the AuthorizationServer code and found WsTrustResourceOwnerCredentialValidation which i'm currently using in a custom UserService in IdentityServer and so far, i've been able to successfully Validate username and password and to get claims back.

[brockallen]

You could use something similar within IdSvr. It sounds like your concern is how to contact ADFS -- that'll be the same either from IdSvr or AuthorizationServer.

[carl-berg]

There is something similar to WsTrustResourceOwnerCredentialValidation in IdentityServer3? I've been trying to find something like it but haven't had any success so far...

[brockallen]

No, but you can copy that code over into your implementation.