Share via

How to Migrate from WS-Federation to OpenID Connect in ASP.NET Framework 4.8?

Mubashir Ali 0 Reputation points
2025-05-22T08:39:48.79+00:00

We currently have an ASP.NET Web Forms application targeting .NET Framework 4.8 that uses WS-Federation with Auth0 configured via web.config for authentication. Due to modernization and security recommendations, we are looking to migrate this setup to OpenID Connect (OIDC) while still staying on .NET Framework 4.8 (not Core).

Our questions are:

What are the exact steps and libraries (e.g., OWIN middleware, Katana, etc.) required to implement OIDC in a .NET 4.8 Web Forms app?

Can OIDC authentication co-exist temporarily with WS-Federation during transition?

How can we store and manage tokens securely post-authentication?

Are there any best practices or official Microsoft documentation for this migration path?

Any guidance or code samples will be highly appreciated.

ASP.NET Core Training
ASP.NET Core Training
ASP.NET Core: A set of technologies in the .NET Framework for building web applications and XML web services.Training: Instruction to develop new skills.
80 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Small Pebbles 0 Reputation points
    2025-05-22T08:41:23.1266667+00:00

    Use the Microsoft.IdentityModel.Protocols.OpenIdConnect and System.IdentityModel.Tokens.Jwt libraries. Update web.config to configure OIDC metadata endpoint, client ID/secret, and redirect URIs. Then replace WS-Fed middleware with OWIN or ASP.NET OIDC middleware for handling tokens and claims.

    0 comments
  2. Pradeep M 9,685 Reputation points Microsoft External Staff Volunteer Moderator
    2025-05-22T11:04:40.2833333+00:00

    Hi Mubashir Ali

    Thank you for reaching out to Microsoft Q & A forum. 

    To migrate from WS-Federation to OpenID Connect (OIDC) in an ASP.NET Web Forms app (.NET Framework 4.8), use OWIN (Katana) middleware.  Install these NuGet packages: Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies, and Microsoft.Owin.Security.OpenIdConnect.Configure OIDC in a Startup.cs file using cookie authentication and your identity provider (e.g., Auth0).  You can run OIDC and WS Fed side by side during transition and control which flow to use per request.  Tokens are stored in secure cookies by default; store long-lived tokens securely on the server if needed.  Useful reference: Microsoft OWIN Docs.

    If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.