Hands-on Lab 3

The objective of this hands-on lab is to explore some extensibility options of Windows Identity Foundation.

Support NLB scenarios

For integrity and confidentiality, SessionAuthenticationModule protects the session cookie with a ProtectedDataCookieTransform, which calls the Windows Data Protection API (DPAPI) functions CryptProtectData and CryptUnprotectData. The DPAPI keys are tied to the local machine and to the identity under which the application pool runs, so a cookie protected on one node cannot be read on another. This makes the default unsuitable for web farm (NLB) scenarios.

Modify the relying party created before so that the token is signed and encrypted using RSA with the certificate (and associated private key) configured below the <serviceCertificate> configuration element:
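As an added example (not the lab's own code), the following Global.asax.cs targets WIF 3.5 (Microsoft.IdentityModel) and swaps the DPAPI transform for RSA encryption and signature transforms keyed by the certificate configured under <serviceCertificate>. The handler and class names are my own; the WIF types and the ServiceConfigurationCreated event are the real API.

```csharp
// Added example (not part of the lab's own code): Global.asax.cs of the relying party,
// targeting WIF 3.5 (Microsoft.IdentityModel). It replaces the default DPAPI-based
// cookie protection with RSA transforms keyed by the configured service certificate.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Raised once, when WIF builds its ServiceConfiguration from the
        // <microsoft.identityModel> section of web.config.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // The certificate configured under <service><serviceCertificate>. Every node in
        // the farm must hold the same certificate with its private key, and the
        // application pool identity needs read access to that private key.
        X509Certificate2 cert = e.ServiceConfiguration.ServiceCertificate;
        if (cert == null || !cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "A service certificate with a private key is required for RSA cookie protection.");
        }

        // Transforms run in this order when the cookie is written (and in reverse when it
        // is read): compress, then encrypt, then sign, so the signature covers the ciphertext.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        };

        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());

        // Replace the default SessionSecurityTokenHandler (and its DPAPI transform) in the
        // handler collection that the SessionAuthenticationModule uses.
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```

Check the result by signing in on one node and then forcing the next request onto another node: the session cookie must still be accepted. If a node lacks the private key the cookie fails to decrypt and the user is redirected to the identity provider again. In WIF 4.5 (System.IdentityModel) the equivalent hook is FederatedAuthentication.FederationConfigurationCreated, with the handlers under e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers.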

Explicit authentication

Option 1: ASP.NET WebForms

On ASP.NET WebForms, WIF provides two controls, FederatedPassiveSignIn and FederatedPassiveSignInStatus, analogous to the Login and LoginStatus controls of forms authentication. They let a page trigger federated sign-in and sign-out explicitly, with the same workflow as forms authentication, instead of relying on the passive redirect that the WSFederationAuthenticationModule performs when it sees an unauthenticated request.

Modify the relying party created before to use these controls:

Option 2: ASP.NET MVC

On ASP.NET MVC there are no server controls, so the programmer implements controller actions that build the WS-Federation sign-in request and redirect the user to the identity provider.

Home realm selection

Option 1: ASP.NET WebForms

A relying party can use the whr parameter to tell the federation provider which identity provider it should redirect the user to. You can set this value in the RedirectingToIdentityProvider event of the WSFederationAuthenticationModule (FAM), or you can create SignInRequestMessage instances explicitly and set their HomeRealm property.

On the login page of the relying party created before:
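As an added example (not the lab's own code), this Global.asax.cs for WIF 3.5 sets whr in the FAM's RedirectingToIdentityProvider event. It assumes the FAM is registered in web.config under the name WSFederationAuthenticationModule (so ASP.NET wires the handler by its name), that the login page passes the user's choice as a query parameter named idp, and that the two home realm identifiers are placeholders for the ones the federation provider actually knows.

```csharp
// Added example (not part of the lab's own code): Global.asax.cs of the relying party,
// targeting WIF 3.5. It sets HomeRealm (the whr parameter) on the sign-in request that the
// WSFederationAuthenticationModule (FAM) issues when it redirects to the federation provider.
using System;
using System.Collections.Generic;
using System.Web;
using Microsoft.IdentityModel.Web;

public class Global : HttpApplication
{
    // Assumption: the home realm identifiers the federation provider knows about, keyed by
    // the short name the login page shows. Only values from this allowlist are forwarded,
    // so a crafted link cannot steer the user to an identity provider we do not trust.
    private static readonly Dictionary<string, string> KnownHomeRealms =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "contoso", "urn:federation:contoso" },   // assumed identifier
            { "fabrikam", "urn:federation:fabrikam" }  // assumed identifier
        };

    // ASP.NET hooks this method automatically for every HttpApplication instance because
    // its name is <module name>_<event name> and the module is registered in web.config as
    // "WSFederationAuthenticationModule". Subscribing in Application_Start instead would only
    // reach the module instance of the one HttpApplication that ran Application_Start.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // Assumption: the login page passes the user's choice as ?idp=<name>.
        string choice = HttpContext.Current.Request.QueryString["idp"];

        string homeRealm;
        if (!string.IsNullOrEmpty(choice) && KnownHomeRealms.TryGetValue(choice, out homeRealm))
        {
            // HomeRealm is serialised as the whr query parameter of the redirect.
            e.SignInRequestMessage.HomeRealm = homeRealm;
        }
        // Otherwise leave HomeRealm unset: the federation provider then shows its own
        // home realm discovery page.
    }
}
```

The allowlist is the security-relevant part: whr is attacker-influenceable whenever it is derived from the request, so never copy it through verbatim.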

Option 2: ASP.NET MVC

For ASP.NET MVC, since the previous section already creates an instance of SignInRequestMessage explicitly, we can simply set its HomeRealm property before issuing the redirect.
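As an added example (not the lab's own code) covering both the explicit sign-in action and home realm selection for MVC, the controller below targets WIF 3.5 and ASP.NET MVC 2. The controller and action names, the idp query parameter and the home realm identifiers are my assumptions; CreateSignInRequest, SignInRequestMessage and WriteQueryString are the real WIF API.

```csharp
// Added example (not part of the lab's own code): an MVC controller for the relying party,
// targeting WIF 3.5 and ASP.NET MVC 2. Login builds the WS-Federation sign-in request
// explicitly and, when a known home realm is chosen, sets HomeRealm (whr) on it.
using System;
using System.Collections.Generic;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.Web;

public class AccountController : Controller
{
    // Assumption: home realm identifiers the federation provider knows about, keyed by the
    // short name the UI shows. Nothing outside this allowlist is ever sent as whr.
    private static readonly Dictionary<string, string> KnownHomeRealms =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "contoso", "urn:federation:contoso" },   // assumed identifier
            { "fabrikam", "urn:federation:fabrikam" }  // assumed identifier
        };

    // GET /Account/Login?returnUrl=/Orders&idp=contoso
    public ActionResult Login(string returnUrl, string idp)
    {
        WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;

        // Only return into this application after sign-in; an absolute URL here would turn
        // the login action into an open redirect.
        string safeReturnUrl = IsLocalUrl(returnUrl) ? returnUrl : "/";

        // CreateSignInRequest fills Issuer, Realm, Reply and the wctx return-URL context from
        // the <wsFederation> configuration and returns a SignInRequestMessage we can adjust.
        SignInRequestMessage signIn = fam.CreateSignInRequest(Guid.NewGuid().ToString(), safeReturnUrl, false);

        string homeRealm;
        if (!string.IsNullOrEmpty(idp) && KnownHomeRealms.TryGetValue(idp, out homeRealm))
        {
            signIn.HomeRealm = homeRealm;   // serialised as the whr query parameter
        }

        // WriteQueryString produces the full redirect URL to the identity provider.
        return Redirect(signIn.WriteQueryString());
    }

    // GET /Account/Logout
    public ActionResult Logout()
    {
        // Drops the local session cookie only. Signing the user out at the identity
        // provider as well requires a separate wsignout1.0 request to the issuer.
        FederatedAuthentication.SessionAuthenticationModule.SignOut();
        return Redirect("/");
    }

    // Constructed helper: accept only application-relative paths (no scheme, no host,
    // and no protocol-relative "//host" or "/\host" forms).
    private static bool IsLocalUrl(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url.StartsWith("/")
            && !url.StartsWith("//")
            && !url.StartsWith("/\\");
    }
}
```

The Login action must be reachable anonymously (the FAM's passive redirect would otherwise intercept it), so keep it outside any [Authorize] filter, and keep passiveRedirectEnabled="false" in the <wsFederation> element if every sign-in is to go through this action.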

Managers

WIF allows the definition of custom managers: a ClaimsAuthenticationManager, which transforms the incoming claims (for example, adding application-specific claims) once per sign-in before the session is created, and a ClaimsAuthorizationManager, which performs access control on resource and action pairs.
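As an added example (not the lab's own code), the following WIF 3.5 code shows one implementation of each manager and how application code consults the authorization manager. The class names, the "Manager" role, the Order resource and the in-memory user list are my assumptions, constructed for illustration; the base classes, AuthorizationContext and ClaimsPrincipalPermission are the real WIF API.

```csharp
// Added example (not part of the lab's own code), targeting WIF 3.5: a claims
// transformation step, an access-control step, and the way application code uses it.
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Runs once per sign-in, after the incoming token is validated and before the session
// cookie is written. Whatever it adds is persisted in that cookie, so a role revoked in
// the user store only disappears at the next sign-in (or after the session expires).
public class RoleLookupAuthenticationManager : ClaimsAuthenticationManager
{
    // Assumption: stand-in for the application's own user store (constructed data).
    private static readonly string[] Managers = { "alice@contoso.com" };

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        IClaimsIdentity identity = incomingPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return incomingPrincipal;   // anonymous request: nothing to transform
        }

        // Roles are an application decision here, so do not honour role claims minted by
        // the identity provider: strip them and derive roles from our own data instead.
        foreach (Claim role in identity.Claims.Where(c => c.ClaimType == ClaimTypes.Role).ToList())
        {
            identity.Claims.Remove(role);
        }

        Claim email = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Email);
        if (email != null && Managers.Contains(email.Value, StringComparer.OrdinalIgnoreCase))
        {
            // Mark the claim as locally issued so it is distinguishable from IdP claims.
            identity.Claims.Add(new Claim(ClaimTypes.Role, "Manager", ClaimValueTypes.String, "LOCAL AUTHORITY"));
        }
        return incomingPrincipal;
    }
}

// Consulted by ClaimsPrincipalPermission (and by ClaimsAuthorizationModule, if registered):
// decides whether the principal may perform the given action on the given resource.
public class OrdersAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
        string action = context.Action.Select(c => c.Value).FirstOrDefault();
        bool authenticated = context.Principal.Identity.IsAuthenticated;
        bool isManager = authenticated && context.Principal.IsInRole("Manager");

        if (resource == "Order" && action == "Delete") return isManager;
        if (resource == "Order" && action == "Read") return authenticated;
        return false;   // deny by default: unknown resource/action pairs are never allowed
    }
}

public class OrderService
{
    public void DeleteOrder(int orderId)
    {
        // Throws SecurityException unless OrdersAuthorizationManager.CheckAccess returns true
        // for ("Order", "Delete") and the current thread principal.
        ClaimsPrincipalPermission.CheckAccess("Order", "Delete");
        // ... delete the order (application logic, omitted) ...
    }
}
```

Both classes are registered in web.config under <microsoft.identityModel><service> with <claimsAuthenticationManager type="..."/> and <claimsAuthorizationManager type="..."/>. If the ClaimsAuthorizationModule is also registered, CheckAccess is additionally invoked for every request with the request URL as the resource and the HTTP verb as the action, which is why the manager above denies anything it does not recognise.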