I have developed a solution with ASP.NET front-end using WCF-services as back-end. The web-site currently authenticates using ADFS 1.0 (I do not have any control of the ADFS-implementation but it has been configured for my web-application). Also, it's no option to upgrade to ADFS 2.0 (at least not in the near future)
The configuration in Web.config for this is the following:
<httpModules>
<add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
</httpModules>
<membership defaultProvider="SingleSignOnMembershipProvider2">
<providers>
<add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://urltoadfs/adfs/fs/FederationServerService.asmx" />
</providers>
</membership>
<websso>
<authenticationrequired />
<urls>
<returnurl>https://myapplication/</returnurl>
</urls>
<fs>https://urltoadfs/adfs/fs/FederationServerService.asmx</fs>
<isSharePoint />
</websso>
This works fine and i can access the application using an account in ADFS. The problem is that I need to convert this claim-identity to a WindowsIdentity to access the back-end WCF services (they use Windows Authentication with impersonation/delegation).
Is there any way to accomplish this with ADFS 1.0? I have tried to use WIF (Windows Identity Foundation) but I cannot find any clear information if it's possible to use it together with ADFS 1.0 as STS. I have also investigated the "Windows NT token-based applications"-option (http://technet.microsoft.com/en-us/library/cc784956(v=ws.10).aspx) but I would like to avoid changes in the current ADFS-implementation if possible.
To test the WIF-option I used the following configuration in Web.config (the part on websso removed):
<httpModules>
<add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add name="ClaimsAuthorizationModule" type="Microsoft.IdentityModel.Web.ClaimsAuthorizationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</httpModules>
<microsoft.identityModel>
<service>
<audienceUris>
<add value="https://myapplication/" />
</audienceUris>
<applicationService>
<claimTypeRequired>
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="true" />
</claimTypeRequired>
</applicationService>
<securityTokenHandlers>
<add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
</add>
</securityTokenHandlers>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true"
issuer="https://urltoadfs/adfs/fs/FederationServerService.asmx"
realm="https://myapplication/"
requireHttps="true" />
</federatedAuthentication>
</service>
</microsoft.identityModel>
I also have the "Claims to Windows Token Service" (c2WTS) running on the web-server.
I get redirected to the ADFS-server but I just receives a general error from the server.