Dynamic Realm and ACS
March 28, 2012 8:47
We are building a multi-tenant MVC application where each tenant will have its own DNS prefix by using a DNS wildcard. The question is whether it is safe to use the following code to adapt the federation realm, such that ACS can match the realm to a known relying party. If not, what could the alternative be?
    void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Set the federation realm from the scheme and Host header of the current request.
        FederatedAuthentication.WSFederationAuthenticationModule.Realm = Request.Url.Scheme + "://" + Request.Headers["Host"].ToLower() + "/";
    }
All Replies
March 28, 2012 9:07
Hi Lars,
Yes, this is a technique that is used often, for example to support a staging/acceptance/production environment on the same namespace. But you should use the following method instead of Application_AuthenticateRequest: WSFederationAuthenticationModule_RedirectingToIdentityProvider
Here is an example of how I do it (from my blog: http://fabriccontroller.net/blog/a-few-tips-to-get-up-and-running-with-theazure-appfabric-access-control-service):

    private void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // Get the request url.
        var request = HttpContext.Current.Request;
        var requestUrl = request.Url;

        // Build the realm url.
        var realmUrl = new StringBuilder();
        realmUrl.Append(requestUrl.Scheme);
        realmUrl.Append("://");
        realmUrl.Append(request.Headers["Host"] ?? requestUrl.Authority);
        realmUrl.Append(request.ApplicationPath);
        if (!request.ApplicationPath.EndsWith("/"))
            realmUrl.Append("/");

        e.SignInRequestMessage.Realm = realmUrl.ToString();
    }
Hope this helps.
Sandrino
Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog
- Marked as Answer by Lars Lykke Jensbøl March 28, 2012 9:21
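
An added example, not part of the original thread or of the linked blog: the Host header is supplied by the client, so a realm built from it can be checked against the tenant wildcard zone before it is sent to ACS. The `TenantRealm` class, its `TryBuild` method, the `.example.com` base domain, and the HTTPS-only, port-443 rules are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

public static class TenantRealm
{
    // Assumption: tenants live directly under this wildcard DNS zone.
    private const string BaseDomain = ".example.com";

    // One DNS label: letters, digits, inner hyphens, at most 63 characters.
    private static readonly Regex Label =
        new Regex(@"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z", RegexOptions.CultureInvariant);

    // Returns false unless the Host header is exactly one tenant label under BaseDomain.
    public static bool TryBuild(string scheme, string hostHeader, string applicationPath, out string realm)
    {
        realm = null;
        // Assumption: the application is served over HTTPS only.
        if (scheme != "https" || string.IsNullOrEmpty(hostHeader)) return false;

        string host = hostHeader.Trim().ToLowerInvariant();
        // Normalize the default port so it does not produce a second realm string.
        if (host.EndsWith(":443", StringComparison.Ordinal)) host = host.Substring(0, host.Length - 4);
        if (!host.EndsWith(BaseDomain, StringComparison.Ordinal)) return false;

        string tenant = host.Substring(0, host.Length - BaseDomain.Length);
        if (!Label.IsMatch(tenant)) return false;

        string path = string.IsNullOrEmpty(applicationPath) ? "/" : applicationPath;
        if (!path.EndsWith("/", StringComparison.Ordinal)) path += "/";
        realm = scheme + "://" + host + path;
        return true;
    }

    public static void Main()
    {
        // Constructed Host header values, not taken from the thread.
        string[] hosts = { "Contoso.example.com", "contoso.example.com:443",
                           "contoso.example.com.evil.test", "a.b.example.com", "example.com" };
        foreach (string h in hosts)
        {
            string realm;
            Console.WriteLine(TryBuild("https", h, "/", out realm)
                ? h + " -> " + realm
                : h + " -> rejected");
        }
    }
}
```

In the `RedirectingToIdentityProvider` handler, `e.SignInRequestMessage.Realm` would be set only when `TryBuild` returns true, and the request rejected otherwise. Each accepted realm still has to correspond to a relying party that ACS knows.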