Adding ACS to the OAuth clients used in MVC4 Internet template applications


image

image

The web.config changes shown above amend the OAuth-friendly MVC4 Internet-template project. They enable the project's forms-auth-based website to expose an ACS-friendly assertion consumer service endpoint. The identityModel configuration section shows how to support the code of a custom IAuthenticationClient, registered alongside the external IdPs. The implementation talks to ACS using WS-Federation passive (ws-fedp) and processes the response to determine the nameid claim from an upstream IdP, such as Google, as formulated for the ACS namespace (note well).

The following code snippets show the custom ACS client – variants of which can talk to any ws-fedp IDP, obviously.

image

image
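As an added example (not the snippets from the original post), here is a complete custom IAuthenticationClient of the kind described above. It assumes .NET 4.5 (System.IdentityModel.Services / System.IdentityModel.Tokens) and the DotNetOpenAuth.AspNet package that the MVC4 Internet template ships with; the class name AcsWsFedClient, the provider name "acs" and the constructor parameters are illustrative. The SecurityTokenHandlerCollection passed in is expected to carry the SAML2 handler with the audience, issuer-registry and certificate-validator settings the post discusses.

```csharp
// Added example: a DotNetOpenAuth.AspNet IAuthenticationClient that drives ACS over ws-fedp
// and hands the ACS-scoped nameid to OAuthWebSecurity/SimpleMembership as the providerUserId.
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;   // SignInRequestMessage, SignInResponseMessage, WSFederationMessage
using System.IdentityModel.Tokens;     // SecurityTokenHandlerCollection, SecurityTokenException
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Xml;
using DotNetOpenAuth.AspNet;           // IAuthenticationClient, AuthenticationResult

public class AcsWsFedClient : IAuthenticationClient
{
    // ACS claim type carrying the upstream IdP name (e.g. "Google") for the nameid it issued.
    private const string AcsIdentityProviderClaim =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    private readonly Uri acsSignInUrl;  // assumed: https://{namespace}.accesscontrol.windows.net/v2/wsfederation
    private readonly string realm;      // the wtrealm registered as a relying party in the ACS namespace
    private readonly SecurityTokenHandlerCollection handlers;

    public AcsWsFedClient(Uri acsSignInUrl, string realm, SecurityTokenHandlerCollection handlers)
    {
        this.acsSignInUrl = acsSignInUrl;
        this.realm = realm;
        this.handlers = handlers;
    }

    public string ProviderName { get { return "acs"; } }

    // Step 1: send the browser to ACS with a wsignin1.0 request. returnUrl is the callback
    // the template's OAuthWebSecurity already generates; ACS will POST wresult back to it.
    public void RequestAuthentication(HttpContextBase context, Uri returnUrl)
    {
        var signIn = new SignInRequestMessage(acsSignInUrl, realm) { Reply = returnUrl.AbsoluteUri };
        context.Response.Redirect(signIn.WriteQueryString(), false);
    }

    // Step 2: parse the ws-fedp response, validate the SAML2 token inside it, and map the
    // ACS-issued nameid to the (providerName, providerUserId) pair SimpleMembership links on.
    public AuthenticationResult VerifyAuthentication(HttpContextBase context)
    {
        var response = WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;
        if (response == null)
            return AuthenticationResult.Failed;

        string tokenXml = ExtractTokenXml(response.Result);
        if (tokenXml == null)
            return AuthenticationResult.Failed;

        ClaimsIdentity identity;
        try
        {
            using (var reader = XmlReader.Create(new StringReader(tokenXml)))
            {
                reader.MoveToContent();
                var token = handlers.ReadToken(reader);
                // ValidateToken checks signature, signing cert (CertificateValidator),
                // issuer name registry, audience (wtrealm) and lifetime.
                identity = handlers.ValidateToken(token).FirstOrDefault();
            }
        }
        catch (SecurityTokenException) { return AuthenticationResult.Failed; }
        catch (XmlException) { return AuthenticationResult.Failed; }
        if (identity == null)
            return AuthenticationResult.Failed;

        // The nameid as minted by ACS for this namespace: stable across every site that uses
        // this ACS, but it no longer carries Google's domain-specific semantics.
        var nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
        if (nameId == null || string.IsNullOrEmpty(nameId.Value))
            return AuthenticationResult.Failed;

        var extra = new Dictionary<string, string>();
        var idp = identity.FindFirst(AcsIdentityProviderClaim);
        if (idp != null) extra["identityprovider"] = idp.Value;
        var email = identity.FindFirst(ClaimTypes.Email);
        if (email != null) extra["email"] = email.Value;

        string userName = email != null ? email.Value : nameId.Value;
        return new AuthenticationResult(true, ProviderName, nameId.Value, userName, extra);
    }

    // Unwrap the RSTR carried in wresult: the token is the first child element of
    // <RequestedSecurityToken>. ReadOuterXml keeps the signed assertion byte-for-byte.
    private static string ExtractTokenXml(string rstrXml)
    {
        using (var reader = XmlReader.Create(new StringReader(rstrXml)))
        {
            while (reader.Read())
            {
                if (reader.NodeType == XmlNodeType.Element && reader.LocalName == "RequestedSecurityToken")
                {
                    reader.ReadStartElement();
                    reader.MoveToContent();
                    return reader.NodeType == XmlNodeType.Element ? reader.ReadOuterXml() : null;
                }
            }
        }
        return null;
    }
}
```

Register it in AuthConfig alongside the template's other clients with `OAuthWebSecurity.RegisterClient(new AcsWsFedClient(...), "ACS", null)`; the handler collection can come from `FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers` when the identityModel section is configured, or be built in code. Because the client validates the token itself, the WS-Federation authentication module need not be in the pipeline, which is exactly why the request-validation and certificate-validation gotchas below arise.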

The gotchas to be solved included the need to register a request validation class in httpRuntime (so that form posts conforming to a ws-fedp sign-in response are excluded from raising a request-validation exception), and the need to add a custom certificate validator class to the SAML2 handler, since the service-level cert validator does not apply when one is not using the pipeline's WS-Federation authentication module.

It may also be possible to tell the token handler to use no validation. But we used the ability to control a custom validation process, as in:

image

One can do better... using digest values, obviously! I just don't know how to reference the configuration service section to get hold of the existing list of authorized digests!!
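As an added example covering both gotchas above and the digest-value idea (this is not the post's code and not the validator shown in the screenshot), the block below has three parts: a request validator that exempts only a well-formed ws-fedp sign-in response from ASP.NET request validation, an X509CertificateValidator that accepts the token-signing certificate only if its SHA-1 thumbprint is on an explicit allowlist, and a builder that wires both into a SAML2 handler collection. It assumes .NET 4.5 namespaces (System.Web.Util, System.IdentityModel.Services, System.IdentityModel.Selectors); the class names and the thumbprint values are constructed placeholders.

```csharp
// Added example: request-validation exemption plus thumbprint-allowlist certificate validation
// for a SAML2 token handler used outside the WS-Federation pipeline module.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;   // X509CertificateValidator
using System.IdentityModel.Services;    // WSFederationMessage, WSFederationConstants
using System.IdentityModel.Tokens;      // SecurityTokenHandlerCollection, Saml2SecurityTokenHandler
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Util;                  // RequestValidator

// 1. Register with <httpRuntime requestValidationType="MyApp.WsFedRequestValidator, MyApp" />.
//    Only the "wresult" form field is exempted, and only when it parses as a sign-in response;
//    every other field still goes through the default dangerous-input check.
public class WsFedRequestValidator : RequestValidator
{
    protected override bool IsValidRequestString(HttpContext context, string value,
        RequestValidationSource source, string collectionKey, out int validationFailureIndex)
    {
        validationFailureIndex = 0;
        if (source == RequestValidationSource.Form &&
            string.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
        {
            var message = WSFederationMessage.CreateFromFormPost(new HttpRequestWrapper(context.Request))
                as SignInResponseMessage;
            if (message != null)
                return true;
        }
        return base.IsValidRequestString(context, value, source, collectionKey, out validationFailureIndex);
    }
}

// 2. Custom validator: the ACS token-signing cert is not in TrustedPeople and is not chained to a
//    local root, so pin it by digest instead of relying on chain or peer trust.
public class ThumbprintCertificateValidator : X509CertificateValidator
{
    private readonly HashSet<string> allowed;

    public ThumbprintCertificateValidator(IEnumerable<string> thumbprints)
    {
        // X509Certificate2.Thumbprint is upper-case hex without separators; normalise the allowlist to match.
        allowed = new HashSet<string>(thumbprints.Select(t => t.Replace(" ", "").ToUpperInvariant()));
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException("certificate");
        if (!allowed.Contains(certificate.Thumbprint.ToUpperInvariant()))
            throw new SecurityTokenValidationException(
                "Token-signing certificate is not on the allowlist: " + certificate.Thumbprint);
    }
}

// 3. Build the handler collection the custom IAuthenticationClient validates with.
public static class AcsTokenHandlers
{
    public static SecurityTokenHandlerCollection Build(string realm, IDictionary<string, string> trustedIssuers)
    {
        var config = new SecurityTokenHandlerConfiguration();
        config.CertificateValidator = new ThumbprintCertificateValidator(trustedIssuers.Keys);
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(realm));

        // Same thumbprints map to issuer names, as the identityModel trustedIssuers section would.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        foreach (var issuer in trustedIssuers)
            registry.AddTrustedIssuer(issuer.Key, issuer.Value);
        config.IssuerNameRegistry = registry;

        return new SecurityTokenHandlerCollection(new SecurityTokenHandler[] { new Saml2SecurityTokenHandler() }, config);
    }

    // Constructed sample wiring; the thumbprint is a placeholder, not a real ACS certificate.
    public static SecurityTokenHandlerCollection BuildSample()
    {
        return Build("https://linking-app.example.test/", new Dictionary<string, string>
        {
            { "0000000000000000000000000000000000000000", "https://PLACEHOLDER-namespace.accesscontrol.windows.net/" }
        });
    }
}
```

Keeping the thumbprints in one dictionary means the certificate validator and the issuer name registry cannot drift apart: a token signed by a certificate that is not on the list fails in Validate before the issuer lookup runs, and a listed certificate still has to map to the issuer name the audience expects.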

One should be aware of the subtle semantic shift that occurs with this architecture. Now the Google name issued to some ACS namespace is linked at, and then used at, domains that are not tied to the Google nameid. Obviously, when linking in the linking app, the linking app's domain is a kind of relying party. When, in our extended sample, the same linking app is also a ws-fed FP projecting the linked name onto other SPs in an SP affiliation, it makes a little more sense that the Google name has lost all its domain-specific properties. This obviously allows linking sites on MULTIPLE domains to use a common ACS (and a common Google-name linking reference).

Registration uses different traditions…

image

MVC version, for webmatrix and simplemembership baseline


image

asp.net web pages version, using ASP.NET 2.0 classical membership


About home_pw@msn.com

http://yorkporc.wordpress.com/about-2/
This entry was posted in SSO.