共用方式為


Windows Identity Foundation 101’s : WS-Federation Passive Requestor Profile (part 1 of 2)

Background

It is becoming more commonplace for the means of authenticating a user to be externalized away from the content provider. In federation parlance the content provider is known as the Relying Party (RP) and is so named because it is reliant upon an external entity for authentication, that entity being known as the Identity Provider (IdP). The diagram below depicts this relationship where the RP and IdP are separate entities linked by a trust relationship. i.e – the RP trusts that the IdP can correctly authenticate and assert information about the user (we might expect that the IdP is trusted by several other RP’s or that the RP trusts several IdP’s but this simplest of scenarios is a good starting point from which to evolve the discussion).

Simplest_4_02DA8180 

The steps towards giving a user access to the RP content are as follows:

  1. End user attempts to access the RP
  2. The RP has no knowledge of the user and instructs the client to send the user off to the IdP for authentication
  3. The user authenticates and the IdP instructs the client to send the user back to the RP with a token (generally comprised of XML but not exclusively so) representing the users identity
  4. The RP validates the token and gives access to the user

In this scenario the client application can either:

  • Simply route traffic between the RP/IdP with no modifications
    • This is a ‘passive’ client, a good example being a web browser executing GET/POST redirects
  • Compose the messages based upon metadata served up by the RP/IdP
    • This is an ‘active’ client, one example being an browser control that sends SOAP messages into the RP/IdP based upon the published policies

Here is a more comprehensive description of active and passive clients.

What follows is a demonstration of how WIF trivialises the effort required to mediate between RP/IdP using the WS-Federation passive profile.

You will need the following installed:

Create a simple Relying Party application for sending requests

1. Create an ASP.NET web application called WIFRelyingParty with the following attributes:

  • Accessible at https://localhost/WIFRelyingParty
  • Has a basic web page called Content.aspx
  • Has references to Microsoft.IdentityModel.dll and System.ServiceModel.dll
  • Has an assembly name and default namespace of ‘WIFRelyingParty’

2. In the Page_Load event handler for Content.aspx.cs, insert the following code (you will need to add the using directives yourself):

 // This is a new request
SignInRequestMessage mess = new SignInRequestMessage(
    new Uri("https://localhost/WIFIdentityProvider/Login.aspx"),
    "https://MyRealm", "https://localhost/WIFRelyingParty/Content.aspx");
 
HttpContext.Current.Response.Redirect(mess.WriteQueryString());
 
// You could also do this
// HttpContext.Current.Response.Write(mess.WriteFormPost());
// HttpContext.Current.Response.End();

 

As you can see, two lines of code are all it takes to create an industry standard request message and instruct the browser to perform a HTTP GET against the IdP (you could also POST). The parameters to the SignInRequestMessage constructor are as follows:

  • IdP endpoint– where the signin request is going
  • RP realm– identifies the RP to the IdP
  • Reply address– the url that the IdP should redirect the browser back to

Here is a snippet of what the IdP recieves:

 GET /WIFIdentityProvider/Login.aspx?wa=wsignin1.0&wtrealm=http%3a%2f%2fMyRealm&wreply=http%3a%2f%2flocalhost%2fWIFRelyingParty%2fContent.aspx HTTP/1.1

 

The set of query string parameters starting with ‘w’ are the means of conveying information from RP to IdP and vice versa. There are more than those shown in this example and I encourage you to read further if you want to find out more. I will however be introducing some of these parameters in later posts.

Create a simple Identity Provider application for processing requests

1. Create an ASP.NET web application called WIFIdentityProvider with the following attributes:

  • Accessible at https://localhost/WIFIdentityProvider
  • Has a basic web page called Login.aspx
  • Has references to Microsoft.IdentityModel.dll, System.IdentityModel.dll and System.ServiceModel.dll
  • Has an assembly name and default namespace of ‘WIFIdentityProvider’

2. Add a new class to the project called CustomSecurityTokenService.cs and overwrite it with the following code:

 namespace WIFIdentityProvider
{
    using Microsoft.IdentityModel.Claims;
    using Microsoft.IdentityModel.Configuration;
    using Microsoft.IdentityModel.Protocols.WSTrust;
    using Microsoft.IdentityModel.SecurityTokenService;
 
    public class CustomSecurityTokenService : SecurityTokenService
    {
        public CustomSecurityTokenService(SecurityTokenServiceConfiguration config)
            : base(config)
        {
        }
 
         // Returns information about the target of the token issuance
        protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
        {
            Scope scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
            scope.TokenEncryptionRequired = false;
            scope.ReplyToAddress = request.ReplyTo;
            return scope;
        }
 
         // Returns an IClaimsIdentity implementation populated with claims about the user
        protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            return new ClaimsIdentity();
        }
    }
}

 

3. In the Page_Load event handler for Login.aspx.cs, insert the following code:

 

 protected void Page_Load(object sender, EventArgs e)
{
    string action = Request.QueryString[WSFederationConstants.Parameters.Action];
 
     // This check is not strictly necessary for a prototype but is good practice
    if (action == WSFederationConstants.Actions.SignIn)
    {
        SignInRequestMessage requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(Request.Url);
        SecurityTokenService sts = new CustomSecurityTokenService(
            new SecurityTokenServiceConfiguration(
                “https://WIFIdentityProvider”,
                new X509SigningCredentials(GetCertificate(StoreName.My, StoreLocation.LocalMachine, "<certificate subject>"))));

        SignInResponseMessage responseMessage = 
            FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, User, sts);
 
        FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(responseMessage, Response);
    }
}

NB - You will need to add a certificate (public and private keys) to the local machine personal store and replace <certificate subject> with the correct name. You may also have to assign permissions to the private key of the cert for the identity that your website is running under.

4. Add the following helper method to Login.aspx.cs: 

 private static X509Certificate2 GetCertificate(StoreName name, StoreLocation location, string subjectName)
{
    X509Store store = new X509Store(name, location);
    X509Certificate2Collection certificates = null;
    store.Open(OpenFlags.ReadOnly);
 
    try
    {
        X509Certificate2 result = null;
        certificates = store.Certificates;
 
        for (int i = 0; i < certificates.Count; i++)
        {
            X509Certificate2 cert = certificates[i];
            if (cert.SubjectName.Name.ToLower() == subjectName.ToLower())
            {
                if (result != null)
                {
                    throw new ApplicationException(string.Format("There are multiple certificates for subject Name {0}", subjectName));
                }
 
                result = new X509Certificate2(cert);
            }
        }
 
        if (result == null)
        {
            throw new ApplicationException(string.Format("No certificate was found for subject Name {0}", subjectName));
        }
 
        return result;
    }
    finally
    {
        if (certificates != null)
        {
            for (int i = 0; i < certificates.Count; i++)
            {
                X509Certificate2 cert = certificates[i];
                cert.Reset();
            }
        }
 
        store.Close();
    }
}

OK, so what have we achieved? The only bits of real relevance are steps 2 and 3. In step 2 a custom Security Token Service (STS) has been created simply by deriving from the SecurityTokenService base class and overriding a couple of methods. The GetScope method allows us to define the certificate that will be used to sign the token (so that the RP can verify the token has not been tampered with and also that it is from the targeted IdP). It also allows us to define a certificate for encrypting the token (using the RP public key with the private key held at the RP for decryption) but I have set this property to false for now so that we can see the clear text token.

 

The GetOutputClaimsIdentity method is used to populate the outgoing token with information about the user. Each of these snippets of information is known as a claim. And finally we get to the point of this whole thing. WIF is all about claims, claims and more claims … claims about the user that will be used by the RP.

 

Finally, in step 3 the Page_Load event handler uses the custom STS to craft up a token and instructs the browser to redirect the browser back to the RP.

 

A common mistake

We now get to reap the fruits of our labour……. don’t we?

 

After browsing to https://WIFRelyingParty/Content.aspx, we get redirected to the IdP, authentication occurs (well kind of, more on that in later posts) and the resulting token is returned to the RP. The token looks like the following:

 

 image_2_02DA8180

“A SAMLAssertion requires at least one statement” ……………. What’s this!?

Ok I have been a bit naughty but I wanted to demonstrate an error I have hit time and time again when trying to shortcut prototypes. The clue as to why this occurs is in the SAML1.1 assertion schema, specifically the following:

image_4_02DA8180

The SAML assertion created by the IdP MUST contain at least one Attribute (i.e – a claim) and rather than WIF saying as much, it reports that the entire AttributeStatement is missing. Trust me, if you use WIF or ADFS v2 you WILL eventually get careless and hit this one.

The remedy is easy, just modify the GetOutputClaimsIdentity method to return something substantial like the following:

 protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
    ClaimsIdentity id = new ClaimsIdentity();
    id.Claims.Add(new Claim("IdP/Claim1", "Hello from the Idp"));
    return id;
}

 

Extend the Relying Party application to handle responses

1. Overwrite the contents of the Page_Load event handler for Content.aspx.cs with the following code:

 if (HttpContext.Current.Request.Form[WSFederationConstants.Parameters.Result] != null)
{
    // This is a response from the STS
    SignInResponseMessage mess = WSFederationMessage.CreateFromNameValueCollection(
        WSFederationMessage.GetBaseUrl(HttpContext.Current.Request.Url),
        HttpContext.Current.Request.Form) as SignInResponseMessage;
    string tokenXml = mess.Result;
}
else
{
    // This is a new request
    SignInRequestMessage mess = new SignInRequestMessage(
        new Uri("https://localhost/WIFIdentityProvider/Login.aspx"),
        "https://WIFRelyingParty", "https://localhost/WIFRelyingParty/Content.aspx");
    HttpContext.Current.Response.Redirect(mess.WriteQueryString());
 
    // You could also do this
    // HttpContext.Current.Response.Write(mess.WriteFormPost());
    // HttpContext.Current.Response.End();
}

Note that the code to create the initial request hasn’t changed, if has just been tidied away into the else statement.

The if statement checks that the Result property is populated with a response (Result => wresult in the GET/POST response, another of those ‘w’ parameters I mentioned earlier) and if so, the response is deserialized with a single line of code. We now have a token with which to determine authorisation to view the RP content.

Summary

This post demonstrates that it is possible, using WIF, to implement simple Relying Party (RP) and Identity Provider (IdP) applications using very few lines of code. It goes without saying that this is not production-ready code but it serves to highlight the important points.

Thus far this has all been achieved programmatically. However, in the true WCF spirit (upon which WIF is built) it is possible to achieve the same results using configuration and reduce even further the lines of custom code. In the next post I will be demonstrating this and also how we can tighten up the security of the RP/IdP applications.

 

 

Written by Bradley Cotier

Comments

  • Anonymous
    July 26, 2010
    cool..can't wait for the second part

  • Anonymous
    September 22, 2010
    Wonderful walkthrough. I liked part 2 either. Thanks for sharing.

  • Anonymous
    March 06, 2011
    Hi, I am getting the error message on the ADFS login screen. The scenario is pretty simple and common. I have a web application (Created in Visual Studio 2008 and this is not a replying party application) and from this, I am just posting user-id, user password and replying party application address to ADFS Login screen. Query-string approach is working fine but not the form post. Below is the code: SignInRequestMessage mess = new SignInRequestMessage(                new Uri("https://Testnordev003. Testclab2008.com/adfs/ls/"),                "https:// Testnordev003. Testclab2008.com/SampleRNDApplication/");            mess.SetParameter("UserID", "Test");            mess.SetParameter("UserPassword", "P@assw0rd");            // Post POC            HttpContext.Current.Response.Write(mess.WriteFormPost());            HttpContext.Current.Response.End(); Below are the settings in web.config (adfs/ls) of ADFS 2.0  <system.webServer>    <handlers>      <add name="BasicAuthHandler" path="auth/basic/" verb="" type="Microsoft.IdentityServer.Web.BasicEndpointHandler, Microsoft.IdentityServer, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode,runtimeVersionv2.0" />      <add name="PassiveProtocolHandler" path="/adfs/ls/" allowPathInfo="true" verb="" type="Microsoft.IdentityServer.Web.PassiveProtocolHandler, Microsoft.IdentityServer, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode,runtimeVersionv2.0" />      <add name="TlsAuthHandler" path="auth/sslClient/" verb="" type="Microsoft.IdentityServer.Web.TlsEndpointHandler, Microsoft.IdentityServer, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode,runtimeVersionv2.0" />      <add name="WindowsAuthHandler" path="auth/integrated/" verb="" type="Microsoft.IdentityServer.Web.WindowsEndpointHandler, Microsoft.IdentityServer, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode,runtimeVersionv2.0" />    </handlers>    <validation validateIntegratedModeConfiguration="false" />  </system.webServer>  <microsoft.identityServer.web>    <localAuthenticationTypes>       <add name="Forms" page="FormsSignIn.aspx" />      <add name="Integrated" page="auth/integrated/" />      <add name="TlsClient" page="auth/sslclient/" />      <add name="Basic" page="auth/basic/" />    </localAuthenticationTypes>    <commonDomainCookie writer="" reader="" />    <context hidden="true" />    <error page="Error.aspx" />     <acceptedFederationProtocols saml="true" wsFederation="true" />    <homeRealmDiscovery page="HomeRealmDiscovery.aspx" />    <persistIdentityProviderInformation enabled="true" lifetimeInDays="30" />    <singleSignOn enabled="true" />  </microsoft.identityServer.web> Please share your views and thanks a lot in advance.

  • Anonymous
    March 06, 2011
    This is error message MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.

  • Anonymous
    March 27, 2011
    Hi ADFS v2 does not support WS-Federation POST sign-in, only GET. Regards Brad

  • Anonymous
    April 02, 2011
    Thanks Brad. Can you please provide some other approach? I have to post user-id and password to adfs login screen using simple ASP.NET application (created in visual studio 2008 and application is not a replying party). Do I have to change some settings in the above mentioned web.config file? Thanks a lot !!!

  • Anonymous
    April 03, 2011
    Hi What I have described in this article is a passive protocol. This means the users browser is redirected away from the originating (your) website to an authentication website that hosts the login page. The user then enters their credentials and, upon successful authentication, the browser is redirected back to the originating website with a token. The key point is that the originating website does not embed the users credentials in the browser redirect, as you have attempted to do above. In fact the originating website nevers sees the users credentials at all because the browser is positioned at the authentication website when the user enters their credentials. You can achieve this same effect by doing what I have done above and simply substituting ADFS in as the Identity Provider. When ADFS receives the browser redirect POST it will pick up that the user is not logged in (i.e. - no cookie exists) and present a login page. Also, to make your life a little easier I wrote a subsequent post where all of this is done through config with no custom code at all: blogs.msdn.com/.../windows-identity-foundation-101-s-ws-federation-passive-requestor-profile-part-2-of-2.aspx However. if you need the originating website to harvest the users credentials and present them to ADFS then you have to employ an active protocol. In an active protocol (for a website) the browser never leaves the website but instead the website performs a POST to ADFS. This will require you to create a WCF client that is capable of making calls to ADFS. Here is an example for userid/password authentication: blogs.southworks.net/.../getting-a-token-from-adfs-ex-geneva-server-using-wcf Hope this makes sense. Brad