External authentication with Claims and WS-Federation in MVC4 .NET4.5 Part 5: configuring multiple identity providers for federated log-in

Normally a web application is configured to use a single STS for authentication. Using the Identity and Access Tool also pushes you into that direction; there’s no option to set up 2 or more different federated STSs.

However, there may be cases where you would like to allow external users to access your application. Who are these external users? A typical example is the users of a business partner; those users will use a different STS to access their own web app. What if you wish to give those users access to your web app without them having to sign up with your app first? After all you don’t want to manage those accounts, right? They are not really your users, you don’t want to be responsible for their sensitive data in your database.

You could instead somehow configure your application to accept tokens from 2 STSs: your own and that of the partner company. You can designate the STS of the partner as a trusted identity provider. If the external user can come with a token from that other trusted STS then they will be allowed to view your application.

The recommended way to implement this is to follow a pattern called ‘Resource-STS’ or ‘Federation Gateway’.

The idea of this pattern is the following:

• Your application should only trust one single token service. Always.
• This “master” STS is called the Resource-STS
• The Resource-STS can be configured to broker trust with other token services
• The external users contact your STS and carry with them the token from their STS
• Your STS will understand the external token because the Issuer figures on its trusted issuers’ list
• Your STS will issue a new token that your application trusts and understands

This method simplifies the configuration of your web application because it still only needs to be concerned with your single trusted STS. The external relying parties will not need any reconfiguration either. The only application that will need to be adjusted is your STS because it must understand tokens that do not originate from your application.

The trust relationships are set up as follows:

• Your web app trusts your STS
• Your STS trusts the STS of the business partner
• The application of the business partner trusts the external STS

So indirectly your web app will trust the external users.

The logical steps to log on to your web application “from the outside” will look like this:

1. An external user logs in to their own STS which lies within their domain
2. The external STS will issue a security token to that external user
3. The external token will be sent to your STS
4. Your STS will validate the external token
5. If necessary your STS will even transform the external claims into claims that your application needs
6. The external user will be given a new token by your STS, a token which comes from your side of the authentication chain: it is signed by your STS
7. In the last step the external user sends the transformed token to your we app
8. From here onwards we have “business as usual”: the claim is inspected, transformed, saved in the auth session etc.

However, there seems to be something missing. The external user will need to navigate to your application first, right? They do not contact the STS login page first and somehow try to modify the URL, that would be impractical. It is your application that should redirect the user to your STS. The additional difficulty is the following: how does your application know where the visiting user is coming from? Which STS should it redirect the user to? The complexity increases if there are more than one external STSs. Even if we establish that the user is an “external” one, then which external STS is theirs?

The process of finding out who is trying to log in and where to redirect this user is called Home Realm Discovery. There’s of course no magic way to answer all those questions in the previous paragraph, we simply need to ask the visitor. Are you a partner? Which partner? Are you an “internal” user? There will be a special GUI within your application to ask these questions and redirect the user to the correct STS.

This GUI may actually not be necessary. There is another way to discover where the external user is coming from. If you have 5 partners then you will probably have links on their web sites that lead to your web application. You can build special landing pages for each of those partners. You can then see based on the opening URL where the user is coming from. Once you know that then you can add a special flag to the STS Url. The flag takes the form of ‘&whr=[id_of_external_identityprovider]’ where ‘hr’ means home realm. The URL may look like the following:

https://idsrv/issue/hrd/?wa=wsignin1.0&wtrealm=https://www.myapplication.com&whr=%5Bid_of_external_identityprovider%5D

Demo

A pre-warning: this demo is far from complete as I don’t have access to a second STS.

Navigate to the Thinktecture Identity Server we installed before and log into the identity provider. Select the [administration] link and then choose the Identity Providers menu item:

Click “New” and you will be presented with the necessary fields to enter a trusted federation endpoint:

This is where you can add the details of an external STS. I don’t have any such STS unfortunately but the textboxes are pretty self-explanatory. Typical values might look like this:

The thumbprint is the certificate signature of the external STS which helps us decide whether the token is coming from a trusted source. The WS-Federation endpoint is the value of the login page of the external STS, like https://localhost/idsrv/issue/wsfed in the case of the demo project.

As we want to run the auth process through Home Realm Discovery we have to update the issuer from ‘wsfed’ to ‘hrd’:

<system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false" />
      <wsFederation passiveRedirectEnabled="true" issuer="https://andras1/idsrv/issue/hrd" 
                    realm="http://localhost:2533/" requireHttps="false" />
    </federationConfiguration>
  </system.identityModel.services>

Other commercially available STSs will also have similar URLs for home realm discovery. As we don’t have any other STSs there’s no point in testing the application really. However, using the hrd link we would land on an interim page where the user can select among the available STSs and pick the one that’s relevant to them. They will then be redirected to the login page of their STS. After a successful login the user will see the protected page of your web application.

In case you would like to go directly to an external STS after identifying where the external user is coming from you have two choices:

Add the homeRealm attribute to the web.config:

<wsFederation passiveRedirectEnabled="true" issuer="https://andras1/idsrv/issue/hrd" 
                    realm="http://localhost:2533/" requireHttps="false" homeRealm="BusinessPartner" />

The homeRealm value will be the ‘Identifier’ field in the Identity Providers setup window we saw above. It adds the ‘&whr=BusinessPartner’ parameter to the STS query string. It tells our STS to go directly to the external STS called ‘BusinessPartner’ and do not show the interim page where the user can pick one of the available trusted STSs.

This is of course a very static way of specifying an external STS. Fortunately we can assign this value dynamically as well. You’ll need to override the following method in Global.asax:

public void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
        {

        }

You can set the Home Realm parameter using the RedirectingToIdentityProviderEventArgs parameter as follows:

SignInRequestMessage signInRequestMessage = e.SignInRequestMessage;
            signInRequestMessage.HomeRealm = "BusinessPartner";

You obviously need to somehow decide beforehand where the user is coming from. If you use different landing pages for each partner, such as:

• partnerone.mycompany.com
• partnertwo.mycompany.com

…or

• http://www.mycompany.com?partner=partnerone
• http://www.mycompany.com?partner=partnertwo

…then this should be a straighforward task.

This finishes the entire series of posts dedicated to Claims in .NET4.5. I hope it is enough to get you started with your own Claims-aware web or desktop projects. Happy programming!

The next post will be the starting point for an entirely different topic: Test Driven Development in .NET.

You can view the list of posts on Security and Cryptography here.

External authentication with Claims and WS-Federation in MVC4 .NET4.5 Part 4: Single SignOut and Single SignOn

In the previous post we left off with the shortcomings of the Logout function: we log out of the web application but the session is still alive on the STS. Would like to end all our sessions when we press Logoff on the main screen. Similarly if there are multiple web sites that share the same STS then we would prefer to log in once on the STS login page and then be able to use all those applications.

These techniques are called Single SignOn and Single SignOut.

We will build on the MVC4 application we have been working on in this series of blog posts.

Single SignOn

Single SignOn is really nothing else but an application of the widely used “Remember Me” function. Say you have two web applications, SiteA and SiteB that share the same STS. You start the day by logging in to SiteA and do some work there. You’ll of course use the STS login page. The STS will establish a login session with the client. The browser will send the FedAuth cookie with all subsequent requests.

Then at some point you need to use SiteB. SiteB also needs authentication and redirects the user to the same STS. However, the STS will recognise the user’s FedAuth cookie and will issue another token for SiteB without having to log in again.

Therefore we get Single SignOn accross all applications that use the same STS.

Single SignOut

This requires some more steps. It is necessary to clean the local session cookie but it’s not enough. We need to inform the STS that we want to sign out, so please dear STS, end the auth session at your side too. The STS will need to clear its own session cookie so that the Single SignOn session is terminated. Optionally it can also tell the other relying parties that the user wants to sign out, but this is not mandatory. If you only clear the local session cookie of SiteA and the session at the STS, then when you go over to SiteB the STS will not recognise you any more as you killed the auth session. So you will need to sign in again.

If you want to end the auth sessions in all relying parties you have accessed before you click the Logoff button then the STS will need to keep track of all apps you have used since your first log in. Then when you log out of SiteA then the STS will ‘contact’ SiteB to end the auth session there too.

You’ll recall from our discussion of the URL format for logging that it had the section ‘?wa=wsignin1.0’. There is a similar URL format for signing out: ‘?wa=wsignout1.0’. The client will send a GET request to the STS with this URL. The STS in turn will look up in its records which relying parties the user has logged in to since they first logged on. The STS will respond the client with a HTML that may look like this:

<p>
    <img src="https://relyingparty1/?wa=wsignoutcleanup1.0" />
</p>
<p>
    <img src="https://relyingparty2/?wa=wsignoutcleanup1.0" />
</p>

And possibly many possible solutions exist as to how to send the signoutcleanup message, the above HTML is not unique at all.

The main bit is the signoutcleanup message: http://relyingparty1/?wa=wsignoutcleanup1.0

The client browser will contact all the relying parties in the message and send them a signoutcleanup message.

To recap:

1. The client clear his/her local auth cookie
2. The client contacts the STS
3. The STS clears its own session cookie
4. STSs replies with a page similar to the above markup
5. The client uses that message to inform the other relying parties about the logoff event
6. The relying parties clear their own auth cookies

Demo

Open the MVC4 appluication we’ve been working on in this series. Run the application and press F12 to open the Developer Tools just as we did before in the Claims series. Select Start capturing on the Network tab. On the home page of the MVC4 application select the About link to trigger a sign in. This time check the Remember Me checkbox:

The STS will set two cookies: idsrvauth and wsfedsignout:

The idsrvauth cookie is the logon session with the STS itself. The wsfedsignout cookie is a tool for the STS to keep track of the relying parties the user has logged into.

The STS will issue a cookie to establish a logon session with the client. You can see the FedAuth cookie issued by the STS in Developer Tools:

Close the browser running the MVC4 app on localhost and re-run the application. We do this in order to simulate two things:

• The user wants to re-enter the same web app after closing it first
• The user is trying to enter another relying party which uses the same STS for authentication

Click the About link to trigger the authentication. You should see the following:

• You are redirected to the STS login page
• The login page never actually loads
• You are redirected to the About page automatically

This is the effect of the Remember Me checkbox. The STS recognises the previously established logon session with the user and does not require the login name and password again. The STS simply issues a new auth token.

This is the essence of Single SignOn and this is the solution for multiple relying parties on different web servers.

We now have to implement Single SignOut. Locate the LogOff action within AccountController.cs. Currently it may look similar to the following:

[HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult LogOff()
        {
            FederatedAuthentication.WSFederationAuthenticationModule.SignOut();
            return RedirectToAction("Index", "Home");
        }

This will only end the auth session in the MVC4 web app but not at the STS. Test it for yourself: run the application, click on ‘About’ and after logging in click the Log off link in the top right hand corner. You have successfully logged out of the MVC4 app. However, click About again. You will be redirected to the MVC4 without having to log in. This may be a good thing in some cases, but a Log off should mean LOG OFF, right?

Let’s update the LogOff action as follows:

[HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult LogOff()
        {
            WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;

            //clear local cookie
            authModule.SignOut(false);

            //initiate federated sign out request to the STS
            SignOutRequestMessage signOutRequestMessage = new SignOutRequestMessage(new Uri(authModule.Issuer), authModule.Realm);
            String queryString = signOutRequestMessage.WriteQueryString();
            return new RedirectResult(queryString);
        }

We first get a reference to the WS Federation authentication module. Then we clear the local cookie using the SignOut method. Then we construct a signout request message. The constructor requires the Issuer Uri and the Realm which will be read from the web.config. The WriteQueryString() method will form a valid ‘wsignout’ URL which will be understood by the STS. It will ‘know’ that the user wants to log out. You can set a breakpoint at ‘String queryString = signOutRequestMessage.WriteQueryString();’ to see what the signout request looks like.

Run the application and click the About link as usual. Click the Log off link and code execution should stop at the breakpoint within the LogOff action. You can now inspect the queryString variable and see what a signout URI looks like. We are redirected to the STS and we’re greeted with the following message:

The signout URI will look similar to the following:

https://andras1/idsrv/issue/wsfed?wa=wsignout1.0&wreply=http%3a%2f%2flocalhost%3a2533%2f

You’ll see the ‘wsignout’ command and the ‘wreply’ which provides a way to return to the calling application.

Inspect the HTML source of the SignOut page of the STS. You’ll find the wssignoutcleanup command embedded in an iframe:

Click ‘Return to the application” and the select the About link. You will see that you have to provide your username and password again on the STS homepage meaning that we successfully killed off the auth session at the STS as well. The session was ended at all relying parties in the STS records as well.

This finishes up this blog post. The next one which will be the last post in this series about Claims in .NET4.5 will discuss the following more advanced topics:

• Home realm discovery
• Federated Sign-In
• Resource STS and Federation Gateway

You can view the list of posts on Security and Cryptography here.

Claims-based authentication in .NET4.5 MVC4 with C#: External authentication with WS-Federation Part 3 Various advanced topics

In the previous post we looked at some basic features of WS-Federation in a .NET4.5 MVC4 web app. In this post we’ll dive into some advanced features around WS-Federation.

Topics we’ll discuss include:

• Dynamic WS-Federation configuration at runtime
• WS-Federation authentication events
• Logging off

The features will be presented in a demo at the end as usual.

Dynamic configuration

We saw in Part 2 how WS-Federation can be configured in web.config. Those settings are of course static. However, occasionally you may need to set some properties dynamically. You might have these values stored in a database or you need to query a web service for the right configuration.

You can achieve this using Global.asax in the Application_Start() method. First wire up the FederationConfigurationCreated event as follows:

FederatedAuthentication.FederationConfigurationCreated += FederatedAuthentication_FederationConfigurationCreated;

…where FederatedAuthentication_FederationConfigurationCreated will initially look like the following:

void FederatedAuthentication_FederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
        {
            throw new NotImplementedException();
        }

The incoming FederationConfigurationCreatedEventArgs has a property called FederationConfiguration. This property in turn has other properties, such as Name, ServiceCertificate, IdentityConfiguration, etc. that allow you to dynamically set the WS-Federation properties at runtime. Thus you get programmatic access to all WS-related configuration elements in web.config. Feel free to inspect what’s available using IntelliSense.

WS-Federation authentication events

The WSFederationAuthenticationModule, which is available as a property of FederationAuthentication has events similar to those of the SessionAuthenticationModule which we discussed before.

Type FederatedAuthentication.WSFederationAuthenticationModule. in the editor and inspect the available events using IntelliSense. The names of the events are pretty self-explanatory. We will look at the event called RedirectingToIdentityProvider in the demo. This event is fired when the HTTP request is redirected to the STS. Here you have the chance to modify the data that’s sent to the STS at runtime. You would hook up the event in Global.asax in the Application_Start() method:

FederatedAuthentication.WSFederationAuthenticationModule.RedirectingToIdentityProvider += WSFederationAuthenticationModule_RedirectingToIdentityProvider;

…which looks initially like this:

void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
        {
            throw new NotImplementedException();
        }

The RedirectingToIdentityProviderEventArgs parameter has a property called SignInRequestMessage which allows you to modify the outgoing message properties, such as Realm, BaseUri etc. You can create a new SignInRequestMessage as follows:

SignInRequestMessage signInRequestMessage = new SignInRequestMessage(new Uri("https://stsuri"), "the realm identifier");
String completeQueryString = signInRequestMessage.WriteQueryString();

You can then send the query string to the STS. This is the technique to be used with the Login link on your web page. As the web app does not have its own Login page any more the Login link needs to lead to the external STS using the query string constructed from the SignInRequestMessage object. We’ll see in the demo how this works.

Logging off

Locate the LogOff action in AccountController.cs. If you followed the posts in the series then you may have the following calls in there at present:

WebSecurity.Logout();
FederatedAuthentication.SessionAuthenticationModule.SignOut();

You can delete them and add the following call instead:

FederatedAuthentication.WSFederationAuthenticationModule.SignOut();

This will clear out the FedAuth session cookie. However, this will not sign you out of the STS. There’s a technique called Single SignOut which will do that for you. We won’t look at that in this blog post but in the next one.

Sliding expiration

Sliding session token expiration was explained here. You use the same techniques in the case of WS-Federation.

Server-side security token caching

This is very similar to FederatedAuthentication.SessionAuthenticationModule.SessionSecurityTokenReceived we saw here:

FederatedAuthentication.WSFederationAuthenticationModule.SessionSecurityTokenCreated += WSFederationAuthenticationModule_SessionSecurityTokenCreated;

In WSFederationAuthenticationModule_SessionSecurityTokenCreated you would then set the reference mode to true:

e.SessionToken.IsReferenceMode = true;

The effect is the same as before: not the entire Claims collection is serialised into FedAuth but only an identifier and the server will locate the serialised Claims collection using that token identifier.

Demo

Open the MVC4 internet application we’ve been working on in this series. Let’s see how dynamic configuration works first. Go to Global.asax and locate the Application_Start() method. Wire up the RedirectingToIdentityProvider event as follows:

FederatedAuthentication.WSFederationAuthenticationModule.RedirectingToIdentityProvider += WSFederationAuthenticationModule_RedirectingToIdentityProvider;

The skeleton of WSFederationAuthenticationModule_RedirectingToIdentityProvider will look like this:

void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
        {
            SignInRequestMessage signInRequestMessage = e.SignInRequestMessage;
        }

Set a breakpoint at ‘SignInRequestMessage signInRequestMessage = e.SignInRequestMessage’ and run the application. Click the About link and you’ll see that code execution stopped at the break point. Inspect the SignInRequestMessage property in the Locals window and you’ll see it holds the values of the Request Url and the Realm:

Here we have the chance to dynamically set these properties based on a DB lookup or a web service call or a similar mechanism.

The SignInRequestMessage object can be used to redirect the user to the external Login page if the user clicks the Login link on the main screen. In a traditional forms-based app the user would then see the internal Login page but that is not an option any more.

Locate the Index action within HomeController.cs. There are two ways to construct the SignIn message. One is using a constructor:

SignInRequestMessage signInRequestMessage = new SignInRequestMessage(new Uri("https://andras1/idsrv/issue/wsfed"), "http://localhost:2533/");

You pass in the STS login URI and the realm. I simply copied the values from web.config.

Another way to set these properties is the following:

FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Realm = "http://localhost:2533/";
            FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Issuer = "https://andras1/idsrv/issue/wsfed";

We’ll go with the constructor type of solution. Add the following just before the return statement in the Index action:

SignInRequestMessage signInRequestMessage = new SignInRequestMessage(new Uri("https://andras1/idsrv/issue/wsfed"), "http://localhost:2533/");
            ViewBag.StsSignInUrl = signInRequestMessage.WriteQueryString();

For simplicity we add the query string to the ViewBag. Ideally it would be part of a ViewModel, but that’s beside the point in this discussion. Open Index.cshtml in the Views/Home folder. Add the following markup somewhere in the View:

            <p>
                <a href="@ViewBag.StsSignInUrl">Log in here!</a>
            </p>

Run the application now and click the generated Login link on the home page. If you set up the STS login URL correctly then you’ll be redirected to the STS where you can sign in. Upon successful login you’ll be redirected to the MVC4 web app with Hello, [username] in the top right hand corner meaning that you successfully logged in to you site.

We modified the LogOut action before to make sure that the FedAuth cookie is removed. Press the ‘Log off’ link and you should then be logged out of the web site. Great! However, keep in mind what we said about the logoff method before: the session ended as far as the MVC application is concerned but is still alive on the STS side. Press the About link again and you should be automatically logged in without having to provide the username and password.

You can end the STS session by a technique called Single SignOut which is one of the things we’ll look at in the next blog post among other features such as Single SignOn.

You can view the list of posts on Security and Cryptography here.

Claims-based authentication in .NET4.5 MVC4 with C#: External authentication with WS-Federation Part 2 Testing a real STS

In this post we’ll go into more details of WS-Federation in .NET4.5 using the MVC4 internet project we produced in the previous post. More specifically we’ll look at the changes that the Identity and Access Tool made to our project when we introduced the local STS.

We’ll introduce the following topics:

• External login specification
• Setting up trust
• Certificate validation
• Token validation
• Federation metadata

In the demo we’ll continue with the MVC4 application we started in the earlier posts. We’ll also test a real STS instead of the built-in local one.

External login

In a traditional .NET forms-based web app you would specify the login page as follows:

<authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" />
    </authentication>

This login page is then an internal page of the web application.

A web app that is fully claims-based will be void of any internal Login page as we saw in the previous post. Instead we’ll specify an external Login like this:

<system.identityModel.services>
    <federationConfiguration>
     
      <wsFederation passiveRedirectEnabled="true" 
                    issuer="http://localhost:12808/wsFederationSTS/Issue" 
                    realm="http://localhost:2532/" requireHttps="false" />
    </federationConfiguration>
  </system.identityModel.services>

This was added by the Identity and Access Tool to web.config. Issuer is the URL of the login service. As you see it is an external URL as opposed to the relative one of the forms-auth solution. The realm is the identifier of your application, usually its URL. It is used by the STS to know who the token is meant for so that it can build application specific security tokens.

Setting up trust

Another important section added by the Identity and Access Tool sets up the trust between the web app and the local STS:

<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry,    System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
	<authority name="LocalSTS">
		<keys>
			<add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" />
		</keys>
		<validIssuers>
			<add name="LocalSTS" />
		</validIssuers>
	</authority>
</issuerNameRegistry>

This is located within the system.identityModel element. The issuerNameRegistry specifies the details of the trust relationship between the web app and the STS. You can specify a type, which will be a class that allows to set up the trust through configuration. There’s a built-in implementation called ValidatingIssuerNameRegistry which works just fine. You can provide your own solution by deriving from that class if you want to describe the trust relationship in another way, e.g. through a database.

The above configuration is telling us the following: we have one valid, i.e. trusted issuer whose X509 signature -i.e. thumbprint – is 9B74CB2F320F7AAFC156E1252270B1DC01EF40D0 and bears the name ‘LocalSTS’. Our application will accept claims from this issuer. .NET will automatically look at the thumbprint of the issuer in the token and check the value(s) against the one in web.config. If the token was signed by a different X509 certificate then the token will be rejected. If the values match then the ‘Issuer’ property of the token will be assigned the symbolic name of ‘LocalSTS’. The ‘Isser’ property of each claim will receive this value as well.

Certificate validation

There’s an optional step after the token has been accepted by the web app, i.e. after the token has passed the first level of scrutiny which is checking the thumbprint.

Normally that initial check is enough for us to say that the token is real. The keys element contains very strong statements about which certificates are the trusted ones. In addition, however, we can perform an additional check on the certificate itself as follows:

<certificateValidation certificateValidationMode="ChainTrust" revocationMode="Online" />  

This will check if your certificate store includes a certificate with the same thumbprint and that it has not been revoked in the meantime. ChainTrust means that .NET will check if the specified issuer, i.e. LocalSTS is available in your trusted CA folder in your certificate store. revocationMode Online means that we want to go the CRL – Certificate Revocation List – endpoint of the CA to see if the certificate has been revoked.

This extra validation step is often not needed as stated above. It adds extra complexity to your application: the same X509 certificate that was used to sign the token must be installed on the application server and the web server must have access to the CRL endpoint. If you are satisfied with the list of thumbprints and do not want to carry out any additional checks then you can set this type of validation to none as follows:

<certificateValidation certificateValidationMode="None" />  

This is inserted by the Identity and Access Tool by default within the identityConfiguration node.

Token validation

Token validation is different from certificate validation. When validating a token we want to make sure that it is really meant for our application. This is expressed by the following element added by the Identity and Access Tool to the web.config file:

      <audienceUris>
        <add value="http://localhost:2532/" />
      </audienceUris>

Imagine that there are two applications that trust the same STS and that a token meant for myniceapplication is redirected to myotherniceapplication. As they both trust the same certificate then myotherniceapplication will also accept the token meant for myniceapplication. This can lead to subtle security holes that can be difficult to discover.

The STS will embed the name of the realm in the token. Recall that the realm is also specified as the unique ID in the query string sent to the STS login page. The same value will be put back inside the token. The above audienceUri setting will check if the URI value, i.e. http://localhost:2532 is the same as the one embedded in the token. This will make sure that the token was really meant for our own web application.

Federation metadata

Federation metadata is an XML document that describes the STS: WS-Federation endpoint, which certificate is used to sign the token etc. Most STSs support this document format. The Identity and Access Tool specifies this document in the web.config as follows:

<add key="ida:FederationMetadataLocation" value="http://localhost:13866/wsFederationSTS/FederationMetadata/2007-06/FederationMetadata.xml" />

We will look at this document in more detail in the demo.

Demo

Now we’ll see how to set up and use a real STS.

For the demo we’ll use an STS built by Thinktecture. The Thinktecture IdentityServer was created using .NET4.5, it is open source and can be used as a starting point of a custom-made STS in your own project. Navigate to the following link:

Thinktecture IdentityServer 2.1

Download the zip file containing the source code from the ‘Download’ link. Make sure you select version 2.1. That is the most recent version available as of May 16 2013. The STS will need to be installed on your machine. There’s an easy step-by-step video guide available for version 2.0 under the ‘Documentation’ link. The video guide is available here. There are very little visual changes from v2.0 to 2.1 so you should be able to set up the system based on that guide. I will not recount what’s said there. So, follow the steps and come back here when you’re done. Make sure you follow each step carefully and that you’ll have 2 users ready: one admin and one ‘normal’ user who corresponds to the user we created before on the Register page of our MVC4 web app. I created a user with the same user name as the one I created on the Register page as my custom claims auth – CustomAuthorisationManager.cs – and claims transformation – CustomClaimsTransformer.cs – logic is based on that. If this is the case in your implementation then make sure that the username of the STS user matches the one you’ve been working with so far.

When you’re done your local Thinktecture STS page should look as follows when logging in as an admin:

Select the ‘home’ link and click on ‘View WS-Federation Metadata’:

You will be presented with the Federation Metadata which describes the STS. This is the document we referred to under the ‘Federation metadata’ section above. Some interesting bits and pieces:

You will find the URL of the STS sign-in page under the PassiveRequestorEndpoint element:

Locate the KeyInfo element where you will see the certificate which will sign the outgoing token:

The Identity and Access Tool will use this metadata document to set up our configuration. Take a note of the URL of this XML page, we’ll need it soon. It should look similar to the following:

https://your_local_server_name/idsrv/FederationMetadata/2007-06/FederationMetadata.xml

Before we go on let’s give a meaningful name to the Thinktecture issuer:

By default the Site ID value is some URL ending with “changethis”. Give it some meaningful name instead, I chose ThinkTectureSTS, but it’s your choice. The Site Id will be reflected in the federation metadata:

Open our MVC4 internet application in Visual Studio 2012. Right click the web project name and select ‘Identity and Access…’ from the context menu. In the previous blog post we tested the first option in the Identity and Access window, i.e. the ‘Use the Local Development STS to test your application’ one. This time select the second option, i.e. ‘Use a business identity provider’.

You’ll need to specify the path to the STS metadata document. Paste in the link to FederationMetadata.xml as noted above:

You can also specify the realm, i.e. the ID of your web application in the same window. This can be the localhost URL as given in the wizard or some symbolic name, like DonaldDuck. Normally it is the URL of the web page, so we’ll leave it as it is for the time being.

Press OK and see what happens. The web.config file has been modified to accommodate the new STS. Things to note:

The Federation Metadata XML file has been inserted in the appsettings section:

<add key="ida:FederationMetadataLocation" value="https://localhost/IdentityServer/FederationMetadata/2007-06/FederationMetadata.xml" />

We inserted the system.identityModel and system.identityModel.services config sections in previous posts. However, the wizard would have inserted them for us if they had not been there already.

Our trusted issuers list has been modified to include the new local certificate instead of the default LocalSTS:

<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="ThinkTectureSTS">
          <keys>
            <add thumbprint="79EE2CF0CA42818DDBECA1A191480DFFEDBCF4AB" />
          </keys>
          <validIssuers>
            <add name="ThinkTectureSTS" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>

The name of the Thinktecture STS is the default one which is provided during the STS installation process. You’ll notice that the name of the issuer is the same as the Site ID we chose when we set up the STS. It is important that the two values are the same, otherwise you will get a strange WIF exception: WIF10201: No valid key mapping found for securityToken: ‘System.IdentityModel.Tokens.X509SecurityToken’ and issuer: ‘http://identityserver.v2.thinktecture.com/trust/changethis’.

The issuer URI has also been modified accordingly:

   <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false" />
      <wsFederation passiveRedirectEnabled="true" 
		issuer="https://localhost/IdentityServer/issue/wsfed" realm="http://localhost:2532/" requireHttps="false" />
    </federationConfiguration>
  </system.identityModel.services>

You’ll notice that the attributes ‘requireSsl’ and ‘requireHttps’ in the above XML are set to false. This is acceptable for testing purposes but you should make sure to set have SSL ready for the production environment. ‘passiveRedirectEnabled=true’ means that upon a 401 response the user is redirected to the login page of the STS, i.e. at https://localhost/IdentityServer/issue/wsfed in this example. The realm http://localhost:2532 will be attached to the query string as the ID of our web site.

The audience URI is the URI of our test web site:

<audienceUris>
    <add value="http://localhost:2532/" />
</audienceUris>

This value is typically the same as the realm under the federationConfiguration element.

As we saw in the previous post the wizard will make sure that all visiting users must be authenticated:

<authorization>
      <deny users="?" />
    </authorization>

The effect is that as soon as a user tries to view your site they will be redirected to the STS. Let’s remove this element to allow anonymous users as well. Run the application now. You may be presented with an exception saying that the element ‘certificateValidation’ occurs more than once. We added this element in the previous post and the wizard was not smart enough to detect it in web.config. If you get this exception then remove one of the elements and re-run the application.

If you remember then we made our About page protected. Click that link and… …you should be redirected to the Thinktecture login page. The URL will conform to the format we discussed before and will look similar to the following:

https://andras1/idsrv/issue/wsfed?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a2533%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fHome%252fAbout&wct=2013-02-11T20%3a48%3a36Z

Log in with the user you created during the Thinktecture STS setup and you should actually receive an error message:

The reason is that the STS does not give out tokens to arbitrary applications. The application first needs to be registered with the STS. We’ll do it now:

Navigate to the STS home page and sign in as an admin. If you followed the video presentation on the Thinktecture STS installation then you’ll have an admin user ready.

Click the ‘administration’ link and select Relying Parties & Resources:

Press the ‘New’ button:

Make sure you specify the same realm as in the web.config:

Press Create.

Re-run our MVC4 demo application and click the About link… …and you’ll most likely receive one more exception: the return URL requires SSL. Didn’t we specify ‘requireSsl’ as false in the web.config file? It turns out that SSL must be disabled on the STS as well.

Go to the STS home page and log in as an admin. Select ‘administration’, protocols and WS-Federation and uncheck the Require SSL option:

Save the changes and run the MVC4 application again. As usual, you can set breakpoints within CustomClaimsTransformer.Authenticate and CustomAuthorisationManager.CheckAccess to see if our custom made claims managers still work.

Select About and you should be redirected to the STS login page. Enter the username and password of the ‘normal’ user you created during the Thinktecture Identity Server installation process and press ‘Sign In’. You should be redirected to the About page meaning that the logi nwas successful.

If you have set the breakpoints in place then you’ll see that code execution stops within our custom claims managers showing that they still work as expected. Feel free to step through the code with F11 and inspect how the Claims collection is built up.

If everything went fine then you’ll be presented with the About page. Great, we’ve just implemented a real STS solution! In addition, all our custom Claims auth managers work exactly the same as before.

In the next post we’ll discuss some more advanced topics.

You can view the list of posts on Security and Cryptography here.