What are the correct credentials for an ADFS stream within an organization?

I was reading Vittorio Bertocci's blog to try and speed up the use of ADFS to manage authentication and claims in an MVC application or WebApi service. It looks like it is becoming very affordable.

Now I am trying to create a POC using ADFS to address the general requirements for internal sites / services in our enterprise. Our users will be on the intranet along with our endpoints. We are currently using Windows Integrated auth by default, and each site looks up username, email, and other AD data and validates the role responsibility principle through IsInRole. The claims we get with integrated auth only include the SamIdentifier and the group SIDs. An ADFS-like identity for this works for us, but still gives our users a seamless experience. In the long term, we will most likely add support for non-domain devices in some sites / services, so this is another motivation to learn ADFS.

So, I created a simple example application in VS2013 using Organizational Accounts (On Premise) that will dump the current user's claims, configured the metadata endpoint and audience URI, gave this information along with the claims that I would like mapped to my ADFS administrator (2012 d.), and deployed my site to a development server. So my host is still IIS, although I am hoping to use Owin middleware to set up authentication and not web.config (WIF style).

Considering IIS is my host, how do I configure authentication for my site: anonymous? And my web.config should specify "None" for the authentication mode and deny users="?" for authorization, right?

Another question I have: Vittorio did not go into, in his post, the bearer-token nature of ADFS in place, or whether I need to explicitly configure the middleware to use cookies. My launch config looks like this:

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseActiveDirectoryFederationServicesBearerAuthentication(
            new ActiveDirectoryFederationServicesBearerAuthenticationOptions
            {
                MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
                TokenValidationParameters = new TokenValidationParameters() { ValidAudience = ConfigurationManager.AppSettings["ida:Audience"] }
            });
    }


It looks like this middleware is expecting JWT tokens (given that there is a JwtSecurityTokenHandler in the class). Is there any configuration we need to do on the ADFS side to issue JWT tokens? I understand that by default I am getting the SAML token.

And do we need to use CookieAuthentication middleware to manage the token, or will the browser keep it going for the entire session?

Thank you all!

UPDATE: So based on Vittorio's help below and some additional research, I now have a simple website with one page protected by the [Authorize] attribute. My Startup ConfigureAuth class now looks like this:

    public void ConfigureAuth(IAppBuilder app)
    {
        // Any principal signed in by the other middleware is persisted by the cookie middleware
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // Validates incoming "Authorization: Bearer <JWT>" headers against the ADFS metadata
        app.UseActiveDirectoryFederationServicesBearerAuthentication(
            new ActiveDirectoryFederationServicesBearerAuthenticationOptions
            {
                MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
                TokenValidationParameters = new TokenValidationParameters() { ValidAudience = ConfigurationManager.AppSettings["ida:Audience"] }
            });
    }


We added my site to an ADFS trust and created a half dozen claims rules. So far everything seems to be right, but I'm still scared. I got to the secure "claims" page and got a 401 response with the header WWW-Authenticate: Bearer. So far so good.

But here is the thing: how does the browser know where to go for authentication and get the token? If I were doing a separate client scenario, my client would be configured with the location of the token authority, but in this simple website scenario I am clearly missing something.

UPDATE 2: I wonder if there is another ADFS implementation in place? Or maybe the documentation just doesn't exist yet - or both ...

I pulled out all the Owin packages and went back to using WSFederationAuthenticationModule and SessionAuthenticationModule along with all the web.config settings in the system.identityModel and system.identityModel.services sections that were around. Basically, I figured the solution is similar to the one you get from VS2013 when you select Organizational Accounts -> On Premise. Everything works nicely and I have all my claims configured, coming from ADFS. I see an initial 302 redirect to ADFS, challenge-response, and ultimately a SAML token converted to a secure session cookie. On the web page, I enumerate the claims like this:

    // Controller action that hands the signed-in user's claims to the view
    var user = User as ClaimsPrincipal;
    ViewBag.Claims = user.Claims;
    return View();

This is why I suspect the middleware is incomplete: when you use this new template in VS2013, the wizard goes to the federation metadata endpoint you specify and builds all the web.config settings by reading this xml and additionally sets some smart default values. This is what I was expecting to see in Owin middleware - it should have everything it needs to know, since I am passing the same metadata endpoint. I was hoping that the "magic" would replace the use of FAM / SAM modules and all related configurations.

+3




2 answers


1) If you are setting up a UX web app, i.e. one where you want browser redirects, this is what to use: http://www.cloudidentity.com/blog/2014/04/29/use-the-owin-security-components-in-asp-net-to-implement-web-sign-on-with-adfs/ . In this case, you will see the cookie middleware come into play.

2) If you are configuring a web API that is consumed by a rich client or another server, or anything at all that is not wrapped in a browser, see http://www.cloudidentity.com/blog/2013/10/25/securing-a-web-api-with-adfs-on-ws2012-r2-got-even-easier/ . In this case, you don't need cookies if there is no session - every single call must carry a token.



HTH V.

+5


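Putting the two cases from the answer above into a single OWIN Startup, as an added example (my code, not the asker's and not from the linked posts). It assumes the NuGet packages Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.WsFederation and Microsoft.Owin.Security.ActiveDirectory; IIS site authentication set to Anonymous so that OWIN does the authenticating; the two appSettings keys the question already uses (ida:AdfsMetadataEndpoint and ida:Audience); that the web API controllers live under /api; and a hypothetical AdfsPoc namespace:

```csharp
// Added example: one OWIN Startup covering both cases (browser web app, web API).
// Not the asker's code and not from the linked posts. Assumptions:
//   - packages Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies,
//     Microsoft.Owin.Security.WsFederation, Microsoft.Owin.Security.ActiveDirectory
//   - IIS site authentication = Anonymous (OWIN performs the authentication)
//   - appSettings ida:AdfsMetadataEndpoint (FederationMetadata.xml URL of the ADFS farm)
//     and ida:Audience (relying-party identifier registered in ADFS), as in the question
//   - web API controllers are routed under /api; namespace AdfsPoc is hypothetical
using System.Configuration;
using System.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(AdfsPoc.Startup))]

namespace AdfsPoc
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            string metadata = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"];
            string audience = ConfigurationManager.AppSettings["ida:Audience"];

            // Case 2 branches off first: requests under /api get the bearer pipeline only,
            // so an unauthenticated API call answers 401 + "WWW-Authenticate: Bearer"
            // instead of being redirected to ADFS the way a browser page is.
            app.Map("/api", api => ConfigureWebApiAuth(api, metadata, audience));

            // Case 1: everything else is a browser-facing page.
            ConfigureWebAppAuth(app, metadata, audience);
        }

        // Browser sign-on: 302 to ADFS, SAML token posted back, validated principal stored
        // in an encrypted cookie. This replaces the WSFederationAuthenticationModule /
        // SessionAuthenticationModule pair and the system.identityModel web.config sections.
        static void ConfigureWebAppAuth(IAppBuilder app, string metadata, string audience)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieHttpOnly = true,                     // keep script from reading the session cookie
                CookieSecure = CookieSecureOption.Always,  // never send it over plain HTTP
                SlidingExpiration = false                  // no silent renewal: session ends with the cookie
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                MetadataAddress = metadata,   // issuer name and signing keys are read from here
                Wtrealm = audience,           // sent to ADFS; must equal the relying-party identifier
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = audience  // reject tokens issued for some other relying party
                }
            });
        }

        // Web API: every request must carry "Authorization: Bearer <JWT>". No cookie,
        // no redirect and no session; the token is validated on each call. This middleware
        // understands JWTs only, so the relying party must be set up to issue them.
        static void ConfigureWebApiAuth(IAppBuilder app, string metadata, string audience)
        {
            app.UseActiveDirectoryFederationServicesBearerAuthentication(
                new ActiveDirectoryFederationServicesBearerAuthenticationOptions
                {
                    MetadataEndpoint = metadata,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidAudience = audience
                    }
                });
        }
    }
}
```

The split via app.Map is the part that answers the asker's "how does the browser know where to go" question: with only the bearer middleware registered, nothing in the pipeline ever redirects, so a browser hitting an [Authorize] page just sees the 401. With the WS-Federation middleware in front of the pages, that same 401 is turned into the redirect to ADFS, and the cookie middleware keeps the resulting session. Keeping the two pipelines on separate paths also prevents the API branch from ever accepting a session cookie in place of a token.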


As Vittorio said, you need to differentiate whether you are creating a web page with a web API, or a web API only. Follow his blog posts, they are great!

If you are hosting your webapi project in IIS only, you need to set up authentication for "forms authentication". This also works if your web api is behind the Web Application Proxy. Make sure you configured the endpoint (published web application) not for pre-authentication: the value for "preauthenticate" must be pass.



bg Andrej

+1

