Single Sign on With WIF
I have successfully integrated SSO with WIF on my two web domains. Now I have a requirement that some users sign on using SSO and other users do not use SSO. How can I achieve this?
I would appreciate your help,
Thanks
Shahram Javed
Your question is a little vague so maybe this is not the correct answer. Let me relate our story (which Eugenio helped with) with the hopes it helps the OP or someone else. I'm interpreting "not for other user" as that some users do not use SSO: presumably they use forms authentication or something different.
We use WIF for SSO in a web application that also supports a wif-implemented version of forms authentication.
If someone comes to the Sign In page and provides a user name and password, we use WIF to set a self-issued ClaimsPrincipal. Essentially, the website is providing claims to itself. FederatedAuthentication is used in the same way that FormsAuthentication normally is: set a cookie using a static method on FederatedAuthentication. Bit different, but basically the same principle.
```csharp
// Sign In page: issue a WIF session token for the locally authenticated user.
// claimsPrincipal was built from the user name/password check that ran before this.
var token = FederatedAuthentication.SessionAuthenticationModule
    .CreateSessionSecurityToken(claimsPrincipal, "MyApp.Token",
        DateTime.UtcNow, DateTime.UtcNow.AddDays(7), false); // valid 7 days, not a persistent cookie

// Second argument = true writes the session cookie so later requests arrive authenticated.
FederatedAuthentication.SessionAuthenticationModule
    .AuthenticateSessionSecurityToken(token, true);
```
Our web app uses a single trusted provider (an ADFS server that negotiates with N federated partners). We need a custom way to decide whether to redirect unauthenticated users to the Sign In page or to ADFS for SSO users. We disable passive redirect so WIF doesn't automatically send people to ADFS.
```xml
<wsFederation passiveRedirectEnabled="false"
              issuer="https://adfs.ourplace.com/adfs/ls/"
              realm="http://www.ourplace.com" .../>
```
From here we use an authentication attribute (we use ASP.NET MVC but whatever is appropriate for you).
```csharp
using System.Web.Mvc;

public class MyAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            return; // all good

        // Unauthenticated: SSO users go to ADFS, everyone else to the local Sign In page.
        // IsSSO, GetADFSUrl, GetSignInUrl and RedirectTo are our own helpers.
        RedirectTo(IsSSO() ? GetADFSUrl() : GetSignInUrl());
    }
}
```
To decide whether the user is an SSO user or not when they are unauthenticated is the Home Realm Discovery problem. Different people solve it differently. For us, when an SSO user first connects to the system using SSO we lay down a persistent cookie with their home realm (which is the Claims Provider Identifier in ADFS). If the cookie is absent, they go to Sign In. If the cookie is present, they get redirected to ADFS. The URL is:
```csharp
var adfsEntryPoint = FederatedAuthentication.WSFederationAuthenticationModule.Issuer;
var wtRealm = FederatedAuthentication.WSFederationAuthenticationModule.Realm;

// Home realm persisted when the SSO user first signed in ("HomeRealm" is an illustrative cookie name)
var homeRealmCookie = Request.Cookies["HomeRealm"];
var whr = homeRealmCookie == null ? string.Empty : homeRealmCookie.Value;

var redirectUrl = string.Format("{0}?wa=wsignin1.0&wtrealm={1}&whr={2}",
    adfsEntryPoint,
    HttpContext.Server.UrlEncode(wtRealm),
    HttpContext.Server.UrlEncode(whr));
```
If you redirect directly to N federated partners, maybe store the token renewal URL in the cookie.
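The following is an added example, not the answerer's own code, that puts the pieces of the answer above together in one place: a self-issued WIF session for users who sign in locally, a home-realm cookie written after an SSO sign-in, and an authorization filter that sends cookie holders to ADFS with `wa`/`wtrealm`/`whr` and everyone else to the Sign In page. It uses the .NET 4.5 WIF namespaces (`System.IdentityModel.Services`, `System.Security.Claims`); the `Microsoft.IdentityModel.*` names of the WIF 3.5 SDK differ. The cookie name, the sign-in route and the list of known claims providers are assumptions; the allow-list exists so that a tampered cookie value cannot steer the `whr` parameter to a realm ADFS was never configured for.

```csharp
// Added example (not from the original answer). Assumes .NET 4.5 WIF namespaces.
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

public static class HomeRealm
{
    public const string CookieName = "HomeRealm";   // assumed cookie name

    // Claims providers actually configured in ADFS (constructed values). Anything
    // else in the cookie is ignored, so the user falls back to the Sign In page.
    static readonly HashSet<string> Known =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "http://partner-a.example/adfs/services/trust",
            "http://partner-b.example/adfs/services/trust",
        };

    // Returns the validated home realm from the cookie, or null when absent/unknown.
    public static string Read(HttpRequestBase request)
    {
        var cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        return Known.Contains(cookie.Value) ? cookie.Value : null;
    }

    // Call once after a successful SSO sign-in so the next unauthenticated visit
    // can be sent straight to ADFS with the right whr.
    public static void Remember(HttpResponseBase response, string realm)
    {
        if (!Known.Contains(realm)) return;
        response.Cookies.Add(new HttpCookie(CookieName, realm)
        {
            Expires = DateTime.UtcNow.AddDays(30),
            HttpOnly = true,   // script never needs it
            Secure = true      // only sent over TLS
        });
    }

    // WS-Federation passive sign-in request: wa, wtrealm and (optionally) whr.
    public static string BuildSignInUrl(string issuer, string realm, string whr)
    {
        var url = issuer + "?wa=wsignin1.0&wtrealm=" + HttpUtility.UrlEncode(realm);
        if (!string.IsNullOrEmpty(whr))
            url += "&whr=" + HttpUtility.UrlEncode(whr);
        return url;
    }
}

public class SsoOrFormsAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;
        if (http.User != null && http.User.Identity.IsAuthenticated)
            return;

        string target;
        var whr = HomeRealm.Read(http.Request);
        if (whr != null)
        {
            // Passive redirect is disabled in web.config, so we build the URL ourselves.
            var fam = FederatedAuthentication.WSFederationAuthenticationModule;
            target = HomeRealm.BuildSignInUrl(fam.Issuer, fam.Realm, whr);
        }
        else
        {
            target = "/Account/SignIn";   // assumed forms sign-in route
        }
        // Assigning Result short-circuits the action; the redirect is issued by MVC.
        filterContext.Result = new RedirectResult(target);
    }
}

public static class LocalSignIn
{
    // Forms-style sign-in that issues the WIF session cookie itself (the answer's
    // self-issued ClaimsPrincipal). The password check must succeed before this runs.
    public static void IssueSession(string userName, IEnumerable<string> roles)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
        foreach (var role in roles) claims.Add(new Claim(ClaimTypes.Role, role));
        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Forms"));

        var sam = FederatedAuthentication.SessionAuthenticationModule;
        var token = sam.CreateSessionSecurityToken(principal, "MyApp.Token",
            DateTime.UtcNow, DateTime.UtcNow.AddHours(8), false);
        sam.AuthenticateSessionSecurityToken(token, true);   // writes the session cookie
    }
}
```

Decorate the controllers (or register the filter globally) with `[SsoOrFormsAuthorize]`, call `LocalSignIn.IssueSession` from the Sign In action after verifying the password, and call `HomeRealm.Remember` once the first WS-Federation sign-in has completed, passing the claims provider identifier your ADFS sends for that user. Keeping the allow-list in code is the simplest form; reading it from configuration works the same way as long as unknown values are still rejected.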