
Here is my current situation. I have an ADFS 2.0 server set up, with two RP web applications connected to it. These applications, App1 and App2, are web applications with a Web API backend. JavaScript AJAX calls are used.

From my initial understanding of WIF, I thought I could log in through the browser and then have access to both applications. This proved incorrect, as I cannot call the Web API functions of App2 from App1. The only way that I can do this is by typing in the URL to App2; only then will my subsequent calls from App1 work (the correct FedAuth cookie is passed in the header).

So I've been searching and searching for ways to actually call App2's Web API from App1, but I've come up empty-handed. The closest thing I've got to a solution is (I believe) adding a message handler, as in this example:

http://leastprivilege.com/2013/04/22/asp-net-web-api-security-the-thinktecture-identitymodel-authenticationhandler/

If I understand this correctly, I should be able to make WebAPI receive my SAML2 security token.

My code is as follows:

using System.IdentityModel.Selectors;            // X509CertificateValidator
using System.Web.Http;                            // HttpConfiguration
using Thinktecture.IdentityModel.Tokens.Http;     // AuthenticationHandler, AuthenticationConfiguration, ...

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Register the Thinktecture handler so every Web API request is
        // run through the SAML2 token validation configured below.
        var authentication = CreateAuthenticationConfiguration();
        config.MessageHandlers.Add(new AuthenticationHandler(authentication));
    }

    private static AuthenticationConfiguration CreateAuthenticationConfiguration()
    {
        System.Diagnostics.Debugger.Break(); // left in by the asker for debugging

        var authentication = new AuthenticationConfiguration
        {
            ClaimsAuthenticationManager = new MyClaimsAuthenticationManager(),
            EnableSessionToken = true,
            RequireSsl = false
        };

        // Accept SAML2 tokens issued by ADFS for App2, carried in the
        // Authorization header with the custom "AdfsSaml" scheme.
        authentication.AddSaml2(
            issuerThumbprint: "**Hidden**", // redacted by the asker
            issuerName: "https://192.168.0.55/adfs/ls/",
            audienceUri: "http://localhost/MyCompany.App2/",
            certificateValidator: X509CertificateValidator.None,
            options: AuthenticationOptions.ForAuthorizationHeader("AdfsSaml"),
            scheme: AuthenticationScheme.SchemeOnly("AdfsSaml"));

        return authentication;
    }
}

The calls reach MyClaimsAuthenticationManager.Authenticate(); however, the IncomingPrincipal is still not authenticated. I have no way to know whether or not it receives a SAML2 token, since I can't debug anything before MyClaimsAuthenticationManager.Authenticate().

My questions:

1) Is it possible to call my App2 Web API functions despite being authenticated in App1? (They use the same ADFS.)

2) If it is possible, am I on the right track using a Thinktecture AuthenticationHandler?

Thank you.

That's because the user is authenticated into App1. App1 is trying to access App2 on behalf of the user. I bet if you made the AJAX call from the client of App1 to App2 it would work. In your case you need to delegate the user's identity from App1 to App2. – Eugene S.

It doesn't work; it doesn't have the FedAuth cookies necessary for App2, so the call is unauthorized/redirected to the login page. – Sdupere

2 Answers

0
votes

It's a little unclear from your question whether the calls from App1 to App2 are from JS or from your server code.

If it's the latter, then in App1, if you have the bootstrap token, you can make a WS-Trust call back to your STS to get a token for App2. You'll have to do some reading on WS-Trust -- it's called "delegation".

Edit: I thought you were using IdentityServer as the STS, but I realized you're using ADFS. Both support this feature, BTW.
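As an added example (not code from the question or from either answer), here is what the server-side delegation this answer describes can look like in App1 with the WS-Trust client that ships with WIF 4.5 (System.IdentityModel). App1 takes the user's bootstrap token, sends an ActAs Issue request to ADFS, and calls App2 with the returned token in the Authorization header. The ADFS usernamemixed endpoint URL, the App1 service-account credentials, the App2 API route and the header encoding expected by the asker's "AdfsSaml" scheme are assumptions; the App2 audience URI and the scheme name come from the question's configuration. It also assumes App1's web.config has saveBootstrapContext="true" and that the App1 relying party is permitted to delegate (ActAs) to App2 on the ADFS side.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;
using System.Threading.Tasks;

public static class App2Client
{
    // Assumed values (not from the question); adjust to your environment.
    const string AdfsUsernameMixedEndpoint = "https://adfs.example.test/adfs/services/trust/13/usernamemixed"; // assumed
    const string App1ServiceAccount = @"DOMAIN\app1svc"; // assumed; App1's own identity towards ADFS
    const string App2Api = "http://localhost/MyCompany.App2/api/values";  // assumed route
    // From the asker's AddSaml2 configuration.
    const string App2AudienceUri = "http://localhost/MyCompany.App2/";
    const string AuthScheme = "AdfsSaml";

    // Step 1: the SAML token WIF saved when the browser session was created.
    // Requires <identityConfiguration saveBootstrapContext="true"> in App1's web.config;
    // without it BootstrapContext is null and delegation cannot start.
    static SecurityToken GetBootstrapToken()
    {
        var identity = Thread.CurrentPrincipal.Identity as ClaimsIdentity;
        var bootstrap = identity == null ? null : identity.BootstrapContext as BootstrapContext;
        if (bootstrap == null || bootstrap.SecurityToken == null)
            throw new InvalidOperationException("No bootstrap token; enable saveBootstrapContext in web.config.");
        return bootstrap.SecurityToken;
    }

    // Step 2: WS-Trust 1.3 Issue request with ActAs = the user's token. ADFS answers
    // with a new SAML token whose subject is still the user but whose audience is App2.
    // App1 authenticates to ADFS as itself (username/password over TLS, assumed).
    static GenericXmlSecurityToken RequestTokenForApp2(SecurityToken bootstrapToken, string password)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(AdfsUsernameMixedEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = App1ServiceAccount;
        factory.Credentials.UserName.Password = password; // load from protected configuration, not source

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,                      // bearer token, as App2's handler expects
            AppliesTo = new EndpointReference(App2AudienceUri),
            ActAs = new SecurityTokenElement(bootstrapToken) // delegation: act as the signed-in user
        };

        var channel = factory.CreateChannel();
        return (GenericXmlSecurityToken)channel.Issue(rst);
    }

    // Step 3: call App2 with the delegated token. The asker's handler is configured with
    // AuthenticationOptions.ForAuthorizationHeader("AdfsSaml"), so the token travels as
    // "Authorization: AdfsSaml <token>". Sending the raw SAML XML is an assumption here;
    // check what encoding the handler expects for the SAML2 scheme.
    public static async Task<string> CallApp2Async(string app1ServicePassword)
    {
        var app2Token = RequestTokenForApp2(GetBootstrapToken(), app1ServicePassword);
        string samlXml = app2Token.TokenXml.OuterXml;

        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(AuthScheme, samlXml);
            var response = await http.GetAsync(App2Api);
            response.EnsureSuccessStatusCode();   // 401 here means App2 rejected the delegated token
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

The FedAuth cookie from App1 never leaves the browser's App1 origin, which is why the asker's server-side calls arrive at App2 unauthenticated; the ActAs exchange gives App1 a token that App2's own AddSaml2 configuration (issuer, audience, scheme) will accept, without App1 ever holding App2's cookie.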

0
votes

You need to set up an SPN for App2 for the domain account the IIS web application is running under (that will be the identity of the application pool the application is using). For example: setspn -a http/app2 domain\account. So you must use an application pool that does not use a local/network identity but a specific domain account.

Ensure that the IIS application is set to use Application Pool Credential. When it comes to impersonation and delegation, you would need to set up delegation targets in AD for the App1 account for the created SPN. Delegation also requires that you set the local security policy "Act as part of the operating system" for the account that does the delegation; in your case it would be the account for App1, that is, if you perform impersonation.
Ensure that the IIS application is set to use Application Pool Credential. When it comes to impersonation and delegation you would require to setup delegation targets in AD for the App1 account for the created SPN. Delegation also requires that you set the local security policy "Act as part of the operating system" for the account that does the delegation, in your case it would be the account for App1, that is if you perform impersonation.