Windows Identity Foundation (WIF) Configuration Sections in ASP.NET Web.Config

This post outlines common configuration settings in web.config related to Windows Identity Foundation (WIF) when used with ASP.NET applications.

Summary of Common WIF Configuration Settings

Below is a summary of the common configuration settings related to WIF:

  • Authentication and authorization configuration
  • Registering the WIF HTTP modules with the ASP.NET pipeline
  • Identity Model configuration section
  • Initializing the audience
  • Federation configuration
  • Token encryption
  • Trusted token issuers

The rest of this post covers the details of each configuration setting.

Authentication and Authorization configurations

  • The authentication mode is set to “None”, since the WIF modules registered below handle authentication.
  • Authorization is configured to deny all unauthenticated (anonymous) users, which the “?” wildcard denotes.

<authorization>
  <deny users="?" />
</authorization>
<authentication mode="None" />

Register Http Modules with ASP.NET pipeline

  • The WIF HTTP modules are registered with the ASP.NET pipeline.
  • When working with the development web server that ships with Visual Studio (Cassini), the modules are registered in the <httpModules> section under <system.web>.
  • When working with IIS7, the modules are registered in the <modules> section under <system.webServer>. In that case each entry additionally needs the attribute preCondition="managedHandler".
  • WSFederationAuthenticationModule is added by default. It is responsible for redirecting unauthenticated requests to the issuer. Refer to the visuals at Claims-Based Architectures.
  • SessionAuthenticationModule is added by default. It is responsible for maintaining the authentication session and parsing tokens into .NET types. Refer to the visuals at Claims-Based Architectures.
  • ClaimsAuthorizationModule is added by the developer when implementing claims-based authorization. For more info - Windows Identity Foundation (WIF) By Example Part III – How To Implement Claims Based Authorization For ASP.NET Application

<add name="WSFederationAuthenticationModule"
type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

<add name="SessionAuthenticationModule"
type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

<add name="ClaimsAuthorizationModule"
type="Microsoft.IdentityModel.Web.ClaimsAuthorizationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

Identity Model Configuration Section

  • Required to enable the WIF configuration section (microsoft.identityModel) in web.config. It is added by default when adding an STS reference to the project.

<configSections>
  <section name="microsoft.identityModel"
type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>

Initializing Audience

<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="https://localhost:10130/MigrateWindowsAuthenticationToWIF" />
    </audienceUris>

Federation Configuration

<federatedAuthentication>
  <wsFederation passiveRedirectEnabled="true"
                issuer="https://localhost:8000/STS/Issue/"
                realm="https://localhost:10130/MigrateWindowsAuthenticationToWIF"
                requireHttps="false" />
  <cookieHandler requireSsl="false" />
</federatedAuthentication>

Token Encryption

<serviceCertificate>
  <certificateReference x509FindType="FindBySubjectDistinguishedName"
                        findValue="CN=adatum" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>

Trusted Token Issuers

  • Required to identify the token issuers that this application trusts.
  • Makes it possible to verify that an incoming token was signed by a trusted issuer: each thumbprint listed is that of the issuer's signing certificate, and tokens signed by any other certificate are rejected.

<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
  <trustedIssuers>
    <add thumbprint="313D3B54E2140192A8C7ED626332B6BF9106A9EC" name="SelfSTS" />
  </trustedIssuers>
</issuerNameRegistry>
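The fragments above assembled into one well-formed web.config for an IIS7 deployment, with the development-only settings from the post (requireHttps="false", requireSsl="false", localhost URLs) replaced by their production values. This is an added example, not the original post's configuration; the hostnames rp.example.com and sts.example.com, the issuer name ProductionSTS and the thumbprint placeholder are assumed values to be replaced with your own.

```xml
<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <system.web>
    <!-- Forms/Windows authentication is switched off; the WIF modules below own authentication. -->
    <authentication mode="None" />
    <!-- Deny anonymous users so every unauthenticated request is redirected to the STS. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <!-- IIS7 integrated pipeline: modules go here and need preCondition="managedHandler". -->
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" preCondition="managedHandler"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule" preCondition="managedHandler"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </modules>
  </system.webServer>
  <microsoft.identityModel>
    <service>
      <!-- Only tokens addressed to this exact URI are accepted (assumed production URL). -->
      <audienceUris>
        <add value="https://rp.example.com/MigrateWindowsAuthenticationToWIF" />
      </audienceUris>
      <federatedAuthentication>
        <!-- requireHttps="true": the post's "false" is a local-development setting. -->
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://sts.example.com/STS/Issue/"
                      realm="https://rp.example.com/MigrateWindowsAuthenticationToWIF"
                      requireHttps="true" />
        <!-- Session cookie is marked Secure so it is never sent over plain HTTP. -->
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <serviceCertificate>
        <certificateReference x509FindType="FindBySubjectDistinguishedName"
                              findValue="CN=adatum" storeLocation="LocalMachine" storeName="My" />
      </serviceCertificate>
      <!-- The signing-certificate thumbprint pins which STS may issue tokens for this application. -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="PLACEHOLDER_STS_SIGNING_CERT_THUMBPRINT" name="ProductionSTS" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

When the STS signing certificate is rotated, the thumbprint entry must be updated in step, or every token will fail validation.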

More Info