Single Token with Claims from Multiple Places

  • Monday, November 02, 2009 4:02 PM Kevin Hoffman
    This question may be the result of me not having spent enough road time with Geneva yet, but here goes.
    I have an application that I'm thinking of migrating from custom forms auth to Geneva authentication for a variety of reasons. This authentication uses Active Directory for the identity, e.g. the username and password are verified against an AD, but the roles for that user come from somewhere else. So I'm wondering how I would configure a Geneva environment to verify the username/password against an active directory and then get a list of roles from a custom database keyed on the AD username.

    Thoughts?
    The .NET Addict - http://dotnetaddict.dotnetdevelopersjournal.com

All Replies

  • Monday, November 02, 2009 4:18 PM Garrett Vlieger
    There are two ways you could approach this:

    1. You can override the roles that are issued by AD using the claim rules settings in your relying party.  Take a look at the Geneva Server documentation to see how to set up your attribute store to pull out your role claims and then how to transform these into the role claim.
    2. If you want, you can also name the roles claim anything you want.  Then in your web application, you can specify which claims map to the roles for your user.  To do this, use the roleClaimTypes configuration as shown here:

        <SecurityTokenHandlers>
          <!-- Replace the default SAML 1.1 handler with one that carries custom claim-type mappings -->
          <remove type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=0.4.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=0.4.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <samlSecurityTokenRequirement audienceUriMode="Never">
              <!-- Claim type whose value becomes IIdentity.Name -->
              <nameClaimType value="http://schemas.contoso.com/ws/2005/05/claims/name"/>
              <!-- Claim type(s) whose values IPrincipal.IsInRole() checks against -->
              <roleClaimTypes>
                <add value="http://schemas.contoso.com/samples/2008/09/claims/permission"/>
              </roleClaimTypes>
            </samlSecurityTokenRequirement>
          </add>
        </SecurityTokenHandlers>

    Hope this helps.
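    The two options above keep the role lookup either on the server (attribute store plus claim rules) or in configuration (mapping an issued claim type onto roles). A third place the same lookup can live, on the relying-party side, is a ClaimsAuthenticationManager: it runs after the token handler has validated the incoming token and can add role claims taken from a local database keyed on the AD-authenticated name. The following is an added example, not code from the original post or from Geneva/WIF itself; it assumes the Microsoft.IdentityModel 3.5 (WIF 1.0) API, and the RoleStore dictionary, the CONTOSO account names and the "LocalRoleStore" issuer label are constructed sample data standing in for the custom database.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;

// Constructed stand-in for the custom role database, keyed on the AD account name.
// In a real deployment this would be a parameterized query against that database.
public static class RoleStore
{
    private static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CONTOSO\alice", new[] { "Editor", "Reviewer" } },
            { @"CONTOSO\bob",   new[] { "Reader" } }
        };

    public static IEnumerable<string> GetRoles(string accountName)
    {
        string[] roles;
        return Roles.TryGetValue(accountName, out roles) ? roles : new string[0];
    }
}

// Hypothetical manager: enriches the validated principal with role claims from RoleStore.
public class DatabaseRoleClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        // Anonymous request: nothing to enrich, and never attach roles to an unauthenticated identity.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        var identity = (IClaimsIdentity)incomingPrincipal.Identity;

        // Key the lookup only on the name the STS asserted (the AD-verified account),
        // never on a claim the client could have supplied itself.
        string accountName = identity.Name;
        if (string.IsNullOrEmpty(accountName))
        {
            return incomingPrincipal;
        }

        foreach (string role in RoleStore.GetRoles(accountName))
        {
            // Record a distinct issuer so locally added roles are distinguishable from STS-issued claims.
            identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LocalRoleStore"));
        }
        return incomingPrincipal;
    }
}

public static class Demo
{
    // Builds a principal the way the token handler would (name claim only), runs the manager,
    // and reports whether the database-sourced roles are visible through the standard role check.
    public static bool HasRole(string accountName, string role)
    {
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, accountName) }, "Federation");
        var principal = new ClaimsPrincipal(new IClaimsIdentity[] { identity });

        var manager = new DatabaseRoleClaimsAuthenticationManager();
        IClaimsPrincipal enriched = manager.Authenticate("/", principal);
        return enriched.IsInRole(role);
    }

    public static void Main()
    {
        Console.WriteLine(HasRole(@"CONTOSO\alice", "Editor"));  // True
        Console.WriteLine(HasRole(@"CONTOSO\bob", "Editor"));    // False
        Console.WriteLine(HasRole(@"CONTOSO\carol", "Reader"));  // False: unknown account gets no roles
    }
}
```

    To wire the manager in, register it under <microsoft.identityModel><service> as <claimsAuthenticationManager type="YourNamespace.DatabaseRoleClaimsAuthenticationManager, YourAssembly" /> (type name and assembly are placeholders). One caveat on the configuration above: audienceUriMode="Never" switches off the audience check entirely, so a token the STS issued for a different relying party would be accepted by this one; for anything beyond a lab, keep the default mode and list the application's own URI in <audienceUris> instead.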
  • Monday, November 02, 2009 5:54 PM Rakesh Bilaney - MSFT (Moderator)

    Yes, as Garrett mentions you can handle this via attribute stores and the claim rules settings.
    For more information:
    Attribute stores: http://technet.microsoft.com/en-us/library/dd727971(WS.10).aspx
    Claims policy language (examples to query the attribute stores for role information): http://technet.microsoft.com/en-us/library/dd807118(WS.10).aspx