ADFS Authentication Without JavaScript

TL;DR

You can authenticate with Active Directory Federation Services (ADFS) without relying on JavaScript by using the standard WS-Federation protocol directly through server-side redirects and POST requests. This is useful for applications that don’t run in a browser or where JavaScript isn’t available or desirable.

Solution Guide

1. Understand the WS-Federation Flow

ADFS uses WS-Federation for authentication. The basic flow involves these steps:

• Your application redirects the user to the ADFS endpoint with a request for authentication.
• The user authenticates at ADFS (username/password, MFA etc.).
• ADFS redirects the user back to your application with a SAML assertion or WS-Federation token.
• Your application validates the token and establishes a session.

We’ll be handling these steps programmatically on the server side.

2. Construct the Authentication Request

You need to create an HTTP GET request to your ADFS endpoint. The URL will typically look like this:

https://your-adfs-server/adfs/ls/?wa=wsignin1.0&wtrealm=your-application-url

• wa=wsignin1.0: Specifies the WS-Federation sign-in protocol version.
• wtrealm=your-application-url: This is crucial. It’s the URL of your application that ADFS will redirect back to after successful authentication. Make sure this matches exactly what you configure in ADFS (see step 4).

You can add other parameters as needed, such as:

• wreply: Explicitly specify the redirect URL (same as wtrealm is common).
• prompt=login: Force a login prompt even if the user has a session.

Example in Python:

import requests

adfs_url = "https://your-adfs-server/adfs/ls/"
realm = "https://your-application-url"
redirect_url = f"{adfs_url}?wa=wsignin1.0&wtrealm={realm}"

response = requests.get(redirect_url)
print(response.url) # This will show the ADFS login page URL

3. Handle the Redirect from ADFS

After the user authenticates, ADFS will redirect them back to the wtrealm URL you specified.

• Your server-side code needs to handle this redirect.
• The redirect will contain a SAML assertion or WS-Federation token in the query string (usually as a parameter named wa=wsignin1.0).
• Extract this token from the URL.

Example of extracting the token:

from urllib.parse import urlparse, parse_qs

redirect_url = request.url # Get the redirect URL from your web framework
parsed_url = urlparse(redirect_url)
query_params = parse_qs(parsed_url.query)

token = query_params.get('wa', [None])[0]
if token:
  print("Token received:", token)

4. Configure ADFS Relying Party Trust

You must configure a Relying Party Trust in ADFS for your application.

• Open the ADFS Management console.
• Add a new Relying Party Trust.
• Choose ‘Enter data about the relying party manually’.
• Give it a display name and enter the Relying party trust identifier as your application’s URL (the same one you used for wtrealm).
• Configure claim rules to send the necessary claims (e.g., user principal name, email address) to your application. This is where you define what information ADFS will provide about the authenticated user.
5. Validate the Token

Your application needs to validate the received token.

• You can use a WS-Federation library or manually parse and verify the SAML assertion (if that’s what ADFS is sending).
• Verify the signature of the token.
• Check the issuer, audience, expiration time, and other relevant claims.

Token validation libraries are available for most programming languages. For example, in .NET you can use IdentityModel.