ASP .NET Authentication : OWIN middleware component for browser based sign-on using WsFederation

Authentication of an ASP .NET Web API with Azure Active Directory through the OWIN middleware component is made easy, as we all know. As a matter of fact, the Visual Studio integration that lets you choose the type of authentication when creating a Web API has made developers' lives much easier than the earlier way of onboarding authentication through the identity tooling [I'm sure we all remember the huge web.config :) ]. The new OWIN-based programming model for securing modern ASP.NET applications changes the way developers think about claims-based identity and its integration with their web application.

OWIN components allow you to secure your ASP.NET applications with Windows Azure AD, ADFS and any other identity provider supporting WS-Federation.

The Microsoft OWIN components have been explained in great detail in the article linked here, and those who feel OWIN is new to them can refer to it. By the way, to those who want to read the _OWIN specification_ I would recommend https://owin.org/, which has a wealth of information about OWIN [Open Web Interface for .NET].

Today, to secure an ASP .NET web application created from Visual Studio, we follow a simple initialization logic with very little code; the flow is described here.

The default project that Visual Studio creates today contains the following piece of code:

```csharp
public partial class Startup
{
    // For more information on configuring authentication, please visit https://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)
    {
        // Bearer-token middleware: validates JWTs issued by the Azure AD tenant for this audience
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Audience = ConfigurationManager.AppSettings["ida:Audience"],
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            });
    }
}
```

The Audience and the Tenant values are pulled from the configuration, and that's it: all of it is wired. A lot of configuration has been reduced, and I'm sure people who have worked on identity integration with the earlier approaches will appreciate the work by the Windows Azure Active Directory team. Kudos to them :).

A question came up while discussing with my friends: how can we enable browser-based sign-on so that it works seamlessly with the OWIN middleware? I thought that while answering his question I could quickly post it here as well, as it might help others looking for the same thing.

Coming straight to the point, the Microsoft.Owin.Security.WsFederation NuGet package does the magic of enabling browser-based sign-on. To add it to our project, we need to put the snippet below into the ConfigureAuth method of the Startup class:

```csharp
// The WS-Federation middleware signs in as this type, which is the cookie middleware below
app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);
// Cookie middleware: issues the session cookie after sign-in and validates it on later requests
app.UseCookieAuthentication(
    new CookieAuthenticationOptions
    {
        AuthenticationType =
            WsFederationAuthenticationDefaults.AuthenticationType
    });
// WS-Federation middleware: redirects the browser to the identity provider and validates the returned token
app.UseWsFederationAuthentication(
    new WsFederationAuthenticationOptions
    {
        MetadataAddress = "<Federated Metadata>",
        Wtrealm = "<your realm>"
    });
```

This link explains in detail how we can use WsFederationAuthenticationOptions. In short, below are the values we need to set for passive-federation, browser-based login to work.

Wtrealm: This is the identifier of your application, as assigned when you configured your app in your authenticating authority (in the Windows Azure portal for Windows Azure AD, in the management console for ADFS).
 
MetadataAddress : This value represents the Windows Azure AD tenant (or ADFS instance) you want to use for authenticating your users. If you are writing line of business apps for your own company, this line will likely never change.

If you are wondering about the CookieAuthentication that is added in the snippet above, it is the OWIN Cookie Authentication middleware component (which can be downloaded from the Microsoft.Owin.Security.Cookies NuGet package). It not only issues the cookie and validates it on subsequent requests, but also converts an unauthorized response into a redirect to the login page. The best part of this middleware is that it is claims-aware.
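As an added example (not the post's own code), here is a complete ConfigureAuth that wires the cookie and WS-Federation middleware described above with the two values read from web.config instead of hard-coded placeholders. It assumes the appSettings keys "ida:FederationMetadata" and "ida:Wtrealm" and an error route "/Home/Error"; it also signs in as the cookie middleware's default type rather than the WS-Federation type, which is the equivalent wiring used in later Katana samples.

```csharp
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Assumed appSettings keys (not from the original post)
        string metadataAddress = ConfigurationManager.AppSettings["ida:FederationMetadata"];
        string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];

        // The metadata document carries the identity provider's signing keys,
        // so refuse to start if it would be fetched over anything but TLS.
        Uri metadataUri;
        if (!Uri.TryCreate(metadataAddress, UriKind.Absolute, out metadataUri)
            || metadataUri.Scheme != Uri.UriSchemeHttps)
        {
            throw new ConfigurationErrorsException("ida:FederationMetadata must be an https URL");
        }

        // Session cookie issued after a successful sign-in; WS-Federation signs in as this type.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            CookieHttpOnly = true,                       // keep the session cookie away from script
            CookieSecure = CookieSecureOption.Always,    // never send it over plain HTTP
            ExpireTimeSpan = TimeSpan.FromHours(1),
            SlidingExpiration = false
        });

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            MetadataAddress = metadataAddress,
            Wtrealm = realm,
            Notifications = new WsFederationAuthenticationNotifications
            {
                // A token that fails validation should not surface as a 500 with details;
                // send the browser to a generic error page instead (assumed route).
                AuthenticationFailed = n =>
                {
                    n.HandleResponse();
                    n.Response.Redirect("/Home/Error");
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```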

Hope this helps someone who is trying to use the OWIN middleware to enable browser-based sign-on with WsFederation… Happy coding!

Ganesh Shankaran

Software Development Engineer