ASP.NET Identity and Windows Identity Foundation (WIF)?

10

Once again talking about ASP.NET Identity. There is another theme within the same subject that I believe to be of great importance to the community (especially to me, the main stakeholder). This is Windows Identity Foundation (WIF).

What is it about? What would be a basic example of deployment for instructional purposes only?

asked by anonymous 19.05.2014 / 19:04

2 answers

4

I think for a good viewer, it's not enough to just translate something from MSDN or Wikipedia (here).


Windows Identity Foundation (WIF) is a Microsoft software framework for creating "Identity-aware" applications. It provides APIs for building ASP.NET or WCF-based security token services, as well as tools for building applications capable of "claims-aware" recognition.

Claims-aware is a common way for applications to get information about who is logging in (Identity) within the corporation, or even on the Internet. It also provides a very solid approach to running intranet or internet applications. Authentication with an STS works by having an identity-certifying agent issue a token. Read about STS here.

An example of STS authentication is on this site: Nfp SP, accessed with the digital certificate option.

Now that you're already contextualized, time to put your hands in the dough.

To develop an application with STS authentication, you first need a server that is digitally signed so that it can issue your token. Then you need to add this certificate to your TrustedIssuer list (example here).

After all this, it is necessary to implement authentication based on Windows Federated Authentication. It is very common to use smartcards for this: you just enter your PIN and access to the application is unlocked. Oh, the card, in turn, needs to be issued by a trusted agency, for example the official press.

The example I will use is an application written in ASP.NET MVC that authenticates via WIF.

    using System;
    using System.Configuration;
    using System.Web.Mvc;
    using Microsoft.IdentityModel.Protocols.WSFederation; // SignInRequestMessage (WIF 3.5)
    using Microsoft.IdentityModel.Web;                    // FederatedAuthentication, WSFederationAuthenticationModule

    // Base controller: concrete controllers inherit it to get the WS-Federation
    // sign-in / token-processing / sign-out actions.
    public abstract class SecurityController : Controller
    {
        // Fields
        // IdentitySection is the application's own ConfigurationSection type that
        // maps the <federatedMvc.identity> element of Web.config.
        private IdentitySection _identityConfig;

        // Methods

        // Receives the STS response (POST carrying wresult/wctx). If the federation module
        // can read it as a sign-in response, the user is sent back to the URL saved in wctx;
        // otherwise to the configured reply URL.
        [AcceptVerbs(HttpVerbs.Post), ValidateInput(false), AllowAnonymous]
        protected ActionResult ProcessToken()
        {
            var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
            string str = null;
            if (wSFederationAuthenticationModule.CanReadSignInResponse(System.Web.HttpContext.Current.Request, true))
            {
                str = System.Web.HttpContext.Current.Request.Form["wctx"];
            }
            return new RedirectResult(str ?? wSFederationAuthenticationModule.Reply);
        }

        // Builds the WS-Federation sign-in request (wa=wsignin1.0, wtrealm, wreply) and
        // redirects the browser to the STS. An explicit issuer overrides the configured one.
        [AllowAnonymous]
        public ActionResult SignIn(string issuer)
        {
            var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
            string str = null;
            if (!base.User.Identity.IsAuthenticated)
            {
                str =
                    new SignInRequestMessage(new Uri(string.IsNullOrEmpty(issuer) ? wSFederationAuthenticationModule.Issuer : issuer),
                        wSFederationAuthenticationModule.Realm, wSFederationAuthenticationModule.Reply).WriteQueryString();
            }
            return new RedirectResult(str ?? wSFederationAuthenticationModule.Reply);
        }

        // Clears the session cookie issued by WIF; "false" means this is not an
        // identity-provider-initiated sign-out request.
        public ActionResult SignOut()
        {
            var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
            if (base.User.Identity.IsAuthenticated)
            {
                wSFederationAuthenticationModule.SignOut(false);
            }
            return new RedirectResult(wSFederationAuthenticationModule.Reply);
        }

        // Properties

        // Lazily loads the <federatedMvc.identity> section from Web.config.
        protected IdentitySection IdentityConfig
        {
            get
            {
                return (this._identityConfig ?? (this._identityConfig = (IdentitySection)ConfigurationManager.GetSection("federatedMvc.identity")));
            }
        }
    }


federatedMvc.identity is a section of your Web.config that will hold the security keys for your STS server.

For example:

    <federatedMvc.identity securityController="Seguranca">
      <authenticationUris>
        <add type="Certificate" uri="https://CapsuleCorp/Identity.STS.Certificado/Login.aspx" />
      </authenticationUris>
    </federatedMvc.identity>

Then you need to add the <microsoft.identityModel> section to your web.config as well, and then set the required items according to the example:

    <service>
      <audienceUris>
        <add value="http://CapsuleCorp.com/FindDragonBalls" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="false" persistentCookiesOnPassiveRedirects="false"
                      issuer="https://CapsuleCorp.com/Identity.STS.Certificado/Login.aspx"
                      realm="http://CapsuleCorp.com/realm" reply="http://CapsuleCorp.com/home" requireHttps="false" />
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>
      <certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add name="CN=CapsuleCert" thumbprint="89cf12ef1f36a9bacaa4e813a44bb699bb46c359" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>

After this you can consult all the claims returned by the claims service, deny access or redirect somewhere; then the sky is the limit. With that, based on each claim, you can direct your efforts. Any questions, do not hesitate to ask.

22.05.2014 / 20:34
3

WIF is an authorization model based on claims (assertions) and not only on roles, as is usually done.

With claims, a user carries more information about themselves, for example age 18 and favorite food pizza, so in your app you can create creative rules based on claims. For example, a certain feature will only be available to users who are 18 years of age or older and who enjoy pizza.

This is a very simplified example, but to dig deeper into the subject I suggest reading the Israel Aece blog (link below), which has several posts in Portuguese on WIF and claims.

link

Complementing with a more usual example, imagine several characteristics of a person in the work environment, for example the branch they work at, cost center, department, etc. All of these can be assertions; for example, Joaozinho works in the IT department at the São Paulo branch and has 10 years with the company. Now the HR system can create certain creative rules (policies) to allow or deny access to certain system processes, for example requesting a bonus for length of service. In this case you could have a policy that only allows this request for people with more than X years and from a particular branch. Without claims it would be difficult to represent this in the form of roles; you would rather have to create a mechanism for it.

22.05.2014 / 14:25
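Both answers end up at the same point: the first says that once the token is in, you can consult all the claims the STS returned and deny access or redirect, and the second describes rules such as "18 or older and likes pizza" or "more than X years of service and from a particular branch". The C# below is an added example (not code from the question, from either answer, or from WIF itself) that builds the ClaimsPrincipal such a token would yield and evaluates those rules as policies. It uses System.Security.Claims (.NET 4.5 and later; WIF 3.5 has equivalent types under Microsoft.IdentityModel.Claims). The custom claim-type URIs, the sample user and the department/branch values are assumptions; the issuer name CN=CapsuleCert is the name registered under <trustedIssuers> in the first answer's config, which is what WIF assigns to Claim.Issuer for claims signed by that certificate, so a policy can refuse claims asserted by anything other than the trusted STS.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Claims;

// Claim-type URIs as the STS would emit them. Name and DateOfBirth are the standard
// System.Security.Claims.ClaimTypes values; the rest are constructed for this example
// (assumption: a real STS defines its own URIs).
static class AppClaimTypes
{
    public const string FavoriteFood   = "http://capsulecorp.example/claims/favoritefood";
    public const string Department     = "http://capsulecorp.example/claims/department";
    public const string Branch         = "http://capsulecorp.example/claims/branch";
    public const string YearsOfService = "http://capsulecorp.example/claims/yearsofservice";
}

// Outcome of a policy: allowed, or denied with a reason the app can log or turn into a redirect.
sealed class AuthorizationDecision
{
    public bool Allowed { get; }
    public string Reason { get; }
    AuthorizationDecision(bool allowed, string reason) { Allowed = allowed; Reason = reason; }
    public static AuthorizationDecision Allow() => new AuthorizationDecision(true, "ok");
    public static AuthorizationDecision Deny(string reason) => new AuthorizationDecision(false, reason);
}

static class ClaimPolicies
{
    // Issuer name WIF assigns to claims signed by the certificate registered under
    // <trustedIssuers name="CN=CapsuleCert" .../>. Claims from any other issuer are ignored.
    public const string TrustedIssuer = "CN=CapsuleCert";

    static string ValueOf(ClaimsPrincipal user, string claimType)
    {
        Claim claim = user.FindFirst(c => c.Type == claimType && c.Issuer == TrustedIssuer);
        return claim?.Value;
    }

    static int AgeOf(ClaimsPrincipal user, DateTime today)
    {
        string dob = ValueOf(user, ClaimTypes.DateOfBirth);
        if (dob == null || !DateTime.TryParseExact(dob, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                                   DateTimeStyles.None, out DateTime birth))
            return -1;                                          // no usable claim: age unknown
        int age = today.Year - birth.Year;
        if (birth.Date > today.Date.AddYears(-age)) age--;      // birthday not yet reached this year
        return age;
    }

    // Rule from the second answer: 18 or older and favorite food is pizza.
    public static AuthorizationDecision CanUsePizzaFeature(ClaimsPrincipal user, DateTime today)
    {
        if (AgeOf(user, today) < 18) return AuthorizationDecision.Deny("must be 18 or older");
        if (!string.Equals(ValueOf(user, AppClaimTypes.FavoriteFood), "pizza", StringComparison.OrdinalIgnoreCase))
            return AuthorizationDecision.Deny("feature is for pizza lovers only");
        return AuthorizationDecision.Allow();
    }

    // HR rule from the second answer: more than minYears of service and from a given branch.
    public static AuthorizationDecision CanRequestServiceBonus(ClaimsPrincipal user, int minYears, string branch)
    {
        if (!int.TryParse(ValueOf(user, AppClaimTypes.YearsOfService), out int years) || years <= minYears)
            return AuthorizationDecision.Deny($"needs more than {minYears} years of service");
        if (ValueOf(user, AppClaimTypes.Branch) != branch)
            return AuthorizationDecision.Deny($"only available to the {branch} branch");
        return AuthorizationDecision.Allow();
    }

    // The first answer's "consult all the claims returned": one line per claim, with its issuer.
    public static IEnumerable<string> Describe(ClaimsPrincipal user) =>
        user.Claims.Select(c => $"{c.Type} = {c.Value} (issuer: {c.Issuer})");
}

class Program
{
    // Builds the principal WIF would hand to the app after validating a token. All values are
    // constructed sample data; the first claim simulates one asserted by an untrusted party.
    static ClaimsPrincipal SampleUser()
    {
        const string sts = ClaimPolicies.TrustedIssuer;
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(AppClaimTypes.YearsOfService, "30", ClaimValueTypes.Integer, "LOCAL AUTHORITY"), // not from the STS
            new Claim(ClaimTypes.Name, "Joaozinho", ClaimValueTypes.String, sts),
            new Claim(ClaimTypes.DateOfBirth, "1990-04-12", ClaimValueTypes.Date, sts),
            new Claim(AppClaimTypes.FavoriteFood, "pizza", ClaimValueTypes.String, sts),
            new Claim(AppClaimTypes.Department, "TI", ClaimValueTypes.String, sts),
            new Claim(AppClaimTypes.Branch, "São Paulo", ClaimValueTypes.String, sts),
            new Claim(AppClaimTypes.YearsOfService, "10", ClaimValueTypes.Integer, sts),
        }, "Federation");
        return new ClaimsPrincipal(identity);
    }

    static void Main()
    {
        ClaimsPrincipal user = SampleUser();
        var today = new DateTime(2014, 5, 22);
        foreach (string line in ClaimPolicies.Describe(user)) Console.WriteLine(line);

        AuthorizationDecision pizza = ClaimPolicies.CanUsePizzaFeature(user, today);
        Console.WriteLine($"pizza feature: {pizza.Allowed} ({pizza.Reason})");

        // The untrusted "30 years" claim is skipped, so the STS-issued "10 years" value decides.
        AuthorizationDecision bonus = ClaimPolicies.CanRequestServiceBonus(user, 15, "São Paulo");
        Console.WriteLine($"bonus with >15 years: {bonus.Allowed} ({bonus.Reason})");
    }
}
```

The policies return a decision with a reason rather than a bare bool so that an MVC filter can choose between a 403 and a redirect and can log why access was refused. Note that the issuer check is only as strong as the token validation that precedes it: the sample config in the first answer sets certificateValidationMode="None" and revocationMode="NoCheck", which is fine for a lab STS but means a production deployment should validate the signing certificate chain and revocation before trusting the name WIF assigns to the issuer.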