共用方式為

Integrating Forms Authentication and Federated Security

  • 發行項

Here I have talked about a technique to flow Forms Authentication cookie to a WCF service and using it as an authentication credential for the service.  For this to work – service must be running in ASP.net compatibility mode and Forms Authentication must be configured in web.config.

Here is diagrammatic view of a simple case.

In the above diagram, website authenticates users using Forms authentication, which creates a cookie after successful authentication. When ASP.net sites calls the backend service (in response to users action) – it simply passes the Form Auth cookie as part of the call. Now because our service is running in asp.net compatibility mode and Forms Authentication module is also configured in web.config, cookie will successfully be validated and we will see correct identity in the HttpContext.User

Looking good so far. Yes?

I think, this is acceptable when you only have one to two services – however when we talk about SOA – we generally mean larger number of services and this is where this approach becomes clunky primarily due to following two reasons:

· Every service MUST run under asp.net compatibility mode, which is slower than the default native mode. So you incur some performance plenty.

· For the cookie flow to work, both participants MUST use the same <machineKey>.  As your share single key among more and more participants – the overall security of solution is getting weaker as key will be duplicated across many places.

So there are some scalability & security issues in the above architecture.

 Let’s see how we can improve this architecture by introducing an STS into picture. The goal here is to extract the authentication mechanism (FormsAuth cookie based) out of the services and move it to STS. Service will simply require a token from STS – it is STS’s responsibility to authenticate user using some mechanism (Forms Auth being the step one).

Here you can see ONLY STS is running in asp.net compatibility mode and services are running under native mode which will result in better performance.

Also now we are only sharing keys (<machineKey>) between two participants (STS  & Website) regardless of the number of services. Services are simply configured to require a SAML token from the STS and are agnostic to the actual client authentication mechanism. We can easily change cookie based authentication with Kerberos without impacting services at all.

Now Step 1 isn’t really possible out of box – why?

Because it’s the wsFederationHttpBinding, which talks to STS rather your proxy (configured to use wsFederationHttpBinding). So setting cookie on the proxy will NOT send it to STS and the solution is to extend WCF security framework to enable cookie flow to the STS.

In the next post, I will show how to implement Step 1 while still leveraging wsFederationHttpBinding. For now please see this post for background.

Originally posted by Zulfiqar on the 15h of April 2009 here.

Comments

  • Anonymous
    April 22, 2009
    PingBack from http://microsoft-sharepoint.simplynetdev.com/integrating-forms-authentication-and-federated-security/

  • Anonymous
    April 24, 2009
    Just a question regarding the flow during the authentication: Why would you authenticate against the ASP.NET app, and then pass this authentication token to a STS, which gives you a second token? Wouldn't you directly authenticate against the STS (no need to run in ASP.NET compat), and use this token for the service calls? You need two authentication stores in your example, which makes limited sense.

  • Anonymous
    April 24, 2009
    This is for a scenario where web app is already using forms auth and now it needs to call few backend services - some of them requires end user's identity to function. The simplest approach would be to flow the cookie from web app to all the services but this has manageablility/perf/security issues etc. STS doesn't require it's own user store. It authenticates caller by simply validating the Forms Auth cookie. I agree, where possible authenticating should directly be done against STS(for example, by using Geneva Framework). You can find examples regarding this on my blog.