Atomia Identity

Authenticating user to access web application using sign-in form with username and password

29 views 0

Overview

Atomia Identity login setup process

Image: Atomia Identity login setup process.

Atomia Identity STS Configuration

In order for STS to identify the user for the web application, it has to be hosted on the web server and provide some login page where your application will redirect for logging in. When you log in SAML token with claims is created by the STS and you will be redirected back to your application. To make the service to be able to create a token it must contain the page that needs to check if the user need to be redirected to the login page and to translate SAML token (in our example that page will be titled as PassiveStsEndPoint.aspx).

Also in the web.config of the Atomia Identity (STS) we need to define relaying party application address:

<relyingPartyConfiguration>
<relyingParty>
...
<add storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" findValue="CN=UCP Core" rpAddress="http://localhost/MvcIdentity"/>
</relyingParty>
</relyingPartyConfiguration>

For the Atomia Identity (STS) we must set which Certificate Provider to use for our web application URI:

<type type="IRpCertProvider" mapTo="AtomiaRpCertificateProvider" name="http://localhost/MvcIdentity">
</type>

We should also set what claims types will need to provide Atomia Identity for our web application

In element with xpath configuration\atomiaSTSConfig\passiveRpClaimRequests should be added element that looks like:

<realm address="http://localhost:63340/">
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"/>
<add claimType="http://schemas.atomia.com/atomia/2009/04/identity/claims/groups"/>
</realm>

Web Application Configuration

  • In order to reference and use the Atomia Identity (STS), one should have Microsoft Geneva Framework installed and referenced as a dll (Microsoft.IdentityModel.dll). You can download and install from this url – download Geneva Framework.
  • In order to use Atomia Identity (STS) there are also some config sections should be implemented in web.config file.
<configSections>
...
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
..
</configSections>
...
<microsoft.identityModel>
<service>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add name="CN=UCP Authorization Service" thumbprint="bb4afe0efc6ab35a1006355c231e5b3a5d829625"/>
</trustedIssuers>
</issuerNameRegistry>
<audienceUris>
<add value="http://localhost/MvcIdentity"/>
</audienceUris>
<securityTokenHandlers>
<add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
</add>
</securityTokenHandlers>
<federatedAuthentication>
<wsFederation requireHttps="false" passiveRedirectEnabled="true" issuer="http://localhost:50680/AtomiaIdentityStS/PassiveStsEndpoint.aspx" realm="http://localhost/MvcIdentity" ></wsFederation>
<cookieHandler requireSsl="false"/>
</federatedAuthentication>
<serviceCertificate>
<certificateReference x509FindType="FindBySubjectName" findValue="UCP Core" storeLocation="LocalMachine" storeName="My"/>
</serviceCertificate>
</service>
</microsoft.identityModel>
...
<system.web>
...
<authentication mode="None"/>
...
<httpModules>
...
<add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
...
</httpModules>
</system.web>
...
<system.webServer>
<modules>
<add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler"/>
...
  • First section is the microsoft.identityModel
    • in the configSections copy the section tag that adds the microsoft.identityModel configuration.
    • take the whole section microsoft.identityModel and copy to the web.config.
    • in trustedIssuers section you add the issuer you trust (name of the STS service and the thumbprint of its certificate).
    • in audienceUris set your url identification.
    • federatedAuthentication/wsFederation attribute issuer set the url of the STS’ page that accepts authentication request and translates the SAML token into set of claims (in above – STS configuration section – we used to call that page PassiveStsEndPoint.aspx).
  • system.web section
    • For the authentication tag set the attribute mode to None since we are using external STS authentication service.
    • The next step inserts 2 new HttpModules in the pipeline.
  • In the system.webServer/modules need to add same two modules as in the previous httpModules section.
  • Set the attribute enabled to false in the <roleManager> tag.

When all above is set the web application is ready to use the STS as an authentication provider. No other membership providers or authentication section need to be defined in the configuration file.

Using authorization data in the web application

The usage of the application after this configuration is quite easy.

  1. Define pages those need the authorization (using web.config or using ClassAttributes [UCP:Authorize] before methods definitions in the MVC controllers classes).
    1. In ASP.NET web forms for the current directory in web.config you need to set
      <authorization>
      <deny users="?" />
      </authorization>
      
    2. In ASP.NET MVC, above the method definition in the controller class that do some action you need to put the attribute class [UCP:Authorize]
      [Authorize]
      public ActionResult Management()
      {
      return View();
      }
      
  2. In both cases above when the user tries to access pages those require to be authorized he will be redirected to the STS Login page.
  3. When the web application is being authenticated we are able to read claims provided by the STS.
  4. IClaimsIdentity contains property Claims represents the ClaimsCollection.
  5. Every claim in collection is of type Claim which contains basic claim property as ClaimType and Value.

Therefore Relaying Party (RP) service by the given set of claims could authorize the user for some actions.

IClaimsIdentity claimsIdentity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
foreach (Claim claim in claimsIdentity.Claims)
{
Console.WriteLine(claim.ClaimType);
Console.WriteLine(claim.Value);
}

or if it is asp.net web form page

IClaimsIdentity ci = User.Identity as IClaimsIdentity;
foreach (var claim in ci.Claims)
{
Response.Write(string.Format("<div>Clam type: {0}; Claim value: {1}; Claim issuer: {2}</div>",
claim.ClaimType, claim.Value, claim.Issuer));
}

Was this helpful?