4

We have multitenant asp.net MVC web site which supports multiple partners. Currently we are using forms authentication to authenticate users. Now some of the partners have asked for single sign on support with SAML.

I did quick POC to test it against “Thinktecture” identity provider. All I did was to install “Identity and access” extension for VS 2012 and configure the identity provider. I noticed that the extension added configuration settings like URL of the IP and realm in the web.config file. It also added “WSFederationAuthenticationModule” module to handle the authentication. This module was handling all the redirects and the validation of response behind the scene.

In my case since we will have multiple identity providers, depending upon the partner, I will be choosing the Identity provider. The URLs of the different IPs will be stored in the database. I cannot list all the IPs in web.config. Hence I need mechanism in which I can redirect user to appropriate IP URL and once the IP posts back the result, verify the result and retrieve user information through claims. I don’t want to do the XML parsing of the result and validate the response, but just want to call methods in “WSFederationAuthenticationModule” to do the heavy duty work. But I am not sure which methods will be useful for me. Can somebody help me out or list of the sequence of methods I need to execute to achieve this?

Amey
  • 1,216
  • 18
  • 28

1 Answers1

3

Take a look at my simple example

http://www.wiktorzychla.com/2014/11/simplest-saml11-federated-authentication.html

The trick is not to have the WSFam module in the pipleline but rather use its api to trigger redirects and consume responses. If you follow my code, you'll see there are two clauses

 // wsfed response or not
 if ( !fam.IsSignInResponse(...) )
    // redirect to provider
 else
    // create local config and validate the incoming token

This simple example is perfectly suitable for multitenant scenario, in fact we use ws-fed daily in multitenant environment and most clients are based on this core approach.

Namely, creating the SecurityTokenHandlerConfiguration programatically in the branch that consumes the response gives you total control over how you validate tokens for different tenants.

Wiktor Zychla
  • 47,367
  • 6
  • 74
  • 106
  • Thanks for the link. It was really helpful. One more thing I wanted to check with you was the certification/toke validation process. In your blog you have given a sample implementation of "IssuerNameRegistry" interface. Can you please elaborate what should be included in the concrete implementation? – Amey Sep 21 '15 at 12:22
  • @Amey: answered below my blog post. If you need more details, drop a note here. – Wiktor Zychla Sep 21 '15 at 17:32
  • I just wanted to say thanks a LOT for this answer. You deserve many upvotes. – mghaoui Aug 21 '17 at 16:09