Leverage Campus’ Security Token Service for Authentication and SSO

Many web applications provided by Campus Management have started using a custom Security Token Service (STS) for authentication. Authentication is no longer the responsibility of each application; the web apps rely on the STS to authenticate users. The custom STS built by Campus Management is built on top of Windows Identity Foundation (WIF) and has Single Sign-On (SSO) built in, so any web applications that rely on the same STS get SSO between them. These can be Campus Management's own web applications or custom web applications developed by Integration Services or even by clients. This post shows how your custom web application can use the STS provided by Campus Management for authentication.

What is STS?

A security token service (STS) is the service component that builds, signs, and issues security tokens according to the WS-Trust and WS-Federation protocols. It is possible to use a cloud STS such as the LiveID STS, a pre-built STS such as Active Directory® Federation Services (AD FS) 2.0, or, if you want to issue custom tokens or provide custom authentication or authorization, you can build your own custom STS using WIF. A typical federated authentication scenario has three main components: the claims-aware web application (the relying party), the STS, and the end user. The following diagram shows the relation between them:

[Diagram: ClaimsAwareApp]

  1. The web application is a claims-aware web application that trusts the STS. It uses WIF to identify unauthenticated requests and redirect them to the STS.
  2. The end user provides credentials to the STS, and the STS authenticates the user.
  3. Upon successful authentication the STS generates a signed token for the user.
  4. The user is redirected back to the claims-aware web app with the token. The web app uses WIF to validate the token (signature, issuer, audience and lifetime) and to parse its claims.

Beginning with .NET 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework.  Having the WIF classes directly available in the framework itself allows a much deeper integration of claims-based identity in the .NET platform, making it easier to use claims.

The following sections and reference links show what you need to do to make an existing application work with the STS (i.e., make it claims-aware) and how to build a new claims-aware application.

Configure ASP.NET MVC Application for Claims-Based Authentication

In the six steps below you add configuration entries to the Web.config file of your ASP.NET MVC web application to make it claims-aware. The same Web.config changes apply to other types of .NET web application as well.

  1. Add the following configuration section definitions to Web.config. They define the configuration sections required by Windows Identity Foundation. Add them immediately after the <configuration> opening element:

  2. Add a <location> element that allows anonymous access to the application's federation metadata:

  3. Add the following entries within <system.web> to deny anonymous users, disable native authentication, and let WIF manage authentication:

  4. Add the following Windows Identity Foundation configuration entries. Make sure your application's URL and port match the value in <audienceUris>, the realm attribute of <wsFederation> and its reply attribute, and that the issuer attribute is the URL of your Security Token Service (STS). The audience check is not cosmetic: WIF rejects a token whose audience does not match, which is what stops a token issued for another relying party from being replayed against yours.

  5. Add a reference to the System.IdentityModel assembly (Version 4.0.0.0), and to System.IdentityModel.Services, which contains the WS-Federation and session modules.

  6. Compile and test: build the solution to make sure there are no errors.
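The six steps above assembled into one Web.config. This is an added example reconstructed from the WIF 4.5 configuration schema, not the post's own snippets or Campus Management's sample; the application URL https://localhost:44300/, the STS URL https://sts.example.edu/ and the all-zero certificate thumbprint are placeholders to replace with your environment's values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example Web.config for a WIF 4.5 (.NET 4.5) relying party.
     Placeholders: https://localhost:44300/ (this app), https://sts.example.edu/ (the STS),
     and the thumbprint of the STS signing certificate. -->
<configuration>
  <!-- Step 1: WIF configuration sections -->
  <configSections>
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services"
             type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>

  <!-- Step 2: federation metadata stays reachable without a token -->
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Step 3: deny anonymous users and switch off native authentication; WIF takes over -->
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
    <authentication mode="None" />
  </system.web>

  <!-- Step 4a: WS-Federation and session modules for the IIS integrated pipeline.
       The module name is what Global.asax event handlers are auto-wired against. -->
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule"
           type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
           preCondition="managedHandler" />
      <add name="SessionAuthenticationModule"
           type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>

  <!-- Step 4b: token validation policy -->
  <system.identityModel>
    <identityConfiguration>
      <!-- Must equal the realm the STS writes into the token's audience restriction;
           a token issued for a different relying party fails here. -->
      <audienceUris>
        <add value="https://localhost:44300/" />
      </audienceUris>
      <!-- Pin the STS signing certificate by thumbprint. Without a trusted-issuer
           entry WIF cannot distinguish the Campus STS from any other signer. -->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="0000000000000000000000000000000000000000" name="https://sts.example.edu/" />
        </trustedIssuers>
      </issuerNameRegistry>
      <!-- "None" skips chain and revocation checks and is what the VS tooling emits for
           development. For production use ChainTrust, or PeerTrust with the STS
           certificate in the Trusted People store. -->
      <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
  </system.identityModel>

  <!-- Step 4c: where unauthenticated users are sent, and session-cookie protection -->
  <system.identityModel.services>
    <federationConfiguration>
      <!-- FedAuth session cookie only over TLS -->
      <cookieHandler requireSsl="true" />
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://sts.example.edu/"
                    realm="https://localhost:44300/"
                    reply="https://localhost:44300/"
                    requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
```

Two things to check before going to production: the issuerNameRegistry thumbprint must be rotated whenever the STS renews its signing certificate, or every login will fail with an untrusted-issuer error; and the default session token handler protects the FedAuth cookie with DPAPI, which is per machine, so on a web farm switch to the MachineKeySessionSecurityTokenHandler and share a machineKey across the nodes.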

Integrate application specific logic or claim

Once you receive a valid token back from the STS you may want to do additional authorization or populate application-specific claims. WIF raises several events where such logic can be hooked in. The following two events can be used to add application-specific claims after the token has been validated and to do any cleanup when the user signs out:
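A Global.asax.cs showing both hooks, as an added example rather than code from the post or from Campus Management's sample. It assumes the WS-Federation module is registered in Web.config under the name WSFederationAuthenticationModule (the name ASP.NET uses to auto-wire ModuleName_EventName handlers in Global.asax), that the Campus STS issues an e-mail claim, and a hypothetical in-memory role table standing in for the application's own data store.

```csharp
// Global.asax.cs of a claims-aware ASP.NET application on WIF 4.5 (.NET 4.5).
// Added example. Assumes the WS-Federation module is registered in Web.config as
// "WSFederationAuthenticationModule" so ASP.NET auto-wires the handlers below.
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical application-side role table; in practice a database lookup.
    private static readonly Dictionary<string, string[]> AppRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@example.edu", new[] { "Registrar", "Reports" } },
        };

    // Raised after WIF has checked the token's signature, issuer, audience and
    // lifetime, but before the FedAuth session cookie is written. Claims added
    // here are therefore stored in the session and are not recomputed per request.
    protected void WSFederationAuthenticationModule_SecurityTokenValidated(
        object sender, SecurityTokenValidatedEventArgs e)
    {
        var identity = e.ClaimsPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            throw new SecurityTokenException("Token did not yield an authenticated identity.");
        }

        // Key the lookup on a claim the STS actually asserts (here: e-mail). Do not
        // base local authorization on a role claim from the token unless the STS
        // is the authority for that role.
        Claim emailClaim = identity.FindFirst(ClaimTypes.Email);
        if (emailClaim == null || string.IsNullOrEmpty(emailClaim.Value))
        {
            throw new SecurityTokenException("STS token is missing the e-mail claim.");
        }

        string[] roles;
        if (AppRoles.TryGetValue(emailClaim.Value, out roles))
        {
            foreach (string role in roles)
            {
                // Tag the claim with the application as issuer so it can be told
                // apart from claims that came from the STS.
                identity.AddClaim(new Claim(ClaimTypes.Role, role,
                                            ClaimValueTypes.String, "urn:campus-app:local"));
            }
        }
    }

    // Raised after WIF has cleared the FedAuth session cookie on sign-out. Expire
    // any application cookies tied to the user so a shared browser does not carry
    // state over to the next person who signs in.
    protected void WSFederationAuthenticationModule_SignedOut(object sender, EventArgs e)
    {
        var expired = new HttpCookie("AppPrefs")
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = true
        };
        HttpContext.Current.Response.Cookies.Add(expired);
    }
}
```

Throwing from SecurityTokenValidated aborts the sign-in, which is the right outcome when the token lacks a claim the application cannot operate without; silently continuing would leave the user signed in with an incomplete identity. Session state is not yet available when these module events fire, so anything keyed to ASP.NET session must be cleaned up elsewhere.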

References

How To Build Claims-Aware from MSDN: http://msdn.microsoft.com/en-us/library/hh291061.aspx

WIF 4.0: http://msdn.microsoft.com/en-us/library/hh291061.aspx

Sample Code

Download the code sample for a web application that uses WIF 4.5 to connect to a custom STS. You will have to modify the URLs to match your environment before using it.

-tushar ~tas
