0
votes

I am attempting to build an ASP.NET 4.7 app (WIF v4.5) using claims-based authentication against our internal STS server. We have older working .NET apps (< 4.5) that can successfully get claims.

The issue is that the new app never contacts the STS server.

I surmise the failure is in how I am setting up the federation web.config vs. the old one. Here is my latest config, non-working, followed by a config that works using the old identity process (WIF 3.5).

V4.0 WIF web.config (New 4.7 project)
<system.identityModel>
    <identityConfiguration>
        <audienceUris>
            <add value="urn:jabberwocky" />
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
            <trustedIssuers>
                <add thumbprint="{MyThumbprint}" name="https://{MyIssuerURL}" />
            </trustedIssuers>
        </issuerNameRegistry>
        <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
    <federationConfiguration>
        <cookieHandler requireSsl="false" />
        <wsFederation passiveRedirectEnabled="true"
                        issuer="https://{MySTSUrl}"
                        realm="urn:jabberwocky"
                        reply="http://localhost:44301/"
                        requireHttps="true" />
    </federationConfiguration>
</system.identityModel.services>
V3.5 WIF web.config (Old 4.0 project)
<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="urn:Jabberwocky" />
    </audienceUris>
    <certificateValidation certificateValidationMode="None" />
    <claimsAuthenticationManager type="{Namespace}.MyAuthenticationManager, {Namespace}" />
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" 
                    issuer="https://{MySTSUrl}" 
                    requireHttps="true" 
                    realm="urn:Jabberwocky" />
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="{MyThumbprint}" name="https://{MyIssuerURL}" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>

  • I know it does not hit the STS server because I use an invalid audienceUris value as a test, and I don't get rejected by the server as I would in the old project.
  • I sense it has something to do with the federatedAuthentication element that is present in the old config but not found in the new one.
If you want to control what's going on, I suggest switching to a programmatic approach. Take a look at my tutorial wiktorzychla.com/2014/11/… As for your current config, make sure both SAM and FAM modules are there too. - Wiktor Zychla
@WiktorZychla put that suggestion as an answer, and I will mark it as such. As I noted on your website, I needed both FAM and SAM. - ΩmegaMan
As for your comment under my blog entry, the FAM isn't required in the web.config if you follow my programmatic approach. It's only required in web.config for a static, declarative approach like yours. - Wiktor Zychla
Gotcha, it's only relevant if one is doing it non-programmatically. - ΩmegaMan

2 Answers

1
votes

As for your current config, make sure both SAM and FAM modules are there.

If you want to control what's going on, I suggest switching to a programmatic approach. Take a look at my tutorial.

1
votes

I ended up with this in my web.config:

<system.webServer>
    <modules>
        <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
        <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    </modules>
</system.webServer>
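The symptom in the question (an invalid audienceUris value is never rejected because no redirect to the STS ever happens) is a fail-open that a static check of web.config catches before any debugging against the STS. The script below is an added example, not code from the thread or from WIF: it parses a web.config and reports whether both FAM and SAM are registered under system.webServer/modules, whether the wsFederation realm is an exact audienceUris entry (exact, case-sensitive matching is assumed here as the conservative choice), whether requireHttps/requireSsl agree with the issuer and reply URLs, and whether trustedIssuers thumbprints look like real 40-hex-digit SHA-1 values (a classic gotcha when copying from the certificate dialog). The embedded config is constructed from the question's posted one; the hostname sts.example.internal and the thumbprint are placeholders, and `sample_config` defaults reproduce the non-working configuration.

```python
"""Static audit of a WIF 4.5 (System.IdentityModel) web.config.

Added example: checks the point this thread turned on (FAM and SAM registered in
system.webServer/modules) plus the consistency checks a reviewer makes before
blaming the STS. Hostnames and the thumbprint below are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

FAM_TYPE = "System.IdentityModel.Services.WSFederationAuthenticationModule"
SAM_TYPE = "System.IdentityModel.Services.SessionAuthenticationModule"
THUMBPRINT = "0123456789abcdef0123456789abcdef01234567"  # constructed placeholder

MODULES_XML = """
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </modules>
  </system.webServer>"""


def sample_config(modules_xml="", reply="http://localhost:44301/", require_ssl="false"):
    """Constructed web.config modelled on the question; defaults reproduce the broken one."""
    return f"""<configuration>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris><add value="urn:jabberwocky" /></audienceUris>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers><add thumbprint="{THUMBPRINT}" name="https://sts.example.internal/" /></trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="{require_ssl}" />
      <wsFederation passiveRedirectEnabled="true" issuer="https://sts.example.internal/" realm="urn:jabberwocky" reply="{reply}" requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>{modules_xml}
</configuration>"""


def _registered_module_types(root):
    """Type names (assembly qualification stripped) under system.webServer/modules."""
    return [a.get("type", "").split(",")[0].strip()
            for a in root.findall("./system.webServer/modules/add")]


def _is_true(element, attr, default):
    """Boolean attribute lookup; 'default' mirrors the WIF default when the element is absent."""
    return (element.get(attr, default) if element is not None else default).lower() == "true"


def audit_wif_config(xml_text):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    idc = "./system.identityModel/identityConfiguration"
    fed = "./system.identityModel.services/federationConfiguration"

    # 1. Module registration. Without FAM no 401 is ever turned into a redirect to the
    #    STS (the app silently stays anonymous); without SAM no token becomes a session.
    registered = _registered_module_types(root)
    if FAM_TYPE not in registered:
        findings.append("ERROR: FAM (WSFederationAuthenticationModule) not registered in system.webServer/modules; the app will never redirect to the STS")
    if SAM_TYPE not in registered:
        findings.append("ERROR: SAM (SessionAuthenticationModule) not registered in system.webServer/modules; no session cookie will be issued from the token")

    # 2. Realm must be an audienceUris entry, compared exactly (assumed case-sensitive).
    audiences = [a.get("value", "") for a in root.findall(idc + "/audienceUris/add")]
    wsfed = root.find(fed + "/wsFederation")
    cookie = root.find(fed + "/cookieHandler")
    if wsfed is None:
        findings.append("ERROR: no wsFederation element; nothing tells FAM where the STS is")
        return findings
    realm = wsfed.get("realm", "")
    if realm not in audiences:
        kind = "WARN" if realm.lower() in [a.lower() for a in audiences] else "ERROR"
        findings.append(f"{kind}: realm {realm!r} is not an exact audienceUris entry {audiences}")

    # 3. Transport: requireHttps governs the STS endpoint; reply and requireSsl govern
    #    whether the Secure session cookie ever makes it back to the app.
    if _is_true(wsfed, "requireHttps", "true") and urlsplit(wsfed.get("issuer", "")).scheme != "https":
        findings.append("ERROR: requireHttps=true but issuer is not an https URL")
    reply = wsfed.get("reply", "")
    if reply and urlsplit(reply).scheme != "https":
        findings.append(f"WARN: reply {reply} is plain http; the signed token is POSTed in clear")
        if _is_true(cookie, "requireSsl", "true"):
            findings.append("ERROR: cookieHandler requireSsl=true with an http reply URL; the Secure session cookie is never sent back (redirect loop)")
    if not _is_true(cookie, "requireSsl", "true"):
        findings.append("WARN: cookieHandler requireSsl=false; the session cookie is not marked Secure")

    # 4. Issuer trust. With chain validation off, the thumbprint list is the only anchor.
    certval = root.find(idc + "/certificateValidation")
    issuers = root.findall(idc + "/issuerNameRegistry/trustedIssuers/add")
    if certval is not None and certval.get("certificateValidationMode") == "None":
        findings.append("WARN: certificateValidationMode=None; signing-certificate chain is not validated, trust rests on trustedIssuers thumbprints alone")
    if not issuers:
        findings.append("ERROR: trustedIssuers is empty; there is no issuer thumbprint to pin against")
    for iss in issuers:
        tp = iss.get("thumbprint", "")
        if len(tp) != 40 or any(c not in "0123456789abcdefABCDEF" for c in tp):
            findings.append(f"ERROR: thumbprint {tp!r} is not 40 hex digits (check for hidden characters pasted from the certificate dialog)")
    return findings


if __name__ == "__main__":
    for label, cfg in [("as posted", sample_config()),
                       ("with modules, https reply, Secure cookie",
                        sample_config(MODULES_XML, "https://localhost:44301/", "true"))]:
        print(f"== {label}")
        for finding in audit_wif_config(cfg):
            print("  ", finding)
```

Run it against the posted config and the two module ERRORs are the first lines out; add the modules from the accepted answer, switch the reply URL to https and requireSsl to true, and only the certificateValidationMode=None warning remains, which is acceptable exactly because the thumbprint pin in trustedIssuers is doing the trust work.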