Authentication using AD FS
The AdfsSecurityManager lets ImageVault authenticate users through an Active Directory Federation Services (AD FS) service, using the WS-Federation passive protocol (the browser is redirected to AD FS to sign in and back again with a token).
This guide describes how to set up the ImageVault UI site as a relying party of an AD FS service.
This security manager does not support user/group lookup. You can type group/user names manually to grant access to those identities, but you cannot browse or pick users and groups from AD, so the names you enter must correspond to the Name ID and Role claim values that AD FS issues (see the claim rules below).
This instruction requires the following:
- A working AD FS service
- An installed ImageVault UI site (either stand alone or as a virtual application below an Episerver site)
- HTTPS on the ImageVault UI site; AD FS requires that a relying party endpoint uses encrypted (HTTPS) traffic
- Traffic arriving over plain HTTP is redirected to the designated HTTPS address (see Redirect HTTP to HTTPS)
Before you begin, prepare the following two values; both are used when configuring AD FS and the ImageVault UI.
Federated metadata URL
The AD FS service publishes metadata about its endpoints and signing certificates. It can be retrieved from a well-known URL of the format below (replace sts.mydomain.com with the host name of your AD FS service).
The ImageVault UI server must be able to fetch this URL anonymously (no authentication, and over a certificate the server trusts).
Application URL
This is the URL of the ImageVault UI application. It must use HTTPS and end with a forward slash (/); AD FS matches the relying party identifier and endpoint against this exact string.
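The two values above are worth validating on the ImageVault UI server before touching AD FS or web.config. The following pre-flight check is an added example and is not part of ImageVault or its documentation. It assumes the AD FS host sts.mydomain.com with its metadata published at the standard AD FS path /FederationMetadata/2007-06/FederationMetadata.xml, and a hypothetical Application URL https://imagevault.mydomain.com/.

```powershell
# Added pre-flight check; example code, not part of ImageVault or its documentation.
# Assumptions: AD FS host sts.mydomain.com (metadata at the standard AD FS path) and
# the hypothetical Application URL https://imagevault.mydomain.com/.
# Run on the ImageVault UI server, because that is the host that must reach the metadata.
function Test-ImageVaultAdfsPrerequisites {
    param(
        [Parameter(Mandatory)][string]$ApplicationUrl,
        [Parameter(Mandatory)][string]$FederationMetadataUrl
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $result = [ordered]@{
        ApplicationUrlOk  = $false
        MetadataReachable = $false
        Issuer            = $null   # entityID from the metadata; AD FS puts it in the token's Issuer
        PassiveEndpoint   = $null   # the /adfs/ls/ URL the browser will be redirected to
        Problems          = $problems
    }

    # 1. The Application URL must be https and end with '/'. AD FS compares the
    #    realm/reply values it receives with the registered endpoint literally.
    $appUri = $null
    if (-not [Uri]::TryCreate($ApplicationUrl, [UriKind]::Absolute, [ref]$appUri)) {
        $problems.Add("Application URL is not an absolute URL: $ApplicationUrl")
    } else {
        if ($appUri.Scheme -ne 'https') { $problems.Add('Application URL must use https') }
        if (-not $ApplicationUrl.EndsWith('/')) { $problems.Add("Application URL must end with '/'") }
        $result.ApplicationUrlOk = ($appUri.Scheme -eq 'https') -and $ApplicationUrl.EndsWith('/')
    }

    # 2. The metadata must be fetchable anonymously from this server. A TLS failure
    #    here (untrusted AD FS certificate) would also break the sign-in later.
    try {
        $response = Invoke-WebRequest -Uri $FederationMetadataUrl -UseBasicParsing -ErrorAction Stop
        $result.MetadataReachable = $true
        [xml]$metadata = $response.Content
        $result.Issuer = $metadata.EntityDescriptor.entityID
        $ns = @{
            fed = 'http://docs.oasis-open.org/wsfed/federation/200706'
            wsa = 'http://www.w3.org/2005/08/addressing'
        }
        $endpoint = Select-Xml -Xml $metadata -Namespace $ns `
            -XPath '//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address' |
            Select-Object -First 1
        if ($endpoint) { $result.PassiveEndpoint = $endpoint.Node.InnerText }
        else { $problems.Add('Metadata advertises no WS-Federation passive endpoint') }
    } catch {
        $problems.Add("Federation metadata not reachable anonymously: $($_.Exception.Message)")
    }

    [pscustomobject]$result
}

Test-ImageVaultAdfsPrerequisites `
    -ApplicationUrl 'https://imagevault.mydomain.com/' `
    -FederationMetadataUrl 'https://sts.mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml'
```

An empty Problems list together with a non-empty Issuer and PassiveEndpoint means the UI server can complete the metadata exchange the security manager depends on; anything in Problems should be fixed before continuing.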
Setup ADFS Relying Party Trust
You first need to add a Relying Party Trust for the ImageVault UI application in your AD FS service.
This is done with the AD FS Management tool (short instructions below). A longer walkthrough can be found at http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/
- Add Relying Party Trust...
- Choose to enter data about the relying party manually
- Enter any display name (preferably the Application URL above)
- Enable support for the WS-Federation Passive protocol and enter the Application URL as the relying party WS-Federation Passive protocol URL (the wizard also registers this URL as the relying party trust identifier)
When the relying party trust is set up, you also need to configure claim issuance rules that send at least the following claims:
- User principal name (identifies the user)
- Name ID (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) (can be mapped from the UPN)
- Name (the visible user name)
- Role (one claim per group membership, as many as needed; used for role based authorization)
- Email (optional)
Note: The same claims must also be issued to the site that any ImageVault client (for example the Episerver plugin) runs on, if that client uses AD FS.
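The wizard steps and claim rules above can also be scripted, which is useful when the same trust has to be repeated for the Episerver site mentioned in the note. The script below is an added example, not part of the ImageVault documentation or the AD FS wizard; it uses the AD FS PowerShell module on the AD FS server and assumes the hypothetical Application URL https://imagevault.mydomain.com/ and a hypothetical AD group IV-Users whose members are allowed to sign in.

```powershell
# Added example, not from the ImageVault documentation: the relying party trust and
# claim rules created with the AD FS PowerShell module. Run on the AD FS server as an
# administrator. Assumed (hypothetical) values: Application URL
# https://imagevault.mydomain.com/ and the AD group IV-Users.
Import-Module ADFS

$appUrl = 'https://imagevault.mydomain.com/'   # Application URL, trailing slash included

# Issuance transform rules in the AD FS claim rule language:
#  1. read userPrincipalName, displayName and mail from AD and issue them as the
#     User principal name, Name and Email claims;
#  2. issue each AD group of the user as a Role claim (unqualified group name, which
#     is the value you type into ImageVault's access lists);
#  3. copy the UPN into the Name ID claim that identifies the user.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ImageVault: UPN, Name and Email from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName,displayName,mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "ImageVault: AD groups as Role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "ImageVault: UPN as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Issuance authorization rule: only members of IV-Users get a token for this relying
# party at all (the wizard default is "Permit all users"). Authorization rules run on
# the claims coming from the AD claims provider, so match on the group SID, not on the
# Role claim issued above. Get-ADGroup needs the ActiveDirectory (RSAT) module.
$groupSid = (Get-ADGroup -Identity 'IV-Users').SID.Value
$authorizationRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit members of IV-Users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i){0}$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@ -f $groupSid

Add-AdfsRelyingPartyTrust -Name 'ImageVault UI' `
    -Identifier $appUrl `
    -WSFedEndpoint $appUrl `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Verify what AD FS stored; Identifier and WSFedEndpoint must equal the Application URL.
Get-AdfsRelyingPartyTrust -Name 'ImageVault UI' |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled
```

For the Episerver site's own relying party trust, run Add-AdfsRelyingPartyTrust again with that site's URL and the same $issuanceRules, so the client receives the same claim set as the ImageVault UI.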
Setup ImageVault UI
Make sure that ImageVault.Adfs.Providers.dll is present in the bin folder of the ImageVault UI site.
To configure the ImageVault UI to use AD FS authentication, modify the web.config file.
To use this authentication method, set the ASP.NET authentication mode to None (<authentication mode="None" />).
To point ImageVault at your AD FS server, add or modify the connection string named ImageVaultSecurityManager.
The providerName for this connectionString should be
This should be the same as the Application URL
This should be the same as the Federated meta data URL
The example below summarizes the needed web.config changes.
If you get an error while logging in via AD FS, the AD FS server has usually recorded the reason: the message shown in the browser is deliberately generic, while the server log carries the specific failure. Open Event Viewer on the AD FS server and navigate to "Applications and Services Logs" -> "AD FS" -> "Admin".
Redirect HTTP to HTTPS
If the site is reached on a non-HTTPS port, the sign-in request sent to AD FS carries an http:// return address that does not match the registered HTTPS relying party endpoint, and AD FS shows an error when you log in. To avoid this, add a redirect rule to the web.config so that all plain HTTP traffic is redirected to the HTTPS address.
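One way to express that redirect, as an added example that is not taken from the ImageVault documentation: an IIS URL Rewrite rule in the web.config. It assumes the IIS URL Rewrite module is installed and that the HTTPS site answers on the same host name as the HTTP one; if the designated HTTPS address is a different host, replace {HTTP_HOST} with that host name.

```xml
<!-- Added example, not from the ImageVault documentation. Requires the IIS URL Rewrite
     module. Place the <rewrite> element inside <system.webServer> of the ImageVault UI
     web.config; it also works for a virtual application below an Episerver site, because
     REQUEST_URI carries the full request path including the application path. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <!-- Only requests that did not arrive over TLS -->
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <!-- REQUEST_URI already contains the query string, so appendQueryString is off
               to avoid duplicating it. Assumes the HTTPS site uses the same host name. -->
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
                  appendQueryString="false" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After adding the rule, request the Application URL over plain http:// and confirm that the response is a 301 to the https:// address before attempting an AD FS sign-in; the redirect has to happen before the WS-Federation request is built, otherwise AD FS still sees the http:// return address.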