
I have an existing MVC Application that uses ADFS 2.0 to issue claims.

The Claims are issued by a database NOT active directory groups and therefore are not using the ClaimTypes.Role namespace (I could probably edit this so that they do).

In any case I need to write some kind of transformation (possibly in an HttpModule, because I think an action filter would be too late in the request process) that would take the "my-namespace:Administrator" claim, if it exists, and turn it into a role that can be tested in the elmah section of my web.config. I'm assuming all I need is to get the claim to work with the IsInRole method of the ClaimsPrincipal:

<location path="elmah">
  <system.web>
    <authorization>
      <allow roles="Administrator"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Or is it just easier to set up a route constraint that checks the claim I currently get back from ADFS?

Peter

1 Answer


I ended up writing an action filter:

using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

public class ElmahRequestAuthorizationFilter : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Child actions render inside a request that has already been authorized.
        if (filterContext.IsChildAction) return;

        var controller = filterContext.RouteData.Values["controller"] as string;

        // Only guard the elmah controller; every other controller passes through.
        if (controller != null && controller.ToLowerInvariant() != "elmah") return;

        var authenticationComponent = GetAuthenticationInfo(); // A method that will return us roles

        var goodRoles = new List<string> {
            "TestRole",
            "ThirdLevelSupport",
            "Administrator"
        };

        var roles = authenticationComponent.Roles ?? new List<string>();

        var thouShaltPass = roles.Intersect(goodRoles).Any();

        // Answer 404 rather than 403 so the endpoint's existence is not revealed.
        if (!thouShaltPass)
        {
            throw new HttpException(404, "Not Found");
        }
    }
}

Peter