everfor

Reputation: 141

Programmatically configuring Microsoft.IdentityModel in an ASP.NET application not working - passive redirect enabled but never worked

I am developing a claims-based authentication app and wanted to move the Microsoft.IdentityModel configuration from the web.config file into my code so that I can manage the configuration dynamically.

This was the federatedAuthentication section contained in web.config:

<federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="trust" realm="real" requireHttps="false" />
    <cookieHandler requireSsl="true" />
</federatedAuthentication>

I have tried to attach an event handler in the Application_Start() method to implement the configuration in code instead of in the web.config file:

    protected void Application_Start()
    {
        // Hook the event WIF raises when it builds its ServiceConfiguration.
        FederatedAuthentication.ServiceConfigurationCreated += new EventHandler<ServiceConfigurationCreatedEventArgs>(FederatedAuthentication_ServiceConfigurationCreated);
    }

    private static void FederatedAuthentication_ServiceConfigurationCreated(Object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // Values that previously lived in <wsFederation> / <cookieHandler> in web.config.
        const string rpRealm = "realm";
        const bool requireSsl = false;
        const bool requireHttps = false;
        const bool passRedirect = true;
        const string issuer = "trust";

        ...

        // WS-Federation module settings applied from inside the configuration-created handler.
        FederatedAuthentication.WSFederationAuthenticationModule.PassiveRedirectEnabled = passRedirect;
        FederatedAuthentication.WSFederationAuthenticationModule.Issuer = issuer;
        FederatedAuthentication.WSFederationAuthenticationModule.Realm = rpRealm;
        FederatedAuthentication.WSFederationAuthenticationModule.RequireHttps = requireHttps;

        ...
    }

When I removed the configuration from the web.config file and built the code, the application did not redirect to the issuer URL even though the PassiveRedirectEnabled property was set to true.

By setting breakpoints I confirmed that the code above did run and did not throw any exceptions; however, the passive redirect never worked.

P.S. I was using WIF 3.5; the assembly imported was Microsoft.IdentityModel.dll.

Upvotes: 4

Views: 2942

Answers (2)

everfor

Reputation: 141

Thanks @jonho for your kind help! However, your code works in WIF 4.5, whereas I am working with WIF 3.5 and things are a little bit different here...

After researching around on the Internet and testing with my code, I came up with a working solution with the help of http://social.msdn.microsoft.com/forums/vstudio/en-US/41b9a137-faca-43c6-b965-01d5322df5f0/change-microsoftidentitymodel-configuration.

Just in case people might get stuck as I did, here's what I did:

  1. Add an event handler for when the ServiceConfiguration is created, and add the allowed audience and certificate information in the event handler:

    protected void Application_Start()
    {
        FederatedAuthentication.ServiceConfigurationCreated += 
                    new EventHandler<ServiceConfigurationCreatedEventArgs>(FederatedAuthentication_ServiceConfigurationCreated);
    }
    
    private static void FederatedAuthentication_ServiceConfigurationCreated(Object sender, ServiceConfigurationCreatedEventArgs e)
    {
        const string allowedAudience = "allowed_aud";
        const string certThumbprint = "thumb";
        const string certName = "name";
    
        var serviceConfiguration = new ServiceConfiguration();
    
        // Only tokens whose audience (AppliesTo) matches this URI are accepted.
        serviceConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(allowedAudience));
    
        // Map the STS signing certificate thumbprint to the issuer name used in claims.
        var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
        issuerNameRegistry.AddTrustedIssuer(certThumbprint, certName);
        serviceConfiguration.IssuerNameRegistry = issuerNameRegistry;
        // None: the signing certificate is not chain-validated; trust rests on the thumbprint registered above.
        serviceConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;
    
        e.ServiceConfiguration = serviceConfiguration;
    }
    
  2. Implement the Application_AuthenticateRequest() method for the ASP.NET application. Provide the issuer information there:

    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        // These constants were not declared in the original post; they mirror the ones in the question's code.
        const bool requireSsl = false;
        const string issuer = "trust";
        const string rpRealm = "realm";
        const bool passRedirect = true;
        const bool requireHttps = false;

        FederatedAuthentication.SessionAuthenticationModule.CookieHandler.RequireSsl = requireSsl;
        FederatedAuthentication.WSFederationAuthenticationModule.Issuer = issuer;
        FederatedAuthentication.WSFederationAuthenticationModule.Realm = rpRealm;
        FederatedAuthentication.WSFederationAuthenticationModule.PassiveRedirectEnabled = passRedirect;
        FederatedAuthentication.WSFederationAuthenticationModule.RequireHttps = requireHttps;
    }


This should be enough to make passive redirect work with an ASP.NET application in WIF 3.5.

Upvotes: 4
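The two steps of the answer above, combined into one complete Global.asax.cs for WIF 3.5 (Microsoft.IdentityModel.dll). This is an added example, not the poster's code: the values are read from `<appSettings>` instead of being hard-coded, the appSettings key names (`Wif.*`) are assumptions made for this example, start-up fails fast when a value is missing, and the thumbprint is normalised and length-checked before it is registered, since a thumbprint pasted with stray characters registers nothing and tokens are then rejected without an obvious cause.

```csharp
// Added example (not from the original post): WIF 3.5 configuration done in code.
// Assumed appSettings keys: Wif.Issuer, Wif.Realm, Wif.Audience,
// Wif.IssuerThumbprint, Wif.IssuerName, Wif.RequireHttps.
using System;
using System.Configuration;
using System.ServiceModel.Security;
using System.Text.RegularExpressions;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class Global : System.Web.HttpApplication
{
    // Read once at start-up so a bad value aborts the app instead of
    // leaving the modules half-configured.
    private static string _issuer;           // STS passive sign-in endpoint
    private static string _realm;            // wtrealm sent to the STS
    private static string _audience;         // accepted audience (AppliesTo) URI
    private static string _issuerThumbprint; // SHA-1 thumbprint of the STS signing cert
    private static string _issuerName;       // issuer name stamped into the claims
    private static bool _requireHttps;

    protected void Application_Start()
    {
        _issuer = ReadRequired("Wif.Issuer");
        _realm = ReadRequired("Wif.Realm");
        _audience = ReadRequired("Wif.Audience");
        _issuerThumbprint = NormalizeThumbprint(ReadRequired("Wif.IssuerThumbprint"));
        _issuerName = ReadRequired("Wif.IssuerName");
        _requireHttps = bool.Parse(ReadRequired("Wif.RequireHttps"));

        // Step 1 of the answer: audience, issuer registry and certificate
        // validation mode are supplied when WIF builds its ServiceConfiguration.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        var config = new ServiceConfiguration();
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(_audience));

        // Trust is pinned to one signing certificate: a token signed by any
        // other certificate has no issuer name and is rejected.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(_issuerThumbprint, _issuerName);
        config.IssuerNameRegistry = registry;

        // ChainTrust additionally validates the STS certificate against the
        // machine's trusted roots; the answer uses None, which relies on the
        // thumbprint pin alone (typical for self-signed dev certificates).
        config.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;

        e.ServiceConfiguration = config;
    }

    // Step 2 of the answer: the WS-Federation module properties are applied
    // per request here, not in Application_Start.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var wsfam = FederatedAuthentication.WSFederationAuthenticationModule;
        wsfam.Issuer = _issuer;
        wsfam.Realm = _realm;
        wsfam.RequireHttps = _requireHttps;
        wsfam.PassiveRedirectEnabled = true;

        // The session cookie follows the same transport policy as the sign-in.
        FederatedAuthentication.SessionAuthenticationModule.CookieHandler.RequireSsl = _requireHttps;
    }

    private static string ReadRequired(string key)
    {
        string value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrEmpty(value))
            throw new ConfigurationErrorsException("Missing appSettings key: " + key);
        return value;
    }

    // Thumbprints copied from the certificate UI often carry spaces or an
    // invisible leading character. Strip everything that is not hex and
    // insist on the 40 characters of a SHA-1 thumbprint.
    private static string NormalizeThumbprint(string raw)
    {
        string hex = Regex.Replace(raw, "[^0-9A-Fa-f]", string.Empty).ToUpperInvariant();
        if (hex.Length != 40)
            throw new ConfigurationErrorsException("Issuer thumbprint must be 40 hex characters (SHA-1)");
        return hex;
    }
}
```

Keeping the module settings in Application_AuthenticateRequest matches the accepted answer; the only behavioural differences from it are the fail-fast reads, the thumbprint check and the ChainTrust default, which you can drop back to None if the STS certificate is not chain-valid on the web server.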

jonho

Reputation: 1738

This is how I do it: create a FederationConfiguration object, set its WsFederationConfiguration properties, then assign the whole thing to the event args.

    // Namespaces typically needed (WIF 4.5): System.Collections.Generic, System.IdentityModel.Services,
    // System.IdentityModel.Tokens (ValidatingIssuerNameRegistry / IssuingAuthority), System.ServiceModel.Security.
    private static void FederatedAuthentication_FederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        //from appsettings...
        const string allowedAudience = "http://audience1/user/get";
        const string rpRealm = "http://audience1/";
        const string domain = "";
        const bool requireSsl = false;
        const string issuer = "http://sts/token/create";
        const string internalSts = "http://sts/"; // issuer name as it appears in tokens (placeholder; undefined in the original post)
        const string certThumbprint = "mythumbprint";
        const string authCookieName = "StsAuth";

        var federationConfiguration = new FederationConfiguration();
        // Only tokens whose audience matches this URI are accepted.
        federationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(allowedAudience));

        // Issuer name registry: maps the signing certificate thumbprint to the trusted issuer name.
        var issuingAuthority = new IssuingAuthority(internalSts);
        issuingAuthority.Thumbprints.Add(certThumbprint);
        issuingAuthority.Issuers.Add(internalSts);
        var issuingAuthorities = new List<IssuingAuthority> {issuingAuthority};

        var validatingIssuerNameRegistry = new ValidatingIssuerNameRegistry {IssuingAuthorities = issuingAuthorities};
        federationConfiguration.IdentityConfiguration.IssuerNameRegistry = validatingIssuerNameRegistry;
        // None: the signing certificate is not chain-validated; trust rests on the thumbprint registered above.
        federationConfiguration.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;

        // Session cookie settings; chunked so large claim sets fit within browser cookie size limits.
        var chunkedCookieHandler = new ChunkedCookieHandler {RequireSsl = false, Name = authCookieName, Domain = domain, PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0)};
        federationConfiguration.CookieHandler = chunkedCookieHandler;
        // WS-Federation passive sign-in parameters.
        federationConfiguration.WsFederationConfiguration.Issuer = issuer;
        federationConfiguration.WsFederationConfiguration.Realm = rpRealm;
        federationConfiguration.WsFederationConfiguration.RequireHttps = requireSsl;

        e.FederationConfiguration = federationConfiguration;
    }
Upvotes: 2
