
I am new to Windows Identity Framework. My organization has multiple environments that make use of different 'authority' and 'endpoint' names. My application can detect the environment at runtime. I've looked through the WIF documentation and through stackoverflow and am not, thus far, able to find anything that I can use to help me with this problem.

The example below works in my localhost environment:

    <add key="ida:FederationMetadataLocation" value="https://test.login.mycompany.com/FederationMetadata/2007-06/FederationMetadata1.xml" />
    <add key="ida:Realm" value="https://localhost/webapp" />
    <add key="ida:AudienceUri" value="https://localhost/webapp/" />

In my development environment the same section needs to be:

    <add key="ida:FederationMetadataLocation" value="https://dev.login.mycompany.com/FederationMetadata/2007-06/FederationMetadata1.xml" />
    <add key="ida:Realm" value="https://dev.mycompany.com/webapp" />
    <add key="ida:AudienceUri" value="https://dev.mycompany.com/webapp/" />

I also need to make similar changes to the AudienceURIs and the federationConfiguration.

Here is the full localhost web.config:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <configSections>
        <!--Added for Windows Identity Framework -->
        <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
        <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
        <!--END: Added for Windows Identity Framework -->
      </configSections>

      <appSettings>
        <!--Added for Windows Identity Framework -->
        <add key="ida:FederationMetadataLocation" value="https://test.login.mycompany.com/FederationMetadata/2007-06/FederationMetadata1.xml" />
        <add key="ida:Realm" value="https://localhost/webapp" />
        <add key="ida:AudienceUri" value="https://localhost/webapp/" />
        <!--END: Added for Windows Identity Framework -->
      </appSettings>
      <system.web>
        ...
      </system.web>
      <system.webServer>
        <!--Added for Windows Identity Framework -->
        <modules>
          <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
          <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
        </modules>
        <!--END: Added for Windows Identity Framework -->
      </system.webServer>
      <runtime>
        <assemblyBinding ...
        </assemblyBinding>
      </runtime>

      <!--Added for Windows Identity Framework -->
      <system.identityModel>
        <identityConfiguration>
          <audienceUris>
            <add value="https://localhost/webapp" />
            <add value="https://localhost/webapp/FederationResult/" />
          </audienceUris>
          <securityTokenHandlers>
            ...
          </securityTokenHandlers>
          <certificateValidation certificateValidationMode="None" />
          <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="http://test.login.mycompany.com/adfs/services/trust">
              <keys>
                <add thumbprint="123320493" />
              </keys>
              <validIssuers>
                <add name="http://test.login.mycompany.com/adfs/services/trust" />
              </validIssuers>
            </authority>
          </issuerNameRegistry>
        </identityConfiguration>
      </system.identityModel>

      <system.identityModel.services>
        <federationConfiguration>
          <wsFederation
            issuer="https://test.login.mycompany.com/adfs/ls/"
            realm="https://localhost/webapp/"
            reply="https://localhost/webapp/"
            passiveRedirectEnabled="true"
            requireHttps="true" />
          <cookieHandler name="LocalFedAuthRounding" requireSsl="true" />
        </federationConfiguration>
      </system.identityModel.services>
      <!--END: Added for Windows Identity Framework -->

    </configuration>

Does the WIF provide methods to do this? I've looked through the documents and can't figure out how to make these changes.

Thanks, Matt

2 Answers


The identity and access tool from Visual Studio only allows for one "authority" at a time. If you want a different authority per environment (say your site is deployed in TST, acceptance and production) then you will need to consider web config transforms at deploy time to configure the correct authority. However, if you need to accept security tokens from multiple authorities in the same deployed website, then you need to manually merge the section for system.IdentityModel into one. WIF supports this (it will try each option one by one) but IDA doesn't. The system.identityModel.Services part is trickier since that is where you tell WIF how to do a redirect for a passive login scenario. That part you will need to do manually in code. It's not that hard. After all, you just need to redirect to a cleverly composed URL. You can also use something like Windows Azure ACS or Thinktecture Identity Server to shield the different identity providers from your application. Identity providers (authorities in your parlance) then get added at the STS level and your app just trusts the STS. Also, do not forget the signout, which should be redirected to the same identity provider you used to log in in the first place.

  • I'm not able to change the configuration at deploy. I deploy to one environment and then move from that environment to the rest without a redeploy. I think I need to do something in the code to point to a different web.config for each environment. Alternatively, there must be some way to do this in the code... – Matthew David Jankowski Sep 16 '15 at 18:19


I answered a very similar question just recently, but since the answer hasn't been accepted, I can't make your question a duplicate of that one:

Authentication against multiple identity providers using WSFederationAuthenticationModule for asp.net

Basically, you do everything in a few lines of code instead of relying on the static configuration.

– Wiktor Zychla
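Both answers say the per-environment parts (the wsFederation redirect settings, audience URIs and trusted issuer) can be set in code rather than in static web.config sections. The Global.asax below is an added example, not code from the question or either answer: it hooks WIF's FederationConfigurationCreated event (System.IdentityModel.Services, .NET 4.5) and fills in the settings from a lookup table built from the question's values. It assumes an environment variable named MYAPP_ENV as the environment signal, and that the dev ADFS endpoint lives on the same host as the dev federation metadata in the question; the thumbprint is the question's placeholder value.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Configuration;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.IdentityModel.Tokens;
using System.Web;

public class Global : HttpApplication
{
    // PassiveEndpoint: .../adfs/ls/ (sign-in and sign-out redirects); IssuerName: .../adfs/services/trust
    // (issuer the token must name); SigningThumbprint: STS token-signing cert; AppUrl: realm, reply, audience.
    private sealed class Sts { public string PassiveEndpoint, IssuerName, SigningThumbprint, AppUrl; }

    // Values mirror the question's web.config; the thumbprint is the question's placeholder and the
    // dev ADFS endpoint is an assumption (same host as the dev federation metadata).
    private static readonly Dictionary<string, Sts> StsByEnvironment =
        new Dictionary<string, Sts>(StringComparer.OrdinalIgnoreCase)
    {
        { "localhost", new Sts { PassiveEndpoint = "https://test.login.mycompany.com/adfs/ls/",
            IssuerName = "http://test.login.mycompany.com/adfs/services/trust",
            SigningThumbprint = "123320493", AppUrl = "https://localhost/webapp/" } },
        { "dev", new Sts { PassiveEndpoint = "https://dev.login.mycompany.com/adfs/ls/",
            IssuerName = "http://dev.login.mycompany.com/adfs/services/trust",
            SigningThumbprint = "123320493", AppUrl = "https://dev.mycompany.com/webapp/" } },
    };

    protected void Application_Start(object sender, EventArgs e)
    {
        // WIF raises this once, lazily, when it first builds its FederationConfiguration.
        FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
    }

    private static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        // The environment signal is a machine-level setting fixed at provisioning time (name assumed),
        // never something taken from the incoming request, so a client cannot choose which STS is trusted.
        string env = Environment.GetEnvironmentVariable("MYAPP_ENV") ?? "localhost";
        Sts sts = StsByEnvironment[env]; // unknown environment throws: fail closed, no default STS

        // Replaces <federationConfiguration>/<wsFederation>; the same Issuer is used for sign-out.
        WsFederationConfiguration ws = e.FederationConfiguration.WsFederationConfiguration;
        ws.Issuer = sts.PassiveEndpoint;
        ws.Realm = sts.AppUrl;
        ws.Reply = sts.AppUrl;
        ws.PassiveRedirectEnabled = true;
        ws.RequireHttps = true;

        // Replaces <audienceUris> and <issuerNameRegistry>: a token is accepted only if it is signed by
        // the pinned thumbprint and addressed to this application.
        IdentityConfiguration id = e.FederationConfiguration.IdentityConfiguration;
        id.AudienceRestriction.AllowedAudienceUris.Clear();
        id.AudienceRestriction.AllowedAudienceUris.Add(new Uri(sts.AppUrl));
        id.AudienceRestriction.AllowedAudienceUris.Add(new Uri(sts.AppUrl + "FederationResult/"));
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(sts.SigningThumbprint, sts.IssuerName);
        id.IssuerNameRegistry = registry;
    }
}
```

The web.config sections in the question can then be left with any one environment's values (or removed), since everything WIF reads at token-validation and redirect time is overwritten here before the first request is processed.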