The objective of this hands-on lab is to explore some extensibility options of Windows Identity Foundation.
For integrity and confidentiality, SessionAuthenticationModule uses the functions CryptProtectData and CryptUnprotectData from Windows Data Protection (DPAPI). The keys generated depend on the current user, which means that the solution is unsuitable for web farm scenarios: a session cookie protected on one machine cannot be read on another.
Modify the relying party created before so that the token is signed and encrypted using RSA with the certificate (and associated private key) configured below the <serviceCertificate> configuration element:
1. Subscribe to the FederatedAuthentication.ServiceConfigurationCreated event and replace SessionSecurityTokenHandler with one with a new list of transforms: DeflateCookieTransform, RsaEncryptionCookieTransform, RsaSignatureCookieTransform.
2. Configure the <serviceCertificate> element with the certificate.
On ASP.NET WebForms, WIF provides two controls, FederatedPassiveSignIn and FederatedPassiveSignInStatus, similar to Login and LoginStatus. They allow the use of federated identity with the same workflow as forms authentication.
Modify the relying party created before to use these controls:
1. Undo the changes made by FedUtil to the <authentication> and <authorization> elements in Web.config, so that forms authentication is used and only the “Account” folder requires authentication.
2. Add the WIF assembly to the list of assemblies with controls.
3. Replace the LoginStatus control in the master page and the Login control in the login page.
4. Comment out the registration of the WSFederationAuthenticationModule.
5. Add a reply attribute to <wsFederation> with the value https://www.rp.ciws:8443/Account/Login.aspx.
On ASP.NET MVC, the programmer must implement actions to redirect the user to the identity provider.
1. Create an MVC relying party similar to the one created in WebForms and configure IIS.
2. Replace the LogOn action of the Account controller with one that redirects the user. See the CreateSignInRequest method from FAM.
3. Replace the LogOff action with one that clears WIF’s cookies. See the SignOut method from FAM.
A relying party can use the whr parameter to indicate to which identity provider the federation provider should redirect the user. You can change this value in the FAM’s RedirectingToIdentityProvider event, or you can explicitly create SignInRequestMessages.
On the login page of the relying party created before:
1. Add a drop-down list with the names of the identity providers.
2. Add a submit button that redirects the user to the federation provider. See the CreateSignInRequest method from FAM.
For ASP.NET MVC, since from the last section we are already creating an instance of SignInRequestMessage, we can set the value of its HomeRealm property.
WIF allows the definition of custom authentication and authorization managers for claims transformation and access control.
1. Create new classes derived from ClaimsAuthenticationManager and ClaimsAuthorizationManager.
2. Register the created types with the <claimsAuthenticationManager> and <claimsAuthorizationManager> elements.