Windows Identity Foundation (WIF) Explained – Web Browser Sign-In Flow (WS-Federation Passive Requestor Profile)
In his book Programming Windows Identity Foundation (Dev - Pro) Vittorio provides good explanation of how sign-in flow performed in the case of claims aware application. It is based on WS-Federation Sign-In Sequence and called WS-Federation Passive Requestor Profile. The summary of steps are:
- User requests a page from the site (RP – Relying Party).
- User gets redirected to STS (Security Token Service) website for authentication (HTTP 302 with Location header containing STS’ URL). Query string parameters attached:
- wa (action, such as wsign1.0 or wsignout1.0)
- wtrealm (target realm, the original application’s URL)
- wct – optional time stamp when the request was issued. Useful to counter spoofing and replay attacks.
- STS performs authentication of its choice (Basic, Digest, Windows, Client Certificates, Custom) independently of WS-Federation protocol.
- STS renders back HTML form with the following form parameters in it:
- Target has the value of wtrealm, so it can be submitted to original site.
- wa parameter has the original value.
- wresult – either security token[s] in case of successful authentication or a fault otherwise.
- The browser submits the POST request of the form to the original web site (RP – Relying Party).
- If the original web site (RP – Relying Party) created using ASP.NET (do not have to) then WIF (WSFederationAuthenticationModule, FAM) takes care of validating the request and the tokens, the developers needs to do nothing here. If validation succeeds authentication session cookie with the token is issued and the request being redirected to self once more.
- On subsequent requests the cookie (FedAuth[N]) that has the token parsed by SessionAuthenticationModule including parsing the claims and populating ClaimsPrincipal and ClaimsIdentity into the HttpContext.User.
Good explanation for the process and visuals of the sequence including Fiddler captures of the HTTP trafic provided in Claims-Based Architectures from A Guide to Claims–based Identity and Access Control. For deep dive consider reading Michele Leroux Bustamante’s Passive Authentication for ASP.NET with WIF.
Your Choices for WS-Federation Passive Requestor Profile STS
Following are your choices for available STS you can use in your applications:
- For the cloud - Azure AppFabric Access Control Service ACS
- For the enterprise – ADFS 2.0
- Mixing Azure AppFabric ACS and ADFS 2.0 - Access Control Service and ADFS v2 Integration
- For development needs only – SelfSTS
- Build your own - ASP.NET Security Token Service Web Site
More Info
- Protocols Supported By Windows Identity Foundation (WIF)
- Windows Identity Foundation (WIF) By Example Part I – How To Get Started.
- Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware
- Windows Identity Foundation (WIF) By Example Part III – How To Implement Claims Based Authorization For ASP.NET Application
- Identity Developer Training Kit
- A Guide to Claims-Based Identity and Access Control – Code Samples
- A Guide to Claims-Based Identity and Access Control — Book Download