Skip to content

Latest commit

 

History

History
115 lines (71 loc) · 6.39 KB

ws-federation.md

File metadata and controls

115 lines (71 loc) · 6.39 KB
Raw
title author description ms.author ms.custom ms.date uid
Authenticate users with WS-Federation in ASP.NET Core
chlowell
This tutorial demonstrates how to use WS-Federation in an ASP.NET Core app.
wpickett
mvc
01/16/2019
security/authentication/ws-federation

Authenticate users with WS-Federation in ASP.NET Core

This tutorial demonstrates how to enable users to sign in with a WS-Federation authentication provider like Active Directory Federation Services (ADFS) or Microsoft Entra ID. It uses the ASP.NET Core sample app described in Facebook, Google, and external provider authentication.

For ASP.NET Core apps, WS-Federation support is provided by Microsoft.AspNetCore.Authentication.WsFederation. This component is ported from Microsoft.Owin.Security.WsFederation and shares many of that component's mechanics. However, the components differ in a couple of important ways.

By default, the new middleware:

  • Doesn't allow unsolicited logins. This feature of the WS-Federation protocol is vulnerable to XSRF attacks. However, it can be enabled with the AllowUnsolicitedLogins option.
  • Doesn't check every form post for sign-in messages. Only requests to the CallbackPath are checked for sign-ins. CallbackPath defaults to /signin-wsfed but can be changed via the inherited xref:Microsoft.AspNetCore.Authentication.RemoteAuthenticationOptions.CallbackPath%2A?displayProperty=nameWithType property of the xref:Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions class. This path can be shared with other authentication providers by enabling the xref:Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.SkipUnrecognizedRequests%2A option.

Register the app with Active Directory

Active Directory Federation Services

  • Open the server's Add Relying Party Trust Wizard from the ADFS Management console:

Add Relying Party Trust Wizard: Welcome

  • Choose to enter data manually:

Add Relying Party Trust Wizard: Select Data Source

Add Relying Party Trust Wizard: Configure Certificate

  • Enable support for WS-Federation Passive protocol, using the app's URL. Verify the port is correct for the app:

Add Relying Party Trust Wizard: Configure URL

Note

This must be an HTTPS URL. IIS Express can provide a self-signed certificate when hosting the app during development. Kestrel requires manual certificate configuration. See the Kestrel documentation for more details.

  • Click Next through the rest of the wizard and Close at the end.

  • ASP.NET Core Identity requires a Name ID claim. Add one from the Edit Claim Rules dialog:

Edit Claim Rules

  • In the Add Transform Claim Rule Wizard, leave the default Send LDAP Attributes as Claims template selected, and click Next. Add a rule mapping the SAM-Account-Name LDAP attribute to the Name ID outgoing claim:

Add Transform Claim Rule Wizard: Configure Claim Rule

  • Click Finish > OK in the Edit Claim Rules window.

Microsoft Entra ID

  • Navigate to the Microsoft Entra ID tenant's app registrations blade. Click New application registration:

Microsoft Entra ID: App registrations

  • Enter a name for the app registration. This isn't important to the ASP.NET Core app.
  • Enter the URL the app listens on as the Sign-on URL:

Microsoft Entra ID: Create app registration

  • Click Endpoints and note the Federation Metadata Document URL. This is the WS-Federation middleware's MetadataAddress:

Microsoft Entra ID: Endpoints

  • Navigate to the new app registration. Click Expose an API. Click Application ID URI Set > Save. Make note of the Application ID URI. This is the WS-Federation middleware's Wtrealm:

Microsoft Entra ID: App registration properties

Use WS-Federation without ASP.NET Core Identity

The WS-Federation middleware can be used without Identity. For example: :::moniker range=">= aspnetcore-3.0" [!code-csharp] :::moniker-end

:::moniker range=">= aspnetcore-2.1 < aspnetcore-3.0" [!code-csharp] :::moniker-end

Add WS-Federation as an external login provider for ASP.NET Core Identity

:::moniker range=">= aspnetcore-3.0" [!code-csharp] :::moniker-end

:::moniker range=">= aspnetcore-2.1 < aspnetcore-3.0" [!code-csharp] :::moniker-end

[!INCLUDE default settings configuration]

Log in with WS-Federation

Browse to the app and click the Log in link in the nav header. There's an option to log in with WsFederation: Log in page

With ADFS as the provider, the button redirects to an ADFS sign-in page: ADFS sign-in page

With Microsoft Entra ID as the provider, the button redirects to a Microsoft Entra ID sign-in page: Microsoft Entra ID sign-in page

A successful sign-in for a new user redirects to the app's user registration page: Register page