Reputation: 466
I have a requirement to add an STS (security token service) to an ASP.NET WebForms website. The main issue is that I need to add a claim for the roles after authentication takes place, as the identity provider does not have the role information.
I have implemented the CustomSecurityTokenService in a local STS using code similar to the below. This code works as expected; however, I need to add the bit under the comment "get roles for user here" later in the process.
```csharp
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Inside CustomSecurityTokenService (derives from SecurityTokenService)
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
    // Get the incoming identity
    IClaimsIdentity callerIdentity = (IClaimsIdentity)principal.Identity;

    // Issue custom claims.
    ClaimsIdentity outputIdentity = new ClaimsIdentity("Federation");
    var username = callerIdentity.Name;
    var domain = "DOMAIN";
    outputIdentity.Claims.Add(new Claim(ClaimTypes.Name, callerIdentity.Name));
    outputIdentity.Claims.Add(new Claim(ClaimTypes.WindowsAccountName, string.Format("{0}\\{1}", domain, username)));

    // get roles for user here: (hard-coded for now; the real role source is outside the IdP)
    var roles = "Admin";
    string[] rolelist = roles.Split(',');
    foreach (var role in rolelist)
    {
        // Trim so a list like "Admin, Techies" does not yield a role named " Techies"
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, role.Trim()));
    }
    return outputIdentity;
}
```
The problem that I have is that I cannot get the roles at this time, as they are provided by a service outside of the identity provider. I need to wait until I go back to the RP (application) before I can get them; but by that time, the security settings in the web.config have locked me out due to my role settings.
```xml
<location path="Pages/Secure/Messages/Default.aspx">
  <system.web>
    <authorization>
      <allow roles="Admin, Tecchies"/>
    </authorization>
  </system.web>
</location>
```
I thought that I might be able to use an event in the global.asax, but as yet I have not been able to get any option here to work. Something like this code:
```csharp
// Service.GetUser is the external role service; it is not part of the identity provider
var currentUser = Service.GetUser(callerIdentity.Name);
foreach (var role in currentUser.Roles)
{
    outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, role));
}
```
I'm using .NET 4.0; although I understand that there may be some benefits to upgrading to 4.5, this is not an option for me at present.
I've spent an age on this, so any help gratefully received!
Upvotes: 1
Views: 2295
Reputation: 466
I ended up finding the answer after looking at this link and this link.
The one thing that I didn't get initially was that in order to use the ClaimsAuthenticationManager you need to add the extra line in your web.config in the <microsoft.identityModel><services> section to wire up the implementation.
Thus:
```xml
<claimsAuthenticationManager type="MyCustomClaimsAuthenticationManager" />
```
I wondered why my code was never being executed.
Upvotes: 1
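As an added example, not code from either post above: a ClaimsAuthenticationManager for WIF 1.0 (Microsoft.IdentityModel on .NET 4.0) that does what the question asks for, namely adding role claims at the relying party from a role store the identity provider knows nothing about. This is the class the answer's web.config line wires up. The external role lookup is the asker's hypothetical `Service` and is stubbed here with a constructed in-memory table; the namespace `MyApp.Security`, the assembly name `MyApp` and the issuer label `urn:myapp:rolestore` are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace MyApp.Security
{
    // Constructed stand-in for the external role service mentioned in the question;
    // a real implementation would call out to that service instead of this table.
    public static class Service
    {
        private static readonly Dictionary<string, string[]> Users =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice", new[] { "Admin" } },
                { "bob",   new[] { "Techies" } },
            };

        public static string[] GetRoles(string userName)
        {
            string[] roles;
            return Users.TryGetValue(userName, out roles) ? roles : new string[0];
        }
    }

    // Registered in web.config (assumed type name and assembly):
    //   <microsoft.identityModel>
    //     <service>
    //       <claimsAuthenticationManager type="MyApp.Security.RoleEnrichingClaimsAuthenticationManager, MyApp" />
    //     </service>
    //   </microsoft.identityModel>
    // WIF calls Authenticate at federated sign-in, after the STS token has been validated,
    // and the principal returned here is what gets written into the session cookie.
    public class RoleEnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        private const string RoleIssuer = "urn:myapp:rolestore"; // assumed issuer label

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || incomingPrincipal.Identity == null
                || !incomingPrincipal.Identity.IsAuthenticated)
            {
                // Anonymous requests pass through unchanged; <authorization> still denies them.
                return incomingPrincipal;
            }

            var identity = (IClaimsIdentity)incomingPrincipal.Identity;

            // Trust only this application's role store: remove any role claim the token
            // carried so an upstream issuer cannot hand the RP roles it did not decide on.
            // Materialise the list first; removing while enumerating the collection would throw.
            var tokenRoles = identity.Claims.Where(c => c.ClaimType == ClaimTypes.Role).ToList();
            foreach (var stale in tokenRoles)
            {
                identity.Claims.Remove(stale);
            }

            // Add the roles the RP's own store knows about, tagged with their issuer
            // so later code can tell them apart from claims that came in the token.
            foreach (var role in Service.GetRoles(identity.Name))
            {
                identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, RoleIssuer));
            }

            return incomingPrincipal;
        }
    }
}
```

The `<allow roles="..."/>` rules in web.config then work as expected, because WIF's claims principal answers `IsInRole` from `ClaimTypes.Role` claims. Two things worth knowing when using this: the `type` attribute should be the assembly-qualified name (`Namespace.Class, Assembly`) so WIF can resolve it, and in WIF 1.0's schema the containing element is `<service>`. Because the enriched principal is cached in the federated session cookie, a change in the external role store is only picked up when the user signs in again or the session is re-established.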