Implementing ASP.NET web with WIF & ADFS 1.0 - wif

I have developed a solution with an ASP.NET front-end using WCF services as the back-end. The web site currently authenticates using ADFS 1.0 (I do not have any control over the ADFS implementation, but it has been configured for my web application). Also, it's not an option to upgrade to ADFS 2.0 (at least not in the near future).
The configuration in Web.config for this is the following:
<httpModules>
<add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
</httpModules>
<membership defaultProvider="SingleSignOnMembershipProvider2">
<providers>
<add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://urltoadfs/adfs/fs/FederationServerService.asmx" />
</providers>
</membership>
<websso>
<authenticationrequired />
<urls>
<returnurl>https://myapplication/</returnurl>
</urls>
<fs>https://urltoadfs/adfs/fs/FederationServerService.asmx</fs>
<isSharePoint />
</websso>
This works fine and I can access the application using an account in ADFS. The problem is that I need to convert this claims identity to a WindowsIdentity to access the back-end WCF services (they use Windows Authentication with impersonation/delegation).
Is there any way to accomplish this with ADFS 1.0? I have tried to use WIF (Windows Identity Foundation) but I cannot find any clear information on whether it's possible to use it together with ADFS 1.0 as the STS. I have also investigated the "Windows NT token-based applications" option (http://technet.microsoft.com/en-us/library/cc784956(v=ws.10).aspx) but I would like to avoid changes to the current ADFS implementation if possible.
To test the WIF-option I used the following configuration in Web.config (the part on websso removed):
<httpModules>
<add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add name="ClaimsAuthorizationModule" type="Microsoft.IdentityModel.Web.ClaimsAuthorizationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</httpModules>
<microsoft.identityModel>
<service>
<audienceUris>
<add value="https://myapplication/" />
</audienceUris>
<applicationService>
<claimTypeRequired>
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="true" />
</claimTypeRequired>
</applicationService>
<securityTokenHandlers>
<add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
</add>
</securityTokenHandlers>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true"
issuer="https://urltoadfs/adfs/fs/FederationServerService.asmx"
realm="https://myapplication/"
requireHttps="true" />
</federatedAuthentication>
</service>
</microsoft.identityModel>
I also have the "Claims to Windows Token Service" (c2WTS) running on the web-server.
I get redirected to the ADFS server, but I just receive a general error from the server.
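The mapping the configuration above asks for (mapToWindows plus c2WTS) can also be done explicitly in application code, which makes each failure point visible. This is an added example, not code from the original post; it assumes the SAML token validates and carries the UPN claim, that the application pool identity is on the c2WTS allowed-callers list, and that the back-end WCF call is passed in as a hypothetical delegate.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;               // IClaimsIdentity, Claim, ClaimTypes (WIF 3.5)
using Microsoft.IdentityModel.WindowsTokenService;  // S4UClient, the client side of c2WTS

public static class BackEndCaller
{
    // Upper bound on the S4U logon; a hung c2WTS call should fail fast, not tie up the request.
    private static readonly TimeSpan LogonTimeout = TimeSpan.FromSeconds(10);

    // Returns the WindowsIdentity that c2WTS produces for the UPN claim of the current
    // claims principal, or throws with a specific reason when the mapping cannot be done.
    public static WindowsIdentity WindowsIdentityFromClaims()
    {
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new InvalidOperationException("No authenticated claims identity on this request.");

        // ClaimTypes.Upn is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
        // the claim type the Web.config above lists under claimTypeRequired.
        Claim upn = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn);
        if (upn == null || string.IsNullOrEmpty(upn.Value))
            throw new InvalidOperationException("Token carries no UPN claim; cannot map to a Windows account.");

        // Protocol transition (S4U2Self) through the Claims to Windows Token Service.
        // The UPN must resolve in Active Directory and the calling process identity must be
        // allowed by c2WTS; anything else surfaces here as an exception rather than later.
        return S4UClient.UpnLogon(upn.Value, LogonTimeout);
    }

    // Runs the back-end call while impersonating the mapped Windows user, so the WCF
    // service sees the end user (its Windows Authentication / delegation then applies).
    // Create the WCF proxy inside the delegate: a channel opened outside the impersonated
    // scope would carry the application pool identity instead.
    public static T CallBackEnd<T>(Func<T> backEndCall)   // backEndCall is hypothetical
    {
        WindowsIdentity windowsIdentity = WindowsIdentityFromClaims();
        using (WindowsImpersonationContext ctx = windowsIdentity.Impersonate())
        {
            return backEndCall();
        }
        // Impersonation is reverted by Dispose() even if the call throws.
    }
}
```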

Related

Sitecore 7.5 to other MVC Solution

I am trying to add Sitecore to an existing solution where we already have an MVC application. Now after adding Sitecore, I will make Sitecore the start-up project and add the existing MVC application as a reference to the Sitecore MVC application.
Since the existing application was using 4.5.1 and MVC 5.2.3, I am also using the same for my Sitecore application. But the existing MVC application is using the below:
1. System.Web.Http (Version:5.2.3.0)
2. System.Web.Http.WebHost (Version:5.2.3.0)
3. System.Net.Http.Formatting (Version:5.2.3.0)
So can I use the same for Sitecore? If yes, then I will have to modify Web.config
From:
<compilation defaultLanguage="c#" debug="false" targetFramework="4.5.1">
<assemblies>
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Data.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<add assembly="System.Web.Helpers, Version=3.0.0.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Mvc, Version=5.2.3.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.WebPages, Version=3.0.0.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Http, Version=5.1.0.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Http.WebHost, Version=5.1.0.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Net.Http.Formatting, Version=5.1.0.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
To:
<compilation defaultLanguage="c#" debug="false" targetFramework="4.5.1">
<assemblies>
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Data.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<add assembly="System.Web.Helpers, Version=3.0.0.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Mvc, Version=5.2.3.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.WebPages, Version=3.0.0.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Http, Version=5.2.3.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Http.WebHost, Version=5.2.3.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Net.Http.Formatting, Version=5.2.3.0, Culture=neutral,PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
Is this change fine? Please suggest.
Instead of adding Sitecore to your solution you should probably look at it the other way around, i.e. getting your MVC application to work in Sitecore.
You shouldn't really change the assembly versions Sitecore is using and you should try to get your Mvc application to work with Sitecore. You can't 100% guarantee that Sitecore will work using higher or lower versions of assemblies that it needs. Whereas with your Mvc solution (I'm assuming you have the source code) you can always try to modify this to work with Sitecore.
Verified with sitecore support and they confirmed that all the above changes are fine.

Redirecting Users from Unauthorized Page

I have an MVC application that I recently converted the authentication/authorization method from forms to federated. Everything works fine, but on the home page I have to create a cookie for the authorization of the rest of my site to work properly. When users navigate to the home page first it works great, if they navigate to a different page first where authorization is required they get a 401 unauthorized error page.
When I had the forms authentication implemented it would redirect users that were unauthorized to the login page, with federation I no longer have a login page so I would like to redirect to the home page. With forms authentication the redirection was automatic, how would I setup something similar for my federated application?
Here are the federated portions of my web.config that are relevant. Again, federated authentication/authorization works; it's just the unauthorized redirect that isn't.
<system.web>
<customErrors mode="Off"/>
<authentication mode="None"/>
<authorization>
<deny users="?"/>
</authorization>
<membership defaultProvider="ADMembershipProvider">
<providers>
<add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionProtection="Secure" attributeMapUsername="sAMAccountName" connectionStringName="ADConn" connectionUsername="UName" connectionPassword="Pass" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="ActiveDirectoryRoleProvider" cacheRolesInCookie="true" cookieName=".ADLibraryROLES" cookiePath="/" cookieTimeout="1440" cookieRequireSSL="false" cookieSlidingExpiration="true" createPersistentCookie="true" cookieProtection="All">
<providers>
<clear />
<add name="ActiveDirectoryRoleProvider" connectionStringName="ADConn" connectionUsername="UName" connectionPassword="Pass" attributeMapUsername="sAMAccountName" type="MyApp.ActiveDirectoryRoleProvider" />
</providers>
</roleManager>
</system.web>
<system.webServer>
<modules>
<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler"/>
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler"/>
</modules>
</system.webServer>
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://fed.example.com/"/>
</audienceUris>
<securityTokenHandlers>
<add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
</securityTokenHandlers>
<certificateValidation certificateValidationMode="None"/>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://myfedservice.example.com/adfs/services/trust">
<keys>
<add thumbprint="mythumb"/>
</keys>
<validIssuers>
<add name="http://fed.example.com/adfs/services/trust"/>
</validIssuers>
</authority>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true"/>
<wsFederation passiveRedirectEnabled="true" issuer="https://fed.example.com/adfs/ls/" realm="https://fed.example.com/" reply="https://fed.example.com/" requireHttps="true" persistentCookiesOnPassiveRedirects="true"/>
</federationConfiguration>
</system.identityModel.services>
You can configure this in the wsFederation section, see MSDN for further details. By setting the “passiveRedirectEnabled” to true, the WSFederationAuthenticationModule will look at all outgoing responses, trying to find HTTP 401s. If it finds a 401, it will modify the response and turn it into a redirect to the STS. Please note that in production you want to change requireHttps to true.
<system.identityModel.services>
<federationConfiguration>
<wsFederation passiveRedirectEnabled="true"
issuer="http://localhost:15839/wsFederationSTS/Issue"
realm="http://localhost:50969/" reply="http://localhost:50969/"
requireHttps="false"
signOutReply="http://localhost:50969/SignedOutPage.html"
signOutQueryString="Param1=value2&amp;Param2=value2"
persistentCookiesOnPassiveRedirects="true" />
<cookieHandler requireSsl="false" />
</federationConfiguration>
</system.identityModel.services>
Please note that you also need to add these modules:
<modules>
<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>
and the following config sections:
<configSections>
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>

UserManager and organizational accounts - cannot connect to the database ( mvc 5)

Got the following problem:
I've created a simple MVC 5 project with individual user accounts authentication.
Everything works: I can add users, roles, everything is stored in the database - all seems to be fine. Now I want to change authentication to organisational:
<system.webServer>
<modules>
<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>
</system.webServer>
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="myUrl" />
</audienceUris>
<securityTokenHandlers>
<remove type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<add type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<samlSecurityTokenRequirement>
<nameClaimType value="myClaim"/>
</samlSecurityTokenRequirement>
</add>
</securityTokenHandlers>
<certificateValidation certificateValidationMode="None" />
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="mySts">
<keys>
<add thumbprint="myThumb" />
</keys>
<validIssuers>
<add name="mySts" />
</validIssuers>
</authority>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true" />
<wsFederation passiveRedirectEnabled="true" issuer="mySTs" realm="myUrl" requireHttps="true" />
</federationConfiguration>
</system.identityModel.services>
It works - I can authenticate, but when I want to add a new user (based on User.Identity.Name) to my existing database:
UserManager.CreateAsync(user);
I get a weird error:
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 50 - Local Database Runtime error occurred. Cannot create an automatic instance. See the Windows Application event log for error details.)
although I didn't change anything in the connection, DbContext and so on.
What could be the reason for such behavior?
Something seems to be missing in your web.config file. Try adding connectionStrings to your web.config by editing the code below according to your database and connection properties:
web.config:
<configuration>
<connectionStrings>
<add name="DefaultConnection" providerName="System.Data.SqlClient" connectionString="Data Source=(localdb)\v11.0;Initial Catalog=aspnet-YourDatabaseName;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnet-YourDatabaseName.mdf" />
</connectionStrings>
</configuration>

Obtain token in JWT format from a custom Sts

I have implemented a custom STS and it works well with SAML tokens.
Now I need to obtain the token in JWT format, because I need to pass it later to WCF Rest based service.
I've installed the Jwt Token Handler from:
https://nuget.org/packages/System.IdentityModel.Tokens.Jwt/
This is a part of the Web.config in the Sts project:
<identityConfiguration>
<securityTokenHandlers name="ActAs">
<clear/>
<add type="System.IdentityModel.Tokens.JwtSecurityTokenHandler, System.IdentityModel.Tokens.Jwt"/>
<!--<add type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<add type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />-->
<securityTokenHandlerConfiguration>
<audienceUris>
<add value="URL_RP_STS"/>
<add value="URL_CLIENT"/>
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
<trustedIssuers>
<add thumbprint="..." name="StsCustom" />
</trustedIssuers>
</issuerNameRegistry>
</securityTokenHandlerConfiguration>
</securityTokenHandlers>
<audienceUris>
<add value="URL_RP_STS" />
</audienceUris>
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="None" />
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="StsCustom">
<keys>
<add thumbprint="..." />
</keys>
<validIssuers>
<add name="StsCustom" />
</validIssuers>
</authority>
</issuerNameRegistry>
</identityConfiguration>
But the Sts continue to generate a SamlSecurityToken.
Is some other configuration necessary to set a specific token type? Isn't adding the JWT token handler in the securityTokenHandlers section sufficient?
Thanks
How do you request the token? In WS-Trust you can pass in the token type in the RST. For WS-Federation you need to write code in the STS for that.
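As an added illustration of the answer's WS-Trust point (not code from the original post): a client that requests the token from the STS and sets the RST's TokenType to the identifier the installed JWT handler registers. It assumes a hypothetical WS-Trust 1.3 username endpoint on the custom STS, the URL_CLIENT audience from the Web.config above, and that the STS returns the JWT wrapped in a base64 BinarySecurityToken.

```csharp
using System;
using System.Linq;
using System.Text;
using System.IdentityModel.Protocols.WSTrust;   // RequestSecurityToken, RequestTypes, KeyTypes, EndpointReference
using System.IdentityModel.Tokens;              // GenericXmlSecurityToken, JwtSecurityTokenHandler
using System.ServiceModel;
using System.ServiceModel.Security;             // WSTrustChannelFactory, WSTrustChannel, TrustVersion

public static class JwtFromSts
{
    // Hypothetical WS-Trust 1.3 username endpoint of the custom STS (placeholder host).
    private const string StsEndpoint = "https://sts.example.test/Issue/UserName";
    // Matches the URL_CLIENT audience configured for the STS above.
    private const string ClientAppliesTo = "URL_CLIENT";

    public static string RequestJwt(string user, string password)
    {
        // Ask the installed handler for its token-type identifiers instead of hard-coding one;
        // the URI form is assumed to be "urn:ietf:params:oauth:token-type:jwt".
        string[] ids = new JwtSecurityTokenHandler().GetTokenTypeIdentifiers();
        string jwtTokenType = ids.FirstOrDefault(i => i.StartsWith("urn:", StringComparison.Ordinal)) ?? ids[0];

        // Message credentials over TLS; the STS must be reached over HTTPS so the password
        // and the issued token are not exposed on the wire.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        // TokenType is the RST field the answer refers to: it tells the STS which handler
        // should create the token, so the SAML handler is not picked by default.
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(ClientAppliesTo),
            KeyType = KeyTypes.Bearer,
            TokenType = jwtTokenType
        };

        var channel = (WSTrustChannel)factory.CreateChannel();
        RequestSecurityTokenResponse rstr;
        var token = channel.Issue(rst, out rstr) as GenericXmlSecurityToken;
        if (token == null)
            throw new InvalidOperationException("STS did not return a token.");

        // Assumption: the JWT arrives as a wsse:BinarySecurityToken whose text is the base64 JWT.
        string jwt = Encoding.UTF8.GetString(Convert.FromBase64String(token.TokenXml.InnerText));
        if (jwt.Split('.').Length != 3)
            throw new InvalidOperationException("Issued token is not a compact JWT; check the STS token type.");
        return jwt;   // pass as a bearer token to the WCF REST service
    }
}
```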

Developing ASP.NET MVC using MonoDevelop on MAC

I am developing a web app using ASP.NET MVC 2.0 in MonoDevelop. I have latest Mono 2.10 and MonoDevelop 2.4.2 and I am running them on Mac.
According to Mono's release notes, it should support ASP.NET MVC 2.0. However, I found MonoDevelop's project templates still only support ASP.NET MVC 1.0. So I had to create the MVC project from MonoDevelop, remove System.Web.Mvc 1.0.0.0 from the references and add System.Web.Mvc 2.0.0.0 back in. I can write and compile code OK and MonoDevelop does provide IntelliSense for methods that only exist in MVC 2.0 from both C# and aspx files. However, when I try to run it from MonoDevelop, I get a compilation error complaining about "<%: Html.LabelFor(model => model.Name) %>", as the LabelFor method cannot be recognized.
MonoDevelop uses XSP as its testing web server. I am not sure how it is configured as I didn't install it myself. I think it was installed as part of MonoDevelop. My guess is XSP somehow still uses MVC 1.0, but I can't prove it as I couldn't even find where it is installed.
Could anyone help me out please?
Update:
I have been suspecting web.config too. Here is how they look now:
web.config
<configuration>
<system.web>
<compilation defaultLanguage="C#" debug="true">
<assemblies>
<add assembly="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</assemblies>
</compilation>
<customErrors mode="RemoteOnly">
</customErrors>
<pages>
<namespaces>
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Routing" />
</namespaces>
</pages>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
web.config under views
<configuration>
<system.web>
<httpHandlers>
<add path="*" verb="*" type="System.Web.HttpNotFoundHandler" />
</httpHandlers>
<pages validateRequest="false" pageParserFilterType="System.Web.Mvc.ViewTypeParserFilter, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
pageBaseType="System.Web.Mvc.ViewPage, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
userControlBaseType="System.Web.Mvc.ViewUserControl, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<controls>
<add assembly="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
namespace="System.Web.Mvc" tagPrefix="mvc" />
</controls>
</pages>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="BlockViewHandler" />
<add name="BlockViewHandler" path="*" verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" />
</handlers>
</system.webServer>
</configuration>
Setting up an ASP.NET project for ASP.NET MVC requires changing and adding a load of settings in web.config. The project template in MD is for ASP.NET MVC 1.0, not ASP.NET MVC 2, so you're probably missing some of the necessary settings, maybe a namespace import.
I have this running with two of my current projects on MacOS X. There were only three steps I needed to make sure were done, they are as follows:
Upgrade the version on all references in both the inner (views) web.config and the outer (app) one [you've done this].
Dereference System.Web.MVC 1.0.0.0 & Reference 2.0.0.0 for the project
Ensure you don't have 1.0.0.0 binaries in your bin path, the public key does not change
I've done a downloadable zip file of a project template for Asp.Net MVC 4 which builds and runs on/in Mono/Xamarin Studio/MonoDevelop on Mac & Linux at http://www.cafe-encounter.net/p1319/run-asp-net-mvc4-on-mono-monodevelop-on-mac-the-c-template-project.
I should add that a lot of the issue resolution came from Does the Razor View Engine work for Mono?