Question:
Again talking about ASP.NET Identity: there is another theme within this same subject that I believe is of great importance to the community (especially for me, the main stakeholder). It is Windows Identity Foundation (WIF).
What is it? What would be a basic example of deployment, for teaching purposes only?
Answer:
Well, I think that for a good connoisseur it is not enough to just translate something from MSDN or Wikipedia. Explanatory material here.
Windows Identity Foundation (WIF) is Microsoft's software framework for building "identity-aware" applications. It provides APIs for building ASP.NET or WCF based security token services (STS), as well as tools for building claims-aware applications.
Claims-aware is a common way for applications to get information about who is logging in (identity) within the corporation, or even on the Internet. It also provides a pretty solid approach for applications running on an intranet or on the Internet. Authentication with an STS works by a token being issued by an identity certification agent. Read about STS here.
An example of authentication with an STS is on this site: NFP SP, with the "access with digital certificate" option.
Now that you are in context, time to get your hands dirty.
To develop an application with STS authentication, you first need a server that is digitally signed so that it can issue its token. Then you need to add this certificate to your TrustedIssuer list (example here).
After all this it is necessary to implement an authentication based on Windows Federated Authentication. It is very common to use smartcards for this: you just enter your PIN and unlock access to the application. Ah, and the card in turn needs to be made by a trusted agency, for example the official press.
The example I will use is an application written in ASP.NET MVC authenticating via WIF.
    using System;
    using System.Configuration;
    using System.Web.Mvc;
    using Microsoft.IdentityModel.Protocols.WSFederation;   // SignInRequestMessage
    using Microsoft.IdentityModel.Web;                      // FederatedAuthentication, WSFederationAuthenticationModule

    // Base controller that delegates sign-in, token processing and sign-out to the WIF
    // WS-Federation module. IdentitySection is the application's own ConfigurationSection
    // type for the <federatedMvc.identity> element shown below.
    public abstract class SecurityController : Controller
    {
        // Fields
        private IdentitySection _identityConfig;

        // Methods

        // Receives the POST the STS sends back with the signed token. Declared public because
        // MVC only dispatches public methods as actions (the original declared it protected).
        [AcceptVerbs(HttpVerbs.Post), ValidateInput(false), AllowAnonymous]
        public ActionResult ProcessToken()
        {
            var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
            string str = null;
            // CanReadSignInResponse is true when the request carries a WS-Federation sign-in
            // response (wa=wsignin1.0 with a wresult token). wctx is the context this application
            // placed in the sign-in request (here the return URL); it travels through the browser,
            // so treat it as untrusted input and check it is a local URL before redirecting to it.
            if (wSFederationAuthenticationModule.CanReadSignInResponse(System.Web.HttpContext.Current.Request, true))
            {
                str = System.Web.HttpContext.Current.Request.Form["wctx"];
            }
            return new RedirectResult(str ?? wSFederationAuthenticationModule.Reply);
        }

        // Builds the WS-Federation sign-in request (wa=wsignin1.0, wtrealm, wreply) and sends the
        // browser to the STS. A caller-supplied issuer replaces the one configured in web.config
        // and is used as the redirect target as-is, so restrict it to the URIs listed in
        // <authenticationUris>.
        [AllowAnonymous]
        public ActionResult SignIn(string issuer)
        {
            var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
            string str = null;
            if (!base.User.Identity.IsAuthenticated)
            {
                str = new SignInRequestMessage(
                          new Uri(string.IsNullOrEmpty(issuer) ? wSFederationAuthenticationModule.Issuer : issuer),
                          wSFederationAuthenticationModule.Realm,
                          wSFederationAuthenticationModule.Reply).WriteQueryString();
            }
            return new RedirectResult(str ?? wSFederationAuthenticationModule.Reply);
        }

        // Clears the WIF session cookie. SignOut(false) means the sign-out was not initiated
        // by the identity provider (it is the application's own request).
        public ActionResult SignOut()
        {
            var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
            if (base.User.Identity.IsAuthenticated)
            {
                wSFederationAuthenticationModule.SignOut(false);
            }
            return new RedirectResult(wSFederationAuthenticationModule.Reply);
        }

        // Properties

        // Lazily loads the <federatedMvc.identity> section from web.config.
        protected IdentitySection IdentityConfig
        {
            get
            {
                return _identityConfig ?? (_identityConfig = (IdentitySection)ConfigurationManager.GetSection("federatedMvc.identity"));
            }
        }
    }
federatedMvc.identity is a section of your Web.config that will contain your security keys for your STS server.
For example:
    <federatedMvc.identity securityController="Seguranca">
        <authenticationUris>
            <!-- Login page of the certificate-based STS the application may redirect to -->
            <add type="Certificate" uri="https://CapsuleCorp/Identity.STS.Certificado/Login.aspx" />
        </authenticationUris>
    </federatedMvc.identity>
Then you need to add the <microsoft.identityModel> section to your web.config as well, and then fill in the necessary items, for example:
    <microsoft.identityModel>
        <service>
            <!-- URIs this application accepts as the token audience; tokens issued for any other audience are rejected -->
            <audienceUris>
                <add value="http://CapsuleCorp.com/FindDragonBalls" />
            </audienceUris>
            <federatedAuthentication>
                <!-- passiveRedirectEnabled="false": the module does not redirect unauthenticated
                     requests itself; SecurityController.SignIn builds the redirect to the STS -->
                <wsFederation passiveRedirectEnabled="false" persistentCookiesOnPassiveRedirects="false"
                              issuer="https://CapsuleCorp.com/Identity.STS.Certificado/Login.aspx"
                              realm="http://CapsuleCorp.com/realm" reply="http://CapsuleCorp.com/home" requireHttps="false" />
                <!-- requireHttps="false" and requireSsl="false" allow the token and the session cookie
                     over plain HTTP; fine for the teaching setup asked for, not for production -->
                <cookieHandler requireSsl="false" />
            </federatedAuthentication>
            <!-- "None" and "NoCheck" disable chain and revocation validation of the STS signing certificate;
                 again a teaching-only setting -->
            <certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
            <!-- Only tokens signed by a certificate with a listed thumbprint are accepted;
                 the name becomes the Issuer of the claims the application sees -->
            <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                <trustedIssuers>
                    <add name="CN=CapsuleCert" thumbprint="89cf12ef1f36a9bacaa4e813a44bb699bb46c359" />
                </trustedIssuers>
            </issuerNameRegistry>
        </service>
    </microsoft.identityModel>
After that you can consult all the claims returned by the claims service, deny access or redirect somewhere; then the sky is the limit. Based on each claim you will be able to direct your efforts. Do not hesitate to ask any questions.
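As an added example (not part of the original answer), a claim-based authorization filter for the ASP.NET MVC application above, written against the .NET 4.5 System.Security.Claims API (in the 3.5-era Microsoft.IdentityModel assembly the equivalent types are IClaimsPrincipal and IClaimsIdentity). The attribute name, the controller, the default trusted issuer and the role value are assumptions; the point it shows is that a claim should be checked together with its Issuer, the name the issuerNameRegistry mapped from the STS certificate, and how to enumerate the claims the STS returned.

```csharp
using System;
using System.Linq;
using System.Security.Claims;   // .NET 4.5+ claims API (WIF folded into the framework)
using System.Web;
using System.Web.Mvc;

// Hypothetical filter (added example): the principal must hold the given claim, and the claim
// must come from the issuer name issuerNameRegistry mapped from the STS certificate thumbprint.
public sealed class RequireClaimAttribute : AuthorizeAttribute
{
    private readonly string _claimType, _claimValue, _trustedIssuer;
    public RequireClaimAttribute(string claimType, string claimValue, string trustedIssuer = "CN=CapsuleCert")
    {
        _claimType = claimType; _claimValue = claimValue; _trustedIssuer = trustedIssuer;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false;
        // Type, value and issuer must all match: checking type/value alone would accept the
        // same claim asserted in a token from an issuer the registry never trusted.
        return principal.HasClaim(c => c.Type == _claimType
                                    && c.Value == _claimValue
                                    && string.Equals(c.Issuer, _trustedIssuer, StringComparison.Ordinal));
    }

    // Signed in but lacking the claim: answer 403 instead of redirecting to the STS again.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class DragonBallsController : Controller
{
    // "ZFighter" is a constructed role value; only principals the trusted STS placed in it may enter.
    [RequireClaim(ClaimTypes.Role, "ZFighter")]
    public ActionResult Index()
    {
        // Every claim the STS returned, e.g. for display or an audit log.
        var claims = ((ClaimsPrincipal)User).Claims
            .Select(c => c.Type + " = " + c.Value + " (issuer: " + c.Issuer + ")").ToList();
        return View(claims);
    }
}
```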