migrating from wit/wsfederation to owin/wsfederation AND THEN also accepting idtokens

Jun 9, 2014 at 1:47 AM
Edited Jun 9, 2014 at 1:51 AM
Does it make sense to migrate from a classical asp.net WIF-pipeline site to an ASP.NET OWIN ws-federation pipeline AND also augment that with the OpenID Connect middleware (accepting posted idtokens)?

I cannot give up ws-federation with SAML1 tokens (too many working partners). I can move from one pipeline to another.

So that a mobile client also works with the same site, I'm happy to arrange for the client code to invoke the aad-world's /authorization process, requiring an idtoken be posted to the site (in the middle of a windows store/phone WAB mediated authhost-managed process). In much the same way as done by azure mobile sites, the target SP hosted in ASP.NET+OWIN can take in such a token and mint a proprietary (RSTR+SAML) token, passed back on the redirect uri bearer channel (to be delivered to the client, post WAB interaction). A browser view on the mobile client would then be invoked, post WAB, posting the SAML blob to the classical ws-federation (acs) handlers listening for ws-fedp RSTRs.

Does this make any sense? Can ASP.NET with OWIN support BOTH pipelines?

Jun 9, 2014 at 5:47 PM
I didn't quite follow your long paragraph, but I think your root question is can you use more than one Katana security middleware at the same time. Yes. You can use as many security middleware as you like, but you'll have to be more deliberate about which you issue a challenge for. The Visual Studio templates show one strategy for this by setting all the middleware to AuthenticationMode.Passive and redirecting you to an auth type selection page. You can also choose to challenge for any specific auth type from any resource.

Consider coming to https://jabbr.net/#/rooms/owin if you want to talk through it with someone.
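The answer above describes the template strategy in words; as an added example (not code posted in this thread and not the Katana project's own source), here is a Startup.Auth.cs that registers the cookie, WS-Federation and OpenID Connect middleware side by side, puts both federated middleware in AuthenticationMode.Passive so neither redirects on its own, and lets a controller action issue the challenge for one specific authentication type. The realm, metadata address, authority, client id and the /Account routes are placeholders I made up for the example; the types and methods are the ones shipped in the Microsoft.Owin.Security.WsFederation, Microsoft.Owin.Security.OpenIdConnect and Microsoft.Owin.Security.Cookies packages.

```csharp
// Added example, not from the thread: two passive federated middleware plus one
// active cookie middleware. Endpoint values below are placeholders.
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(MultiAuth.Startup))]

namespace MultiAuth
{
    public class Startup
    {
        // The cookie middleware is what persists the session after either
        // federated middleware has validated an inbound token.
        public const string CookieAuthType = "ApplicationCookie";

        public void Configuration(IAppBuilder app)
        {
            // Whichever middleware validates a token signs in as this cookie type.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthType);

            // Active (the default): an unauthenticated 401 is turned into a redirect
            // to the provider-selection page instead of to a particular IdP.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthType,
                LoginPath = new PathString("/Account/SelectProvider")   // placeholder route
            });

            // WS-Federation for the existing SAML 1.1 partners. Passive: it only
            // acts when explicitly challenged, but still consumes posted RSTRs.
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType,
                AuthenticationMode = AuthenticationMode.Passive,
                Wtrealm = "https://app.example.test/",                                   // placeholder
                MetadataAddress = "https://sts.example.test/FederationMetadata/2007-06/FederationMetadata.xml" // placeholder
            });

            // OpenID Connect for the mobile client that posts an id_token. Also passive.
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
                AuthenticationMode = AuthenticationMode.Passive,
                ClientId = "00000000-0000-0000-0000-000000000000",   // placeholder
                Authority = "https://login.example.test/tenant-id"     // placeholder
            });
        }
    }

    // Placeholder controller showing a challenge for one specific auth type.
    public class AccountController : Controller
    {
        public ActionResult SelectProvider()
        {
            return View();   // a page with links to SignIn?provider=wsfed and SignIn?provider=oidc
        }

        public ActionResult SignIn(string provider, string returnUrl)
        {
            // Only ever send the user back to a local URL after sign-in; an
            // unchecked returnUrl is an open redirect.
            string safeReturn = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";

            // Pick exactly one passive middleware to challenge.
            string authType = provider == "oidc"
                ? OpenIdConnectAuthenticationDefaults.AuthenticationType
                : WsFederationAuthenticationDefaults.AuthenticationType;

            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = safeReturn },
                authType);

            // The 401 is what the challenged middleware converts into the redirect
            // (or the form post, for WS-Federation) to the chosen identity provider.
            return new HttpUnauthorizedResult();
        }
    }
}
```

With both federated middleware passive, an anonymous request to a protected action lands on SelectProvider via the cookie middleware, and only the auth type named in the Challenge call reacts. The inbound side is unaffected by the mode: each middleware still inspects responses posted to its own callback path, so the existing WS-Federation partners keep working while the OpenID Connect middleware handles the id_token from the mobile flow.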