This project has moved. For the latest updates, please go here.

Deploying OWIN Security in an Enterprise

Sep 3, 2014 at 11:05 PM
I work for a company that has a large ASP.NET footprint (300+ applications managed by 40 development teams around the world). Today we have a custom, in house developed solution for security/SSO. We are planning on replacing this custom solution with standards based security(WS-Fed,OAuth,Open ID) using the new OWIN security modules. The custom security is implemented as an HttpModule that we provide as a NuGet package. When developers install the NuGet package into their ASP.NET project it has a PS script that configures the appropriate settings for the HttpModule in the web.config. As part of our deployment process we also have a tool that allows us to validate that the custom HttpModule is correctly configured in the web.config to avoid insecure deployments.

For our transition to the OWIN security model, I am looking for some guidance or recommendations/best practices for how to deploy it. We will have some standard deployment options (using Azure AD when running in Azure and our on premise STS when running in our datacenters). Ideally I would like to provide a NuGet package that has the correct ConfigureAuth method implemented, but it looks like doing this through NuGet is very difficult. Since I have no way of knowing if the application is one developed in an older version of Visual Studio or with which project template, I have no real easy way to verify the existence or lack thereof for an Owin startup class. If it does exist, it would be challenging to know where exactly to inject in the call to the ConfigureAuth method.

Many of the examples I have found require copy+paste or in the templates uncommenting the correct sections. In the past, before NuGet existed, our configuration and startup code was copy/pasted in by hand by the application developers. We found this to be very error prone and in security configurations errors can be dangerous.

Any thoughts on how to approach a repeatable way of applying OWIN security to applications?
Coordinator
Sep 5, 2014 at 4:05 PM
A mixed approach might work for you. You can reduce the configuration logic to a single callable method injected as a cs file or a library. You can then copy paste the method call into the apps (e.g. app.UseMyCompanyAuth()). This should help limit any copy-paste errors.