Getting AD User info from VB Win Application Form via AD FS


I have a WinForms application (not on the intranet) where I would like to implement a functionality where you can enter your AD credentials and the application should connect to our AD through the web-published ADFS (the standard https://[adfsurl]/adfs/ls/idpinitiatedsignon.aspx) and get that info (for example the AD group you belong to).

I started researching, but most of the examples are for ASP.NET and MVC or WIF in an intranet scenario.

What approach would you suggest?

2

There are 2 answers

0
Michael R. On BEST ANSWER

I was finally able to make it work; I had to create a new application in ADFS and generate a self-signed cert.

Here is the code:

Imports System.IO
Imports System.Linq
Imports System.Xml
Imports System.IdentityModel.Protocols.WSTrust
Imports System.IdentityModel.Selectors
Imports System.IdentityModel.Tokens
Imports System.Security.Claims
Imports System.Security.Cryptography.X509Certificates
Imports System.ServiceModel
Imports System.ServiceModel.Security

' Minimal implementation of the IssuerNameRegistry subclass used below (the original post
' references it without showing it): the token is accepted only if it was signed by a
' certificate whose subject matches the expected one.
Public Class TrustedIssuerNameRegistry
    Inherits IssuerNameRegistry

    Private ReadOnly _trustedSubject As String

    Public Sub New(trustedSubject As String)
        _trustedSubject = trustedSubject
    End Sub

    Public Overrides Function GetIssuerName(securityToken As SecurityToken) As String
        Dim x509Token = TryCast(securityToken, X509SecurityToken)
        If x509Token IsNot Nothing AndAlso String.Equals(x509Token.Certificate.SubjectName.Name, _trustedSubject, StringComparison.OrdinalIgnoreCase) Then
            Return x509Token.Certificate.SubjectName.Name
        End If
        Throw New SecurityTokenException("Untrusted issuer.")
    End Function
End Class

Private Sub GetToken()
    ' Subject of the AD FS token-signing certificate; the token's issuer is checked against it.
    Const certSubject As String = "CN=[CN of the cert]"
    ' Relying party identifier configured in AD FS; it becomes the token's audience.
    Dim sEndPointAddress As String = "https://domain/adfs/services/myapp"

    ' Username/password travel inside the SOAP message, protected by TLS (the "usernamemixed" endpoint).
    Dim binding As New WS2007HttpBinding()
    binding.Security.Message.EstablishSecurityContext = False
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None
    binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName
    binding.Security.Mode = SecurityMode.TransportWithMessageCredential

    Dim trustChannelFactory As New WSTrustChannelFactory(binding, New EndpointAddress("https://domain/adfs/services/trust/13/usernamemixed"))
    trustChannelFactory.TrustVersion = TrustVersion.WSTrust13
    trustChannelFactory.Credentials.UserName.UserName = [user]
    trustChannelFactory.Credentials.UserName.Password = [password]

    ' Ask AD FS for a bearer token scoped to the relying party.
    Dim requestToken As New RequestSecurityToken(RequestTypes.Issue)
    requestToken.AppliesTo = New EndpointReference(sEndPointAddress)
    requestToken.KeyType = KeyTypes.Bearer
    requestToken.Claims.Dialect = "http://docs.oasis-open.org/wsfed/authorization/200706/authclaims"

    Dim tokenClient As WSTrustChannel = CType(trustChannelFactory.CreateChannel(), WSTrustChannel)
    Try
        Dim token As GenericXmlSecurityToken = CType(tokenClient.Issue(requestToken), GenericXmlSecurityToken)

        ' Validation settings. Certificate chain and revocation checks are switched off because the
        ' token-signing cert is self-signed, so the issuer check rests entirely on
        ' TrustedIssuerNameRegistry; a fresh AudienceRestriction defaults to AudienceMode.Always,
        ' so the token must also name this application as its audience.
        Dim tokenHandlers = New SecurityTokenHandlerCollection(New SecurityTokenHandler() {New SamlSecurityTokenHandler()})
        tokenHandlers.Configuration.CertificateValidationMode = X509CertificateValidationMode.None
        tokenHandlers.Configuration.RevocationMode = X509RevocationMode.NoCheck
        tokenHandlers.Configuration.CertificateValidator = X509CertificateValidator.None
        tokenHandlers.Configuration.AudienceRestriction = New AudienceRestriction()
        tokenHandlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(New Uri(sEndPointAddress))

        Dim trusted = New TrustedIssuerNameRegistry(certSubject)
        tokenHandlers.Configuration.IssuerNameRegistry = trusted

        ' Convert the generic security token to a SAML token.
        Dim samlToken = tokenHandlers.ReadToken(New XmlTextReader(New StringReader(token.TokenXml.OuterXml)))

        ' Validate the SAML token (signature, issuer, audience, lifetime) and build a claims principal.
        Dim principal = New ClaimsPrincipal(tokenHandlers.ValidateToken(samlToken).First())

        ' Display token information.
        Console.WriteLine("Name : " + principal.Identity.Name)
        Console.WriteLine("Auth Type : " + principal.Identity.AuthenticationType)
        Console.WriteLine("Is Authed : " + principal.Identity.IsAuthenticated.ToString())
        For Each c As Claim In principal.Claims
            Console.WriteLine(c.Type + " / " + c.Value)
        Next

        Form1.lbl_Hello.Text = "Hi, " + principal.Identity.Name

    Catch ex As Exception
        ' ID3242: the STS could not authenticate or authorize the security token (wrong credentials).
        If ex.Message.Contains("ID3242") Then
            MsgBox("Invalid Credentials")
        Else
            MsgBox(ex.Message)
        End If

    End Try
End Sub
0
Michael R. On

So, I was able to create an ASP.NET MVC project and get the info needed; I can retrieve, for example, the groups of the connected users.

As I mentioned earlier, this is a WinForms tool that needs to be installed on the users' PCs, so the MVC project will not work.

I tried to search for some code that will not need a web component, and in the end I was able to create some code that connects to my adfs and gets back a token.

Imports System.IdentityModel.Protocols.WSTrust
Imports System.IdentityModel.Tokens
Imports System.ServiceModel
Imports System.ServiceModel.Security

Private Sub RequestTokenFromAdfs()
    Dim sEndPointAddress As String = "https://domain/adfs/ls/idpinitiatedsignon.aspx"

    ' Username/password inside the message, TLS on the transport (the "usernamemixed" endpoint).
    Dim binding As New WS2007HttpBinding()
    binding.Security.Message.EstablishSecurityContext = False
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None
    binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName
    binding.Security.Mode = SecurityMode.TransportWithMessageCredential

    Dim trustChannelFactory As New WSTrustChannelFactory(binding, New EndpointAddress("https://domain/adfs/services/trust/13/usernamemixed"))
    trustChannelFactory.TrustVersion = TrustVersion.WSTrust13
    trustChannelFactory.Credentials.UserName.UserName = "username"
    trustChannelFactory.Credentials.UserName.Password = "password"

    ' Token request scoped to the address above, asking for optional claims.
    Dim requestToken As New RequestSecurityToken(RequestTypes.Issue)
    requestToken.AppliesTo = New EndpointReference(sEndPointAddress)

    requestToken.Claims.Dialect = "http://docs.oasis-open.org/wsfed/authorization/200706/authclaims"
    requestToken.Claims.Add(New RequestClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", True, "Windows account name"))
    requestToken.Claims.Add(New RequestClaim("request", True, "id"))

    Dim tokenClient As WSTrustChannel = CType(trustChannelFactory.CreateChannel(), WSTrustChannel)
    Try
        Dim token As SecurityToken = tokenClient.Issue(requestToken)
    Catch ex As Exception
        MsgBox(ex.Message)
    End Try
End Sub

Now that I have the token, how can I retrieve the AD info that I need? Is that part of the RequestClaim that I send? And how can I add the requests generated from this tool to the Relying Party Trust?
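As an added example (not code from either answer), this is the same WS-Trust flow as the accepted answer, but the token's issuer is pinned to the thumbprint of the AD FS token-signing certificate rather than its subject name, the audience is enforced, and the group claims are read out of the validated identity; it assumes the endpoint, relying party identifier and thumbprint placeholders shown, and that the relying party trust has a claim rule issuing Token-Groups as role claims (the claims you get back are decided by those rules, not by the RequestClaim list).

```vb
Imports System.Collections.Generic
Imports System.IO
Imports System.Linq
Imports System.Xml
Imports System.IdentityModel.Protocols.WSTrust
Imports System.IdentityModel.Selectors
Imports System.IdentityModel.Tokens
Imports System.Security.Claims
Imports System.ServiceModel
Imports System.ServiceModel.Security

Module AdfsGroupLookup
    ' Assumed values: your AD FS usernamemixed endpoint, the relying party identifier
    ' registered for this app in AD FS, and the thumbprint of the AD FS token-signing cert.
    Const StsEndpoint As String = "https://adfs.example.com/adfs/services/trust/13/usernamemixed"
    Const RelyingPartyId As String = "https://myapp.example.com/"
    Const SigningCertThumbprint As String = "<thumbprint of the AD FS token-signing certificate>"

    ' Authenticates the user against AD FS and returns the group names issued as role claims.
    Public Function GetGroups(userName As String, password As String) As List(Of String)
        Dim binding As New WS2007HttpBinding(SecurityMode.TransportWithMessageCredential)
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName
        binding.Security.Message.EstablishSecurityContext = False
        Dim factory As New WSTrustChannelFactory(binding, New EndpointAddress(StsEndpoint))
        factory.TrustVersion = TrustVersion.WSTrust13
        factory.Credentials.UserName.UserName = userName
        factory.Credentials.UserName.Password = password
        Dim rst As New RequestSecurityToken(RequestTypes.Issue) With {
            .AppliesTo = New EndpointReference(RelyingPartyId),
            .KeyType = KeyTypes.Bearer}
        Dim channel = CType(factory.CreateChannel(), WSTrustChannel)
        Dim token = CType(channel.Issue(rst), GenericXmlSecurityToken)
        channel.Close()
        ' Pin the signing certificate by thumbprint (a subject name can be copied into any
        ' self-signed cert, a thumbprint cannot) and require the audience to match. Chain
        ' validation is off because the AD FS signing cert is usually self-signed; the pin replaces it.
        Dim handlers = New SecurityTokenHandlerCollection(New SecurityTokenHandler() {New SamlSecurityTokenHandler(), New Saml2SecurityTokenHandler()})
        Dim issuers As New ConfigurationBasedIssuerNameRegistry()
        issuers.AddTrustedIssuer(SigningCertThumbprint, "adfs")
        handlers.Configuration.IssuerNameRegistry = issuers
        handlers.Configuration.CertificateValidationMode = X509CertificateValidationMode.None
        handlers.Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Always
        handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(New Uri(RelyingPartyId))
        Dim saml = handlers.ReadToken(New XmlTextReader(New StringReader(token.TokenXml.OuterXml)))
        Dim identity = handlers.ValidateToken(saml).First()
        ' Groups arrive only if the relying party trust issues Token-Groups as role claims.
        Return identity.FindAll(ClaimTypes.Role).Select(Function(c) c.Value).ToList()
    End Function
End Module
```

If the thumbprint does not match the certificate that signed the token, ValidateToken throws rather than returning an identity, which is the failure mode you want for a token minted by anything other than your AD FS.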