SSO with AD/ADFS and .NET Native Client


My Question is about Active Directory (AD), Active Directory Federation Services (ADFS), Single Sign On (SSO) and SAML.

We have a Client/Server Application with the following Specs:

  • Client: WPF .NET Native Client based on .NET 4.7.2 and C#
  • Server: REST-Service based on Java Spring

One main Requirement is SSO with AD/ADFS. In the best case the User should be authenticated seamlessly/silently.

The main Restriction is AD and ADFS based on Windows Server 2012 R2.

In the following Picture you can see how we planned to implement SSO with ADFS.

[Picture: SSO-Scenario]

  • The .NET Native Client tries to use the REST-Service without Authentication.
  • The REST-Service redirects the .NET Native Client to the ADFS-Server.
  • The .NET Native Client tries to get a SAML-Token with the currently logged on User-Credentials (Windows Logon).
  • If the current User is granted, the ADFS-Server responds with a SAML-Token.
  • The .NET Native Client takes the SAML-Token and passes it to the REST-Service.
  • If the SAML-Token is accepted, the User Access is granted.
  • If the SAML-Token is not accepted, the User should get a Login-Screen in the App.

At this time I'm totally confused about SSO with ADFS in a .NET Native Client. I can't find any suitable Demos etc. Many Demos or Use Cases are about ASP.NET but almost nothing about Native Clients. I'm starting to wonder if my assumptions about SSO with AD/ADFS and SAML aren't true.

I started building an AD-ADFS-Lab with Virtual Machines as described in "Understanding ADFS: an Introduction to ADFS". Then I tried to play with the ADFS-Server but couldn't get it done.

I was looking at these Libraries:

After 1 week of Research my Head is spinning:

  • Do I need WIF?
  • What about WCF?

I know there is OAuth. I know Windows Server 2012 isn't the latest and best for this Scenario. But the Requirements and Restrictions come directly from our Customer.

  • What can I do?
  • What can I read or try?
  • Are there any other Libraries?
  • Are there any Examples?

Update

I was able to "talk" to my ADFS-Server with WS-Trust and get a SAML-Token.

using System;
using System.IdentityModel.Protocols.WSTrust;   // RequestSecurityToken, RequestTypes, KeyTypes, EndpointReference
using System.IdentityModel.Tokens;              // GenericXmlSecurityToken
using System.ServiceModel;                      // SecurityMode
using System.ServiceModel.Security;             // WSTrustChannelFactory, TrustVersion
// UserNameWSTrustBinding is not part of the .NET 4.5+ framework itself; it is assumed
// to come from a WIF helper library (e.g. Thinktecture.IdentityModel).

class Program
{
    private static void Main(string[] args)
    {
        string adfs = "https://ad-fs.adlab.local";
        // WS-Trust 1.3 endpoint that accepts a username/password in the message (over TLS)
        string adfsEndpoint = "https://ad-fs.adlab.local/adfs/services/trust/13/usernamemixed";
        // Relying-party identifier registered in ADFS for the REST-Service
        string appServer = "https://ad-server.adlab.local/sampapp/";

        var factory = new WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), adfsEndpoint);
        factory.TrustVersion = TrustVersion.WSTrust13;

        var channelCredentials = factory.Credentials;

        // Lab credentials only; a real client must never hard-code these
        channelCredentials.UserName.UserName = "Administrator@adlab";
        channelCredentials.UserName.Password = "SsoLab2019";
        channelCredentials.SupportInteractive = false;

        // Ask ADFS to issue a bearer SAML token scoped to the REST-Service
        RequestSecurityToken rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(appServer),
            KeyType = KeyTypes.Bearer
        };

        var channel = factory.CreateChannel();

        try
        {
            var token = (GenericXmlSecurityToken)channel.Issue(rst);
            Console.Write(token.TokenXml.OuterXml);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }

        Console.ReadKey();
    }
}

Now I have to figure out how I can get the SAML-Token silently/seamlessly.
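As an added example (not part of the question or the poster's code), the following shows how the same WS-Trust 1.3 request can be sent with the Windows logon of the current process instead of a username/password, which is what the "seamless/silent" step in the scenario requires. It uses only framework types from System.ServiceModel and System.IdentityModel (no WIF helper library). The host names and the relying-party identifier are placeholders copied from the lab above; the assumption is that the ADFS `windowstransport` endpoint is enabled on the farm (`Get-AdfsEndpoint` on the ADFS server shows this) and that the client machine is domain-joined so Kerberos/NTLM negotiation can succeed. When ADFS rejects the Windows credential the method returns null, which is the point where the client falls back to its own login screen, matching the last bullet of the planned flow.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;   // RequestSecurityToken, RequestTypes, KeyTypes, EndpointReference
using System.IdentityModel.Tokens;              // GenericXmlSecurityToken
using System.ServiceModel;                      // WS2007HttpBinding, SecurityMode, HttpClientCredentialType
using System.ServiceModel.Security;             // WSTrustChannelFactory, TrustVersion, MessageSecurityException

// Added example: obtain a bearer SAML token from ADFS with the interactive
// user's Windows logon (integrated authentication), no password prompt.
public static class AdfsWindowsTokenClient
{
    // ASSUMPTION: WS-Trust 1.3 endpoint with Windows auth on the transport; must be
    // enabled on the ADFS farm. Host name is a lab placeholder.
    private const string AdfsWindowsTransportEndpoint =
        "https://ad-fs.adlab.local/adfs/services/trust/13/windowstransport";

    // Relying-party identifier registered in ADFS for the REST-Service (placeholder).
    private const string RelyingPartyIdentifier = "https://ad-server.adlab.local/sampapp/";

    // Returns the issued SAML token as XML, or null when ADFS refuses the Windows
    // credential (caller then shows the in-app login screen instead).
    public static string TryRequestBearerToken()
    {
        // TLS on the wire, Windows credential (Kerberos/NTLM) negotiated on the HTTP layer.
        var binding = new WS2007HttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(AdfsWindowsTransportEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };

        // Bearer key type: the REST-Service only has to validate signature, audience and
        // lifetime of the token; no proof-of-possession key is involved.
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(RelyingPartyIdentifier),
            KeyType = KeyTypes.Bearer
        };

        try
        {
            var channel = factory.CreateChannel();
            var token = (GenericXmlSecurityToken)channel.Issue(rst);
            return token.TokenXml.OuterXml;   // SAML assertion to forward to the REST-Service
        }
        catch (MessageSecurityException)
        {
            // ADFS rejected the credential or the user is not authorised for the relying party
            return null;
        }
        catch (SecurityNegotiationException)
        {
            // Kerberos/NTLM negotiation failed (e.g. not domain-joined, SPN problems)
            return null;
        }
        finally
        {
            try { factory.Close(); } catch (CommunicationException) { factory.Abort(); }
        }
    }
}
```

The client should treat the returned XML as opaque and only forward it; validation (issuer signature against the ADFS token-signing certificate, the `AppliesTo` audience, and the token lifetime) belongs on the REST-Service, which is the only party that must decide whether the token is accepted.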
