How can you use Active Federation to authenticate with an ASP.NET MVC application?

0
votes

I have a WPF application that is using WS-Trust Active Federation over WCF. When the user logs in, the application requests a token from the STS, caches it, and then provides that token to all WCF service calls which require authentication. This application also has a Web Browser View that points to an MVC application that provides additional functionality. I would like to be able to authenticate with the MVC app the same way I do with my WCF services, and provide the app with the same cached token I am using for all my other service calls.

I know how to set up Passive Federation with an MVC app, but is it possible to perform Active Federation for an MVC app using Windows Identity Foundation?

1
asp.net-mvcsecurityauthenticationwifsaml

1 Answers

1
votes

No, you cannot do this without writing custom code. You got a SAML token from the STS that you use to authenticate your service calls (I assume you're talking SOAP services here). You cannot pass a raw SAML token in an HTTP request to authorize the call using WIF.

ASP.NET MVC uses cookies to persist the authentication info between requests. These cookies are set when the STS posts the SAML token back to the MVC app after a successful authentication.

What you could do is use passive mode authentication in the browser control, intercept the postback and extract the SAML token from it before passing it on to the server. Then you could use the intercepted SAML token in your service calls (assuming they have the same relying party identifier).

Alternatively, you could write a custom authentication HTTP module in which you handle a SAML token passed in via the Authorization HTTP header. Mind you that SAML tokens can get very large as they usually contain all the security groups a user is a member of.