ADFS and OpenID

The other day, Travis Nielsen wrote an article about how to use ADFS in conjunction with an OpenID provider (OP) to authenticate users accessing a SharePoint 2010 site.  His article is really good and definitely worth reading.  As he says in it, he based his work on Matias Woloski's which is also a must read.  Travis proposes a solution that, if implemented exactly, will include five token services.  Something like this:


I like this stuff a lot, but that's too many STSs if you ask me.  Instead, I would suggest doing away with the protocol transition STS (as Matias called it) and instead customize ADFS's login app to thunk between WS-Federation and OpenID.  Building a proof of concept (PoC) to demonstrate this using Matias' code was short work.  Here's how I did it:

1. I changed IIS, so ADFS would use my own login app rather than the one that it comes with.  I did so by modifying the IIS "ls" application to point to some other directory.  You can also do this by modifying the Windows Internal Database (WID), but I wouldn't recommend that.


2. Then I dumped Matias' code into this directory and modified it a tiny bit. (My code can be found in this ZIP file.)

3. I didn't have SharePoint 2010 set up, so I used one of the passive RPs that come with the WIF SDK as a substitute.  I changed the issuer URI to that of ADFS's passive endpoint (i.e., https://.../adfs/ls). Then, I pulled it up in my browser.  I was redirected to ADFS's new login app.

4. Once there, I entered my OP's endpoint.


5. This redirected me to my OP, and I logged in.


6. I was redirected back to the ADFS login app (passive STS) which thunked the OpenID response to a WS-Federation response.  I was then redirected to the RP (which would be the SharePoint RP-STS in the actual case).  The RP displayed the claims which included the name and ID issued by the OP.
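As an added sketch of the replacement login app that steps 1 through 6 walk through (this is not the code in the ZIP and not Matias' code), assuming WIF 3.5 (Microsoft.IdentityModel) for the passive STS side and DotNetOpenAuth for the OpenID relying-party side; the class names, OP endpoint, issuer name and certificate thumbprint are placeholders. Unlike the PoC, which lets the user type in an OP endpoint, it pins one trusted OP.

```csharp
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Web;
using DotNetOpenAuth.OpenId.RelyingParty;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
public class OpenIdBridgeSts : SecurityTokenService   // hypothetical: signs whatever identity the page hands it
{
    public OpenIdBridgeSts(SecurityTokenServiceConfiguration cfg) : base(cfg) { }
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {   // wtrealm from the WS-Federation request is the AppliesTo; the signed response is posted back there
        var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false;   // PoC only; encrypt to the RP's certificate in production
        scope.ReplyToAddress = scope.AppliesTo;
        return scope;
    }
    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {   return (IClaimsIdentity)principal.Identity; }   // the OpenID-derived claims pass through unchanged
}
public partial class OpenIdLogin : System.Web.UI.Page   // the page IIS now serves for the "ls" application
{
    const string TrustedOp = "https://op.example.invalid/";                                    // placeholder
    const string IssuerName = "https://adfs.example.invalid/adfs/services/trust", SigningCertThumbprint = "PLACEHOLDER_THUMBPRINT";
    protected void Page_Load(object sender, System.EventArgs e)
    {   // ADFS is reached as .../adfs/ls/?wa=wsignin1.0&wtrealm=...&wctx=...; anything else is rejected
        if (!(WSFederationMessage.CreateFromUri(Request.Url) is SignInRequestMessage)) { Response.StatusCode = 400; return; }
        using (var rp = new OpenIdRelyingParty())
        {
            IAuthenticationResponse openId = rp.GetResponse();
            if (openId == null)
            {   // Leg 1: redirect to the OP; the default return_to is this URL, so wa/wtrealm/wctx survive the round trip
                IAuthenticationRequest req = rp.CreateRequest(TrustedOp);
                req.AddExtension(new ClaimsRequest { FullName = DemandLevel.Request, Email = DemandLevel.Request });
                req.RedirectToProvider(); return;
            }
            if (openId.Status != AuthenticationStatus.Authenticated) { Response.StatusCode = 403; return; }
            // Leg 2: DotNetOpenAuth has verified the assertion (signature, nonce, discovery); map it to WIF claims
            ClaimsResponse sreg = openId.GetExtension<ClaimsResponse>();
            var identity = new ClaimsIdentity(new[] {
                new Claim(ClaimTypes.NameIdentifier, openId.ClaimedIdentifier.ToString()),
                new Claim(ClaimTypes.Name, sreg != null && sreg.FullName != null ? sreg.FullName : openId.FriendlyIdentifierForDisplay) }, "OpenID");
            // Leg 3: WIF builds the signed SAML token and POSTs wresult (with wctx echoed) to the RP
            var store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly);
            X509Certificate2 cert = store.Certificates.Find(X509FindType.FindByThumbprint, SigningCertThumbprint, false)[0];
            var sts = new OpenIdBridgeSts(new SecurityTokenServiceConfiguration(IssuerName, new X509SigningCredentials(cert)));
            FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(Request, new ClaimsPrincipal(identity), sts, Response);
        }
    }
}
```

The same URL serves both legs: the first visit carries only the WS-Federation parameters and sends the browser to the OP, the return visit carries those parameters plus the OpenID assertion and ends in the wresult POST to the RP.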

I know what you're thinking.  Surely there's stuff in ADFS's login app that can't just be thrown out like this.  Definitely. This isn't a finished product in any sense.  It's just a demonstration of how you can protect a SharePoint 2010 site using 4 STSs instead of 5.