
Asp.net MVC - Map Claim identity to custom user identity

I'm trying to figure out where the best extension point in the ASP.NET MVC3 infrastructure is to map custom user information (loaded from a local database) after receiving the claims authentication from Azure Access Control Service 2.0.

I tried to achieve this by overriding the Authenticate method of the Microsoft.IdentityModel.Claims.ClaimsAuthenticationManager class:

using Microsoft.IdentityModel.Claims;

public class ClaimsTransformationModule : ClaimsAuthenticationManager
{
    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        // Load User from database and map it to HttpContext
        // Code here

        return base.Authenticate(resourceName, incomingPrincipal);
    }
}

However, it seems that this method is called more than once during a page load request. Loading custom user information here could produce a performance issue. I would like to load it only once per authenticated session.

Is there a better place to do that? Perhaps somewhere at a lower level where the IClaimsPrincipal is constructed?


You just need to do an IsAuthenticated check:

if (incomingPrincipal.Identity.IsAuthenticated)
{
   // Load User from database and map it to HttpContext
   // Code here
}

This will only run once after the user is first authenticated.


This only runs once, when the user logs in.

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();

        WebApiConfig.Register(GlobalConfiguration.Configuration);
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterBundles(BundleTable.Bundles);
        AuthConfig.RegisterAuth();
        FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated += WSFederationAuthenticationModule_SecurityTokenValidated;
    }

    void WSFederationAuthenticationModule_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
    {
        IClaimsPrincipal principal = e.ClaimsPrincipal;
        IClaimsIdentity identity = (IClaimsIdentity)principal.Identity;

        try
        {
            // SQL connection / claims injection
            if (principal.Identity.IsAuthenticated)
            {
                // identity.Claims.Add(new Claim(ClaimTypes.Role, "WebAdmins"));
            }
        }
        catch
        {
            // Error
        }
    }
}
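The two answers above share the same core step: look the user up in the local database exactly once, when a validated token arrives, and write the result back as claims. The following is an added example (not code from the question or either answer) that implements that step for the WIF 1.0 (Microsoft.IdentityModel) API used on this page. It guards against the anonymous calls the question complains about, skips the database when the identity already carries the application's marker claim, keys the lookup only on the NameIdentifier that the trusted issuer asserted, and tags every added claim with a separate local issuer so application data is never mistaken for something ACS said. The issuer names, the repository interface, the in-memory user table and the web.config fragment in the trailing comment are assumptions; the Enrich method is written as a static helper so the SecurityTokenValidated handler from the second answer can call it instead of the ClaimsAuthenticationManager.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Application data that the STS does not assert (constructed sample shape).
public class LocalUserProfile
{
    public string DisplayName { get; set; }
    public string[] Roles { get; set; }
}

// Hypothetical repository abstraction; the real one reads the local database.
public interface ILocalUserProfileRepository
{
    LocalUserProfile FindBySubject(string subject); // null when the subject is unknown
}

// Constructed in-memory stand-in so the example runs without a database.
public class InMemoryProfileRepository : ILocalUserProfileRepository
{
    private readonly Dictionary<string, LocalUserProfile> _users =
        new Dictionary<string, LocalUserProfile>(StringComparer.Ordinal)
        {
            { "acs-subject-0001", new LocalUserProfile { DisplayName = "Alice", Roles = new[] { "WebAdmins" } } },
        };

    public LocalUserProfile FindBySubject(string subject)
    {
        LocalUserProfile profile;
        return _users.TryGetValue(subject, out profile) ? profile : null;
    }
}

public class DatabaseClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Placeholder issuer names (assumptions): TrustedIssuer must match the name your
    // issuerNameRegistry assigns to ACS; LocalIssuer is whatever you choose for yourself.
    public const string TrustedIssuer = "https://<your-namespace>.accesscontrol.windows.net/";
    public const string LocalIssuer = "urn:example:local-profile";

    // Marker claim written once enrichment has happened. It travels in the session
    // cookie with the rest of the principal, so later requests skip the database.
    public const string EnrichedMarkerClaimType = "urn:example:profile-enriched";

    private static readonly ILocalUserProfileRepository Repository = new InMemoryProfileRepository();

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal != null)
        {
            Enrich(incomingPrincipal, Repository);
        }
        return base.Authenticate(resourceName, incomingPrincipal);
    }

    // Returns true when the database was consulted on this call, false when it was skipped.
    public static bool Enrich(IClaimsPrincipal principal, ILocalUserProfileRepository repository)
    {
        var identity = principal.Identity as IClaimsIdentity;

        // WIF may run the manager for anonymous requests as well: nothing to load for them.
        if (identity == null || !identity.IsAuthenticated) return false;

        // Already enriched earlier in this session: do not hit the database again.
        if (identity.Claims.Any(c => c.ClaimType == EnrichedMarkerClaimType && c.Issuer == LocalIssuer)) return false;

        // Key the lookup only on the NameIdentifier that the trusted issuer asserted,
        // never on a claim of unknown origin.
        var subject = identity.Claims.FirstOrDefault(
            c => c.ClaimType == ClaimTypes.NameIdentifier && c.Issuer == TrustedIssuer);
        if (subject == null) return false;

        var profile = repository.FindBySubject(subject.Value);
        if (profile != null)
        {
            identity.Claims.Add(new Claim(ClaimTypes.Name, profile.DisplayName, ClaimValueTypes.String, LocalIssuer));
            foreach (var role in profile.Roles)
            {
                identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, LocalIssuer));
            }
        }

        // Write the marker even for unknown users so an unmapped account does not
        // trigger a lookup on every request.
        identity.Claims.Add(new Claim(EnrichedMarkerClaimType, "1", ClaimValueTypes.String, LocalIssuer));
        return true;
    }
}

// Registration in web.config (WIF 1.0; assembly name is a placeholder):
// <microsoft.identityModel>
//   <service>
//     <claimsAuthenticationManager type="DatabaseClaimsAuthenticationManager, YourAssembly" />
//   </service>
// </microsoft.identityModel>
```

Because the marker and the role claims are stamped with LocalIssuer, an authorization check can distinguish "ACS said this user is an admin" from "our own table says so", and a later audit of the session cookie shows exactly which claims were locally added.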


Any user information which is not coming from the STS is satellite data about the user. So it would be best to represent this with the ASP.NET ProfileProvider infrastructure.

Update:

Another thing which you can do is implementing a simple custom STS which will add your custom claims, coming from your DB, into the incoming claims. Your custom STS will trust ACS and will take SAML tokens, and it will be trusted by your web application.

Another thing, which I haven't tried, would be attempting to tamper with the claims coming from the STS. One thing which you can give a try is registering for the SecurityTokenValidated event of the WSFederationAuthenticationModule. In this event you can try to add your additional claims into the ClaimsPrincipal of the event arg.

This event should be raised before the session token is created, so you should be looking up the DB once per login.

cheers,

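The custom STS suggested in this answer is the one option that keeps the web application's claims pipeline untouched: ACS authenticates the user, the intermediate STS appends the database claims, and the application trusts only the intermediate STS. The block below is an added example (not the answer's own code) of the two methods such an STS must override in WIF 1.0's Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService. It refuses token requests for relying parties outside an allow-list, copies only the claims that the trusted ACS issuer asserted, and appends the locally looked-up claims under a distinct issuer. The issuer names, the relying-party address and the lookupLocalClaims delegate (standing in for the database query) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// An STS that sits between ACS and the web application and enriches tokens.
public class ProfileEnrichingSts : SecurityTokenService
{
    // Placeholder issuer names (assumptions): AcsIssuer must match the name the
    // STS's own issuerNameRegistry assigns to ACS.
    private const string AcsIssuer = "https://<your-namespace>.accesscontrol.windows.net/";
    private const string LocalIssuer = "urn:example:local-profile";

    // Only these relying parties may obtain tokens from this STS (placeholder address).
    private static readonly HashSet<string> AllowedRelyingParties =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://app.example.test/",
        };

    // Hypothetical lookup: given the subject ACS asserted, return the application's
    // own claims for that user (in the real system this queries the database).
    private readonly Func<string, IEnumerable<Claim>> _lookupLocalClaims;

    public ProfileEnrichingSts(SecurityTokenServiceConfiguration configuration,
                               Func<string, IEnumerable<Claim>> lookupLocalClaims)
        : base(configuration)
    {
        if (lookupLocalClaims == null) throw new ArgumentNullException("lookupLocalClaims");
        _lookupLocalClaims = lookupLocalClaims;
    }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
        {
            throw new InvalidRequestException("AppliesTo is required.");
        }

        string appliesTo = request.AppliesTo.Uri.AbsoluteUri;
        if (!AllowedRelyingParties.Contains(appliesTo))
        {
            // Refuse to mint tokens for an address we have not been configured to trust.
            throw new InvalidRequestException("Unknown relying party: " + appliesTo);
        }

        var scope = new Scope(appliesTo, this.SecurityTokenServiceConfiguration.SigningCredentials);
        scope.ReplyToAddress = appliesTo;
        // The token is signed; set this to true and supply EncryptingCredentials when
        // the claims themselves must stay confidential from the browser.
        scope.TokenEncryptionRequired = false;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,
                                                              RequestSecurityToken request,
                                                              Scope scope)
    {
        var incoming = (IClaimsIdentity)principal.Identity;
        if (!incoming.IsAuthenticated)
        {
            throw new InvalidRequestException("Caller is not authenticated.");
        }

        // Pass through only what ACS asserted; anything else in the principal is dropped.
        var acsClaims = incoming.Claims.Where(c => c.Issuer == AcsIssuer).ToList();
        var subject = acsClaims.FirstOrDefault(c => c.ClaimType == ClaimTypes.NameIdentifier);
        if (subject == null)
        {
            throw new InvalidRequestException("No NameIdentifier claim from the trusted issuer.");
        }

        var output = new ClaimsIdentity();
        foreach (var claim in acsClaims)
        {
            // Copy() detaches the claim from the incoming identity before re-adding it.
            output.Claims.Add(claim.Copy());
        }

        // Database-derived claims are re-issued under the local issuer so the relying
        // party can tell them apart from the ACS claims.
        foreach (var local in _lookupLocalClaims(subject.Value))
        {
            output.Claims.Add(new Claim(local.ClaimType, local.Value, local.ValueType, LocalIssuer));
        }
        return output;
    }
}
```

On the application side the trade-off is that the web application now has to trust the intermediate STS's signing certificate instead of ACS directly, and that STS becomes a second place where the token audience and issuer must be validated; the allow-list in GetScope is what stops it from being used as an open token-minting service for arbitrary relying parties.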