WS Federation Multiple Providers

May 27, 2014 at 11:51 PM
Hi,

I'm trying to get a solution up and running that requires me to authenticate against multiple ws-fed providers. It works great and as expected when there is a single provider, but as soon as there is more than one, things get weird when trying to validate signatures etc.

I'm setting them up with the same options etc. apart from MetadataAddress and AuthenticationType (I prepend the provider name to the ".Federation").

I also have trouble getting it to send the user to the login path (i.e. with cookie auth), as I need the user to be able to select which provider to use. However, I can only get that to work if the UseCookieAuthentication call is after I set up wsfed and not before?
Coordinator
May 28, 2014 at 4:31 PM
Note that the WsFed middleware have their AuthenticationMode set to Active by default. This is convenient when they are solo, but can cause problems when you try to use multiple auth middleware together. Here are a few suggestions:
  • Set both WsFed middleware to Passive.
  • Put the cookie middleware first.
  • You may want to change the Caption so you can identify them on the login page.
  • You should set the Wreply for each to include a unique sub-path. This will keep them from trying to validate each other's tokens.
Marked as answer by Tratcher on 6/11/2014 at 9:59 PM
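The four suggestions above, put together in one OWIN Startup as an added example (this is not code from the thread or from the Katana project; the realm, provider names and metadata URLs are constructed placeholders):

```csharp
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    // Constructed placeholder realm and metadata URLs; replace with your own.
    private const string Realm = "https://localhost:44300/";

    public void Configuration(IAppBuilder app)
    {
        // Cookie middleware first: it stays Active and owns the signed-in session.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            // Page where the user picks which provider to sign in with.
            LoginPath = new PathString("/Account/Login")
        });

        UseWsFed(app, "Contoso", "https://adfs.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml");
        UseWsFed(app, "Fabrikam", "https://adfs.fabrikam.example/FederationMetadata/2007-06/FederationMetadata.xml");
    }

    private static void UseWsFed(IAppBuilder app, string name, string metadataAddress)
    {
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            // Unique scheme per provider; this is the name passed to Challenge().
            AuthenticationType = name + ".Federation",
            // Distinguishes the providers on the login page.
            Caption = name,
            // Passive: redirect to this provider only when explicitly challenged,
            // so two WsFed middleware do not both react to every 401.
            AuthenticationMode = AuthenticationMode.Passive,
            MetadataAddress = metadataAddress,
            Wtrealm = Realm,
            // Unique reply sub-path per provider, so each middleware only handles
            // (and validates) tokens posted back for its own provider.
            Wreply = Realm + "signin-" + name.ToLowerInvariant(),
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType
        });
    }
}
```

From the provider-selection page, call `Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, "Contoso.Federation")` on the OWIN context to send the user to that provider only.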
Jun 12, 2014 at 4:22 AM
Thanks,

This solved my issues completely :)
Jun 30, 2014 at 5:25 AM
Technicolour wrote:
I'm setting them up with the same options etc. apart from MetadataAddress and AuthenticationType (I prepend the provider name to the ".Federation").
Do you have any source code of this? I am struggling on my end to enable multiple ADFS providers.

I am doing this:
https://github.com/darbio/Phoenix.Net/blob/feature/ADFS/Src/Phoenix.API/App_Start/Startup.Auth.cs#L50-L61

But I always have to name the provider "Federation" otherwise I don't get redirected to the ADFS login page.
Coordinator
Jun 30, 2014 at 5:13 PM
Instead of setting the Description directly, set WsFederationAuthenticationOptions.AuthenticationType = "MyType.Federation", and WsFederationAuthenticationOptions.Caption = "MyCaption"
Jun 30, 2014 at 8:32 PM
Yeah, I was using string.Format("{0}.Federation", type) but the outcome is the same. I would highlight the Caption being pretty important in making it not confusing as well.
Jul 1, 2014 at 12:14 AM
Edited Jul 1, 2014 at 12:42 AM
That appears to be working, up until the point of ValidateClientRedirectUri.

Does this use OAuth 2 or another mechanism?
Coordinator
Jul 1, 2014 at 4:30 PM
The protocol name is Ws-Federation.