WIF SDK and dotNet 4.0 SAML authenticationStatement (and cert)

We can make an Office365-like assertion using nothing but the default code generated when you add a new web site from the WIF SDK's ASP.NET passive STS template…


We managed to make a trivial change to the auto-generated starter code so that everything worked out in the previous memo is now output:


The original code…


…becomes (in principle)


Yes, that little dance of 3 lines causes the outputIdentity to have its IsAuthenticated property set, and the nameidentifier to become the authenticationStatement’s subject. The critical thing is to have “custom” (or any other name) present in the constructor call. That is what sets IsAuthenticated=true, which in turn triggers the output formatting (as you would now expect, no?).

The idea came from reading http://leastprivilege.com/2012/09/24/claimsidentity-isauthenticated-and-authenticationtype-in-net-4-5/, which had the hint worth following up: IsAuthenticated is derived from the AuthenticationType handed to the constructor.

Note that if you omit the first two lines, you can still set the attribute statement’s nameidentifier, but no authenticationStatement is produced (and so, obviously, no subject carrying the nameidentifier). Similarly, you can add authnInstant and authnMethod claims by hand to the output bag. These will create an authentication statement, but with no subject field inside it!

All makes perfect sense (now that I know!).
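To make the three cases above concrete, here is an added example of the STS override, not the post's own code (the post's code screenshots did not survive on this page). It targets the WIF SDK 4.0 "ASP.NET Security Token Service" template (Microsoft.IdentityModel namespaces); the class name and the GetOutputClaimsIdentity signature come from that template, while the authentication-type string "custom", the Build* helper names and the relying-party whitelist are assumptions made here. The first helper is the three-line change the post settles on; the other two reproduce the variants the post says give an attribute statement only, or an authentication statement with no subject.

```csharp
// Added example for this post, not the post's or the SDK template's own code.
// Target: WIF SDK 4.0 passive STS template (Microsoft.IdentityModel.*).
// Assumed here: the "custom" authentication type, the Build* helper names,
// and the AllowedAppliesTo whitelist.
using System;
using System.Collections.Generic;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class CustomSecurityTokenService : SecurityTokenService
{
    // Relying parties this STS will issue tokens for (assumed value).
    private static readonly string[] AllowedAppliesTo = { "https://rp.example.test/" };

    public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration)
    {
    }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // Reduced from the template: refuse audiences we do not know, sign with the
        // configured credentials, and skip token encryption (as the template does when
        // no encrypting certificate is configured).
        if (request.AppliesTo == null ||
            Array.IndexOf(AllowedAppliesTo, request.AppliesTo.Uri.OriginalString) < 0)
        {
            throw new InvalidRequestException("AppliesTo is not a registered relying party");
        }

        Scope scope = new Scope(request.AppliesTo.Uri.OriginalString,
                                SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false;
        scope.ReplyToAddress = Uri.IsWellFormedUriString(request.ReplyTo, UriKind.Absolute)
            ? request.ReplyTo
            : request.AppliesTo.Uri.OriginalString;
        return scope;
    }

    // The change the post describes: build the claims, then pass a non-empty
    // authentication type to the ClaimsIdentity constructor. That makes IsAuthenticated
    // true, and the SAML 1.1 handler then emits an AuthenticationStatement whose
    // Subject carries the NameIdentifier.
    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null)
        {
            throw new ArgumentNullException("principal");
        }
        return BuildAuthenticatedIdentity(principal, "custom");
    }

    public static IClaimsIdentity BuildAuthenticatedIdentity(
        IClaimsPrincipal principal, string authenticationType)
    {
        List<Claim> claims = new List<Claim>();
        claims.Add(new Claim(ClaimTypes.NameIdentifier, principal.Identity.Name));
        claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        // The string only has to be non-empty; it is not what is written into the assertion.
        return new ClaimsIdentity(claims, authenticationType);
    }

    // "Omit the first two lines": same NameIdentifier, but the parameterless constructor
    // leaves IsAuthenticated false, so the token carries an attribute statement with the
    // subject and no AuthenticationStatement.
    public static IClaimsIdentity BuildUnauthenticatedIdentity(IClaimsPrincipal principal)
    {
        ClaimsIdentity identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.NameIdentifier, principal.Identity.Name));
        return identity;
    }

    // "Add authnInstant and authnMethod by hand": an AuthenticationStatement is produced,
    // but, as the post reports, without a Subject, because the identity is still
    // unauthenticated. Only stamp a method the user actually completed (for a password
    // login, the SAML URN urn:oasis:names:tc:SAML:1.0:am:password); never copy a method
    // or instant the caller supplied.
    public static IClaimsIdentity BuildHandStampedIdentity(
        IClaimsPrincipal principal, string authenticationMethod, DateTime instantUtc)
    {
        ClaimsIdentity identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.NameIdentifier, principal.Identity.Name));
        identity.Claims.Add(new Claim(ClaimTypes.AuthenticationMethod, authenticationMethod));
        identity.Claims.Add(new Claim(ClaimTypes.AuthenticationInstant,
            XmlConvert.ToString(instantUtc, XmlDateTimeSerializationMode.Utc)));
        return identity;
    }
}
```

To check which shape you got, decode the wresult posted back to the relying party and look for a `<saml:AuthenticationStatement>` element containing `<saml:Subject><saml:NameIdentifier>`; with the unauthenticated variant only the `<saml:AttributeStatement>` carries the subject. The AppliesTo check in GetScope is worth keeping in any real STS, since the template's default would otherwise issue a signed assertion to whatever audience the request names.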


Now, what do we do so that the WS-Federation “wrapper” tags around the assertion take the simple single-response form (RequestSecurityTokenResponse on its own, rather than a RequestSecurityTokenResponseCollection holding one response), just like that produced by ADFS 1.0?


Gawd, I feel so stupid. But not as stupid as the three American doctors who recently told my wife she was constipated (when it was a horrendous gall stone, requiring organ removal). Or the other American doctor who told her the rash was nothing (when it was shingles)… But, thankfully, MRIs and CAT scans (using nice noise-reducing algorithms that are (nice) side effects of the crypto wars) save the day for internal medicine, since now you can actually see what’s going on… if only you have the skill to get past the money-saving insurance company trying to prevent you getting access to them…

But having 5 advanced imaging scans available in properly-funded/profitable American hospitals doesn’t always help (as my daughter found out yesterday). Assumed to be a major kidney pain issue (logical, given the pain source and the surgery history), no one – including me – looked for 4 weeks at the strange shadows near her spine on the CT scan, just where certain back muscles attach… and which can be *so* stressed that they spasm wildly… at the merest touch.


About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.
This entry was posted in SAML, SSO.