Identityserver4: ADFS as external identity provider for IdSrv4

Created on 30 Aug 2018 · 11 Comments · Source: IdentityServer/IdentityServer4

Hi! Where can I find an example of this configuration: use ADFS as an external identity provider for IdSrv4? In another post I read this: "You have to setup IdSrv in ADFS as a relying party, and ADFS in IdSrv as an identity provider" but I don't know how I can do that.

In the documentation I saw it may be done using OIDC: `.AddOpenIdConnect("adfs", "ADFS", options => {...});`

But what is the configuration I need to do? Is it the same as for connecting to Azure AD, only changing the authority? I made the following configuration for Azure AD:

```csharp
.AddOpenIdConnect("AAD", "Employees", options =>
{
    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.SignOutScheme = IdentityServerConstants.SignoutScheme;
    options.Authority = "https://login.microsoftonline.com/common";
    options.ClientId = "<GUID for configured app in azure ad - apps>";
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.TokenValidationParameters = new TokenValidationParameters
    {
        // issuer validation disabled: the multi-tenant /common endpoint has no single issuer
        ValidateIssuer = false
    };
    options.GetClaimsFromUserInfoEndpoint = true;
});
```

Thanks in advance.

question

All 11 comments

Solution I found is:

Requirements:

  • ADFS service configured
  • Identity Server service configured in IIS

Create an application group:

  • In AD FS Management, right-click Application Groups and select Add Application Group.
  • In the Application Group Wizard, type a name and under Standalone applications select the Server application template. Click Next.
  • Copy the Client Identifier value. It will be used later in the Identity Server configuration.
  • Enter the Identity Server URL as the Redirect URI (https://server.domain). Click Add. Click Next.
  • On the Configure Application Credentials screen, check Generate a shared secret and copy the secret. Click Next.
  • On the Summary screen, click Next.
  • On the Complete screen, click Close.
  • Now right-click the new Application Group and select Properties.
  • In the Properties window click Add application.
  • On the Add a new application to… screen, select Web API and click Next.
  • On the Configure Web API screen, enter the same URL as the Identifier (https://server.domain). Click Add. Click Next.
  • On the Choose Access Control Policy screen, select Permit everyone and click Next.
  • On the Configure Application Permissions screen, make sure openid and profile are selected and click Next.
  • On the Summary screen, click Next.
  • On the Complete screen, click Close.
  • In the Properties window click OK.

Configure authentication methods:

  • In AD FS Management, click Authentication Methods. Select Edit under Primary Authentication Methods.
  • In the Edit Authentication Methods form, make sure only the Forms Authentication option is selected for Extranet and Intranet, and click OK.

Identity server configuration is:

```csharp
services.AddAuthentication()
    .AddOpenIdConnect("adfs", "AD authentication", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;

        options.Authority = "https://adfsServiceUrl/adfs";          // your ADFS service URL
        options.ClientId = "<Client Identifier copied from ADFS>";  // from the application group
        options.ResponseType = "id_token";

        options.CallbackPath = "/signin-adfs";
        options.SignedOutCallbackPath = "/signout-callback-adfs";
        // later replies in this thread add ClientSecret and correct this path to "/signout-adfs"
        options.RemoteSignOutPath = "/signin-adfs";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
            RoleClaimType = "role"
        };
    });
```

All set on this issue -- can we close?

The Identity Server config also needs `options.ClientSecret = "<shared secret generated by ADFS>";`, otherwise it will error in the ADFS Event Logs.

@churstz @gcardozoj does any one of you have a working example of identity server 4 using ADFS as external identity provider?

We are struggling to get additional claims like email, name or first name

@fabich this would be helpful if you could get a working example as I'm struggling to get Identity Server 4 working using ADFS also. Getting: AuthenticationException: The remote certificate is invalid according to the validation procedure.

Worked fine for me, but there was a step missing. Besides just enabling the scopes of openid, profile, email etc., I also had to go into the rules and map the unique_name, email address, etc. I also had to remove 2 lines of code from the above mentioned startup.cs code:

```csharp
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme = IdentityServerConstants.SignoutScheme;
```

Until this was removed, the claims information was always null.
Really appreciate the above. Was very helpful.

I am using ADFS Server 3.0 and I have to use OAuth instead of OpenID Connect as ADFS 3 doesn't support OpenID Connect. How can I achieve that? Any working solution?

@CShelton11 I'm in the same boat regarding the claims, so basically the cookie that comes from ADFS only has the minimal claims needed (like 2 or 3) and encrypted versions of it. I'll try commenting that out later, but if we remove those lines, what are the schemes defaulting to then?

There is another typo:

```csharp
options.RemoteSignOutPath = "/signin-adfs";
```

should be

```csharp
options.RemoteSignOutPath = "/signout-adfs";
```
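Pulling the thread's corrections together (the ClientSecret, the RemoteSignOutPath typo, and the missing-claims problem several people hit), here is an added example registration; it is not code from the thread or from IdentityServer4 itself. It assumes an ADFS host of adfs.example.test, configuration keys Adfs:ClientId and Adfs:ClientSecret, a hypothetical AddAdfs helper called from Startup.ConfigureServices, and ADFS issuance rules that emit an email claim; unlike the Azure AD snippet in the question, issuer validation stays on because ADFS is a single issuer.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
public static class AdfsExternalProvider
{
    public static void AddAdfs(IServiceCollection services, IConfiguration config)
    {
        services.AddAuthentication()
            .AddOpenIdConnect("adfs", "AD authentication", options =>
            {
                // External identities go to IdentityServer's external cookie, which its callback reads.
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.SignOutScheme = IdentityServerConstants.SignoutScheme;
                // Assumed host; discovery comes from <Authority>/.well-known/openid-configuration.
                options.Authority = "https://adfs.example.test/adfs";
                options.ClientId = config["Adfs:ClientId"];         // Client Identifier of the application group
                options.ClientSecret = config["Adfs:ClientSecret"]; // shared secret, kept out of source control
                // Authorization code flow: the id_token is redeemed back-channel with the secret, not via the browser.
                options.ResponseType = OpenIdConnectResponseType.Code;
                options.Scope.Add("email");                         // openid and profile are added by default
                options.CallbackPath = "/signin-adfs";
                options.SignedOutCallbackPath = "/signout-callback-adfs";
                options.RemoteSignOutPath = "/signout-adfs";        // must differ from CallbackPath
                // Single ADFS issuer: leave ValidateIssuer at its default (true); the handler compares the
                // id_token issuer with the discovery document, so the ValidateIssuer = false used for
                // Azure AD's multi-tenant /common endpoint is not wanted here.
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name",
                    RoleClaimType = "role"
                };
                options.Events = new OpenIdConnectEvents
                {
                    // Claims appear only if ADFS issuance rules emit them; refuse a sign-in without email.
                    OnTokenValidated = ctx =>
                    {
                        if (!ctx.Principal.HasClaim(c => c.Type == "email" || c.Type == ClaimTypes.Email))
                            ctx.Fail("ADFS issued no email claim; check the Web API issuance transform rules.");
                        return Task.CompletedTask;
                    }
                };
            });
    }
}
```

The email check accepts both the raw `email` claim type and `ClaimTypes.Email`, since the JWT handler's default inbound map renames it unless the IdentityServer quickstart's `DefaultInboundClaimTypeMap.Clear()` is in place.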

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
