Windows Identity Foundation (WIF) Configuration Sections in ASP.NET Web.Config
This post outlines common configuration settings in web.config related to Windows Identity Foundation (WIF) when used with ASP.NET applications.
Summary of Common WIF Configuration Settings
Below is a summary of the common configuration settings related to WIF:
- Authentication and Authorization configurations.
- Register Http Modules with ASP.NET pipeline
- Identity Model Configuration Section
- Initializing Audience
- Federation Configuration
- Token Encryption
- Trusted Token Issuers
The rest of this post covers the details of each configuration.
Authentication and Authorization configurations
- Authentication configured to “None”.
- Authorization configured to deny all unauthenticated users.
<authorization>
<deny users="?" />
</authorization>
<authentication mode="None" />
Register Http Modules with ASP.NET pipeline
- WIF Http Modules are registered with the ASP.NET pipeline.
- When working with the Development Web Server that ships with Visual Studio (Cassini), the modules are registered under the <system.web.httpModules> section.
- When working with IIS7, the modules are registered under the <system.webServer.modules> section. In that case the additional attribute preCondition="managedHandler" is needed.
- WSFederationAuthenticationModule is added by default. It is responsible for redirecting unauthenticated requests to the token issuer. Refer to the visuals at Claims-Based Architectures.
- SessionAuthenticationModule is added by default. It is responsible for maintaining the authentication session (the session cookie) and parsing tokens into .Net types. Refer to the visuals at Claims-Based Architectures.
- ClaimsAuthorizationModule is added by the developer when implementing Claims Based Authorization. For more info - Windows Identity Foundation (WIF) By Example Part III – How To Implement Claims Based Authorization For ASP.NET Application
<add name="WSFederationAuthenticationModule"
type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add name="SessionAuthenticationModule"
type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add name="ClaimsAuthorizationModule"
type="Microsoft.IdentityModel.Web.ClaimsAuthorizationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
Identity Model Configuration Section
- Required to enable WIF-related configuration in web.config. Added by default when adding an STS Reference.
<configSections>
<section name="microsoft.identityModel"
type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
Initializing Audience
- Required to make sure incoming tokens are intended for this application: a token whose audience does not match one of these values is rejected.
- Usually holds the URIs (URLs) of the application. This is what is configured in the sample from Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware:
<microsoft.identityModel>
<service>
<audienceUris>
<add value="https://localhost:10130/MigrateWindowsAuthenticationToWIF" />
</audienceUris>
Federation Configuration
- Required by WSFederationAuthenticationModule and by SessionAuthenticationModule.
- issuer – endpoint of the Token Issuer. In my case it is pointing to SelfSTS, which I used for development purposes in Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware
- realm – value attached to wtrealm. Read more about it here - Windows Identity Foundation (WIF) Explained – Web Browser Sign-In Flow (WS-Federation Passive Requestor Profile)
- requireHttps and requireSsl – specify whether the communication should be performed over HTTPS (SSL): requireHttps applies to the WS-Federation redirects and requireSsl to the session cookie. Make no mistake – you want to specify true for both in a production environment; the false values below are for development only.
<federatedAuthentication>
<wsFederation
passiveRedirectEnabled="true"
issuer="https://localhost:8000/STS/Issue/"
realm="https://localhost:10130/MigrateWindowsAuthenticationToWIF"
requireHttps="false" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
Token Encryption
- Required when tokens are encrypted.
- It is an optional extra security step in protecting the tokens, even though the tokens are sent over HTTPS (SSL).
- Located inside the <service> element of <microsoft.identityModel>.
- This is how it looks in A Guide to Claims-Based Identity and Access Control – Code Samples (online):
<serviceCertificate>
<certificateReference x509FindType="FindBySubjectDistinguishedName"
findValue="CN=adatum" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>
Trusted Token Issuers
- Required to identify trusted token issuers.
- Makes it possible to verify that a token was signed by a trusted token issuer: the thumbprint of the signing certificate is matched against this list.
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="313D3B54E2140192A8C7ED626332B6BF9106A9EC" name="SelfSTS" />
</trustedIssuers>
</issuerNameRegistry>
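As an added example (not part of the original post), here is a small Python audit that assembles the fragments above into one well-formed web.config and flags the settings that must change before production: requireHttps and requireSsl set to false, a missing audienceUris list, missing trusted issuer thumbprints, and an authentication/authorization section that does not hand sign-in to WIF. The sample config is constructed here from the post's development values, so the checker is expected to report the two HTTPS findings.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config that assembles this post's fragments into one
# well-formed document; it keeps the post's development values on purpose.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="None" />
    <authorization><deny users="?" /></authorization>
  </system.web>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="https://localhost:10130/MigrateWindowsAuthenticationToWIF" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://localhost:8000/STS/Issue/"
                      realm="https://localhost:10130/MigrateWindowsAuthenticationToWIF" requireHttps="false" />
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers><add thumbprint="313D3B54E2140192A8C7ED626332B6BF9106A9EC" name="SelfSTS" /></trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>"""

def audit_wif_config(xml_text):
    """Return a list of production-readiness findings for the WIF settings in a web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode") != "None":
        findings.append("authentication mode is not None, so the WIF modules do not own sign-in")
    if root.find("system.web/authorization/deny[@users='?']") is None:
        findings.append("anonymous users are not denied (no <deny users=\"?\" />)")
    svc = root.find("microsoft.identityModel/service")
    if svc is None:  # nothing else to check without the WIF service section
        return findings + ["<microsoft.identityModel><service> section is missing"]
    if not svc.findall("audienceUris/add"):
        findings.append("no audienceUris, so tokens cannot be checked as intended for this app")
    ws = svc.find("federatedAuthentication/wsFederation")
    if ws is not None and ws.get("requireHttps", "").lower() == "false":
        findings.append("wsFederation requireHttps=\"false\" (must be true in production)")
    ck = svc.find("federatedAuthentication/cookieHandler")
    if ck is not None and ck.get("requireSsl", "").lower() == "false":
        findings.append("cookieHandler requireSsl=\"false\" (must be true in production)")
    if not svc.findall("issuerNameRegistry/trustedIssuers/add[@thumbprint]"):
        findings.append("no trusted issuer thumbprints, so token signatures are not tied to a known STS")
    return findings
```

The checker only reports attributes that are explicitly set to false; it does not assume WIF's defaults for attributes that are absent.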
Related Books
- Programming Windows Identity Foundation (Dev - Pro)
- A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
- Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
- Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
- Advanced .NET Debugging
- Debugging Microsoft .NET 2.0 Applications
More Info
- Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
- Azure AppFabric Access Control Service (ACS) v 2.0 High Level Architecture – Web Application
- Windows Identity Foundation (WIF) Explained – Web Browser Sign-In Flow (WS-Federation Passive Requestor Profile)
- Protocols Supported By Windows Identity Foundation (WIF)
- Windows Identity Foundation (WIF) By Example Part I – How To Get Started.
- Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware
- Windows Identity Foundation (WIF) By Example Part III – How To Implement Claims Based Authorization For ASP.NET Application
- Identity Developer Training Kit
- A Guide to Claims-Based Identity and Access Control – Code Samples
- A Guide to Claims-Based Identity and Access Control — Book Download