I recently had the task to find out how to mix ASP.NET Forms Authentication with WIF's WS-Federation. The FormsAuth app already existed, and a new sub-directory of this application should use ADFS for authentication. Minimum changes to the existing application code would be a plus ;)

Since the application is using ASP.NET MVC this was quite easy to accomplish – WebForms would be a little harder, but still doable. I will discuss the MVC solution here.
To solve this problem, I made the following changes to the standard MVC internet application template:

1. Added WIF's WSFederationAuthenticationModule and SessionAuthenticationModule to the modules section.
2. Added a WIF configuration section to configure the trust with ADFS.
3. Added a new authorization attribute. This attribute goes on controllers that demand ADFS (or STS in general) authentication.
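The post does not show the first two changes, so here is an added example of what the web.config wiring looks like; it is not the original application's configuration. Host names, the realm, the ADFS endpoint and the token-signing certificate thumbprint are placeholders, the Forms loginUrl is the MVC template default, and the assembly version 3.5.0.0 assumes the WIF 1.0 runtime (Microsoft.IdentityModel.dll). The example sets passiveRedirectEnabled="false" on purpose: with the default of true the WS-Federation module answers every 401 with a redirect to ADFS, which would take over the Forms-authenticated part of the site; instead the RequireTokenAuthenticationAttribute shown further down issues the redirect only for the controllers that need it.

```xml
<?xml version="1.0"?>
<configuration>
  <configSections>
    <!-- registers the <microsoft.identityModel> section handler (WIF 1.0) -->
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <system.web>
    <!-- Forms authentication stays the default for the existing application -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" />
    </authentication>
  </system.web>

  <system.webServer>
    <modules>
      <!-- change 1: the two WIF modules, in the order FedUtil generates them -->
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
           preCondition="managedHandler" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>

  <!-- change 2: the WIF section describing the trust with ADFS -->
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <!-- placeholder: the identifier ADFS issues tokens for; anything else is rejected -->
        <add value="https://app.example.com/" />
      </audienceUris>
      <federatedAuthentication>
        <!-- passiveRedirectEnabled="false": do not redirect every 401 to ADFS,
             otherwise Forms-protected pages would end up at ADFS instead of the Forms login.
             The attribute triggers the sign-in redirect explicitly where needed. -->
        <wsFederation passiveRedirectEnabled="false"
                      issuer="https://adfs.example.com/adfs/ls/"
                      realm="https://app.example.com/"
                      requireHttps="true" />
        <!-- the WIF session cookie is only sent over TLS -->
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <!-- placeholder thumbprint: the ADFS token-signing certificate; tokens signed by anything else fail validation -->
          <add thumbprint="0000000000000000000000000000000000000000"
               name="https://adfs.example.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

The audienceUris and trustedIssuers entries are the two checks that decide whether an incoming token is accepted at all; leaving either of them loose (empty audience list, wrong or missing thumbprint) means the module will either reject every token or trust the wrong issuer, so verify both against the ADFS relying-party configuration before testing the redirect.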
The attribute logic is quite simple – it checks that the user is authenticated – and additionally that the authentication type is set to Federation, so a user who is only Forms-authenticated does not pass. If that's the case all is good, if not, the redirect to the STS will be triggered.
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Web;          // FederatedAuthentication (WIF 1.0)
using WIF = Microsoft.IdentityModel.Tokens; // alias assumed for WIF.AuthenticationTypes below

public class RequireTokenAuthenticationAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // must be authenticated AND authenticated via WS-Federation;
        // a Forms login alone yields AuthenticationType "Forms" and is not enough
        if (httpContext.User.Identity.IsAuthenticated
            &&
            httpContext.User.Identity.AuthenticationType.Equals(
                WIF.AuthenticationTypes.Federation, StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }

        return false;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // do the redirect to the STS, returning to the originally requested URL afterwards
        var message
            = FederatedAuthentication.WSFederationAuthenticationModule.CreateSignInRequest(
                "passive",
                filterContext.HttpContext.Request.RawUrl,
                false);

        filterContext.Result = new RedirectResult(message.RequestUrl);
    }
}
That's it ;) If you want to know why this works (and a possible gotcha) – read my next post.