
I am attempting to build an ASP.NET 4.7 app (v4.5 WIF) using claims-based authentication against our internal STS server. We have older working .NET apps (< 4.5) that can successfully get claims.

The issue is that the new app never contacts the STS server.


I surmise the failure is in how I am setting up the federation web.config vs. the old one. Here is my latest config, which does not work, followed by a config that works using the old identity process (WIF 3.5).

V4.0 WIF web.config (New 4.7 project)
<system.identityModel>
    <identityConfiguration>
        <audienceUris>
            <add value="urn:jabberwocky" />
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
            <trustedIssuers>
                <add thumbprint="{MyThumbprint}" name="https://{MyIssuerURL}" />
            </trustedIssuers>
        </issuerNameRegistry>
        <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
    <federationConfiguration>
        <cookieHandler requireSsl="false" />
        <wsFederation passiveRedirectEnabled="true"
                        issuer="https://{MySTSUrl}"
                        realm="urn:jabberwocky"
                        reply="http://localhost:44301/"
                        requireHttps="true" />
    </federationConfiguration>
</system.identityModel.services>
V3.5 WIF web.config (Old 4.0 project)
<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="urn:Jabberwocky" />
    </audienceUris>
    <certificateValidation certificateValidationMode="None" />
    <claimsAuthenticationManager type="{Namespace}.MyAuthenticationManager, {Namespace}" />
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" 
                    issuer="https://{MySTSUrl}" 
                    requireHttps="true" 
                    realm="urn:Jabberwocky" />
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="{MyThumbprint}" name="https://{MyIssuerURL}" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>

  • I know it does not hit the STS server because I use an invalid audienceUris value as a test, and I don't get rejected by the server as I would in the old project.
  • I sense it has something to do with the federatedAuthentication element that is present in the old config but not found in the new.
ΩmegaMan
    If you want to control what's going on, I suggest switching to programmatic approach. Take a look at my tutorial https://www.wiktorzychla.com/2014/11/simplest-saml11-federated-authentication.html As for your current config, make sure both SAM and FAM modules are there too. – Wiktor Zychla Aug 08 '21 at 19:27
  • @WiktorZychla put that suggestion as an answer, and I will mark it as such. As I noted on your website, I needed both FAM and SAM. – ΩmegaMan Aug 24 '21 at 16:51
  • As for your comment under my blog entry, the FAM isn't required in the web.config if you follow my programmatic approach. It's only required in web.config for static, declarative approach as yours. – Wiktor Zychla Aug 24 '21 at 17:21
  • Gotcha, its only relevant if one is doing it non-programmatically. – ΩmegaMan Aug 24 '21 at 17:23

2 Answers

As for your current config, make sure both SAM and FAM modules are there.


If you want to control what's going on, I suggest switching to programmatic approach. Take a look at my tutorial.

Wiktor Zychla
  • Did you ever attempt a WIF WS-Fed as an OWIN operation? – ΩmegaMan Aug 24 '21 at 17:28
  • You mean the .AddWsFederation(...)? Or write a custom middleware? – Wiktor Zychla Aug 24 '21 at 17:32
  • Yes, I attempted an OWIN operation but had to revert back to WIF. – ΩmegaMan Aug 24 '21 at 17:33
  • We have mostly multitenant apps where each tenant has its own wsfed configuration. This is a breeze with WIF. However, despite two attempts, we still had some problems switching to OWIN in this scenario. We stick with WIF for now and I consider writing my own OWIN middleware someday when it's gonna be required and there still be issues. – Wiktor Zychla Aug 24 '21 at 17:39

I ended up having this in my web.config

<system.webServer>
    <modules>
        <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
        <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    </modules>
</system.webServer> 
ΩmegaMan
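The question's `<system.identityModel*>` sections and the accepted answer's `<modules>` block, put together as one complete web.config for the 4.5+ (System.IdentityModel) stack. This is an added example, not configuration posted by the asker or by either answer. The brace placeholders ({MyThumbprint}, {MySTSUrl}, {MyIssuerURL}) and the realm urn:jabberwocky are carried over from the question; the `<configSections>` registration, the `<authentication>`/`<authorization>` elements, the targetFramework values and the https reply URL (port 44301 read as the IIS Express HTTPS port) are assumptions about a typical passive-federation setup.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: complete passive WS-Federation web.config for WIF 4.5+.
     Values in braces are the question's placeholders; everything outside the two
     system.identityModel sections and the modules block is an assumed typical setup. -->
<configuration>
  <configSections>
    <!-- The 4.5 WIF sections must be registered here; they are not part of the
         default config schema, so these two entries are required before the
         system.identityModel elements further down can be parsed. -->
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <section name="system.identityModel.services"
             type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>

  <system.web>
    <compilation targetFramework="4.7" />
    <httpRuntime targetFramework="4.7" />
    <!-- Forms/Windows authentication is switched off; the WS-Federation module owns sign-in. -->
    <authentication mode="None" />
    <!-- Denying anonymous users produces the 401 that the FAM converts into the
         redirect to the STS. Without a deny rule nothing ever triggers the redirect. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <system.webServer>
    <modules>
      <!-- FAM: issues the sign-in redirect and consumes the token the STS POSTs back.
           SAM: converts the validated claims into the session cookie so later requests
           skip the STS. Both must be present; this is what the asker found missing. -->
      <add name="WSFederationAuthenticationModule"
           type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
           preCondition="managedHandler" />
      <add name="SessionAuthenticationModule"
           type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>

  <system.identityModel>
    <identityConfiguration>
      <!-- A token is accepted only if its AudienceRestriction names this value. -->
      <audienceUris>
        <add value="urn:jabberwocky" />
      </audienceUris>
      <!-- Trust in the STS is pinned to the thumbprint of its token-signing certificate. -->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="{MyThumbprint}" name="https://{MyIssuerURL}" />
        </trustedIssuers>
      </issuerNameRegistry>
      <!-- "None" skips chain and revocation checks on the signing certificate, so the
           thumbprint pin above is the only control against a forged token. Keep that
           list current when the STS rotates its signing certificate. -->
      <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
  </system.identityModel>

  <system.identityModel.services>
    <federationConfiguration>
      <!-- requireSsl="true" marks the session cookie Secure; it then pairs with an
           https reply URL, otherwise the browser never returns the cookie. -->
      <cookieHandler requireSsl="true" />
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://{MySTSUrl}"
                    realm="urn:jabberwocky"
                    reply="https://localhost:44301/"
                    requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
```

Two checks worth running once this is in place. First, confirm the FAM actually loaded: `FederatedAuthentication.WSFederationAuthenticationModule` is populated when the module initialises, so a null there at runtime means the `<modules>` registration did not take (a different section, or a module name that IIS dropped). Second, repeat the asker's own diagnostic of putting a deliberately wrong value in `audienceUris`: with both modules wired, the browser should now be redirected to the STS and the returned token should be rejected by the audience restriction instead of the request passing through untouched. Note too that the realm and the `audienceUris` entry have to match exactly what the STS writes into the token's audience; the old 3.5 config on this page used `urn:Jabberwocky` with a capital J, and the new one uses `urn:jabberwocky`, which is the kind of difference that is easy to miss once redirects do start working.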