Custom STS with Custom Database
-
July 17, 2012 13:06
Hi,
I want to create one custom STS which uses a custom SQL Azure database for authentication, meaning the custom STS that I will create will use the USER table for authentication and some other tables for authorization.
At first I looked into http://identityserver.codeplex.com/ but it is using the Membership database for authentication and authorization.
Then I decided to create my own STS and start creating authorization rules in ACS itself using the management API. So I started looking into the Custom STS template available inside the Visual Studio Create Project wizard.
BUT I AM NOT SURE HOW TO USE MY USER TABLE WITH THIS CUSTOM STS FOR AUTHENTICATION.
Could anybody suggest me something?
So what I am trying to achieve:
1.) My custom STS will authenticate from my custom database (User table).
2.) Authorization rules will be created in Azure ACS during the signup process and will be returned as claims after authentication is done.
Please suggest me something to implement this scenario.
Thanks in Advance
Munish Bhargav
All replies
-
July 18, 2012 2:49 Moderator
If you use the WIF project template to create an STS project, it is just a normal ASP.NET application. You can configure it to use forms authentication and ASP.NET membership, and you can create a custom membership provider so it can use your custom database table. If you have general questions about creating a custom STS using WIF, you can post them on http://social.msdn.microsoft.com/Forums/en-US/Geneva/threads. If you have general questions about ASP.NET membership, you can post them on http://forums.asp.net/25.aspx/1?Security
Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com. Microsoft One Code Framework
-
July 18, 2012 4:25
IdentityServer only uses membership by default. If you have a custom store, you only need to implement the IUserRepository interface.
The WIF SDK STS template is really just a barebones sample and is missing many important security features...
Dominick Baier | thinktecture | @leastprivilege | http://www.leastprivilege.com
-
July 20, 2012 7:50
Thanks Arwind and Dominick for the reply,
Arwind/
Could you please refer me to some article on what you are suggesting?
Arwind/Dominick
Authentication is one part; I also need to take care of authorization (not from the custom database).
Let me explain:
1.) Whenever a user signs up, a user will be created in the Users database (Username/Password), and it will also create roles (Admin/Customer) and permissions in ACS itself using the management API.
2.) So next time, on user authentication from the User database, the claims and token will be returned from ACS so that the user can be authorized.
Also I want to secure my Web API with this ACS token.
Please suggest something.
-
July 20, 2012 8:33 Moderator
Hi Munish,
If you use the STS project template provided by the WIF SDK, it creates the infrastructure for you. All you need to do is implement the authentication logic. You can refer to http://msdn.microsoft.com/en-us/IdentityTrainingCourse_MembershipAndFederationLab2010 for a tutorial on how to integrate ASP.NET membership with a custom STS. You can modify the sample to use your own membership provider instead of the default SQL Server membership provider.
I'm not familiar with Identity Server, but according to Dominick, you can implement IUserRepository to provide your own user storage.
As for authorization, it is handled by ACS. Your STS needs to return the required claims to ACS, and use ACS rules to translate them to role claims. For example, you may have a rule whose input claim is: username: me, and output claim is: role: administrator.
BR,
Arwind
- Marked as answer by Arwind - MSFT (Moderator), July 23, 2012 6:50
- Unmarked as answer by Munish Bhargav, July 31, 2012 8:06
-
July 31, 2012 8:12
Sorry Arwind for the late reply,
You clearly got my requirement.
I need to authenticate by the custom STS DB, and authorize and return claims from ACS.
I did the first part; could you give me some help article for creating and returning custom rules in ACS?
Dominick/
I am able to log in with the custom STS (Identity Server). But when I used it from the client app it did not redirect to my client app. Could you tell me why this is so?
Any kind of help is very much appreciated.
Thanks
Munish Bhargav
-
July 31, 2012 9:11 Moderator
Hi Munish,
I'd like to suggest you refer to the link below:
http://msdn.microsoft.com/en-us/library/windowsazure/gg185923.aspx
- Proposed as answer by Veerendra Kumar, August 3, 2012 6:09
-
August 1, 2012 8:29
Dominick/
Please suggest something. Why am I not able to redirect to my client application from where I invoked the custom STS?
I am able to log in with the custom STS (Identity Server). But when I used it from the client app it did not redirect me back to my client app. Could you tell me why this is so?
Thanks
Munish Bhargav
-
August 3, 2012 6:09
Hi Munish,
WReply is the parameter that any STS would actually expect. It's the STS's responsibility to redirect back to the URL specified in the WReply.
You need to code for that in your custom STS application. The following lines are responsible for redirecting the response back to the client.
SecurityTokenService sts = new CustomSecurityTokenService(CustomSecurityTokenServiceConfiguration.Current);
SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, User, sts);
FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(responseMessage, Response);
For your other question, take a look at this blog on how to configure your custom STS with ACS. If you see the Chinese version of the blog, use the translator control to convert it to English.
Please mark the replies as Answered if they help and Vote if you found them helpful.
- Proposed as answer by Veerendra Kumar, August 3, 2012 6:09
- Unproposed as answer by Munish Bhargav, August 3, 2012 11:58
-
August 3, 2012 12:11
Thanks Veerendra for the reply,
Are you talking about this in the context of IdentityServer?
The return URL is not proper in my app's wreply (it should be https://hanusecurityframework.cloudapp.net/Dashboard.aspx, shouldn't it?).
OK, here are my apps' access points.
Custom STS - https://hanusecurityframework.cloudapp.net/
Client app which uses this STS - http://hanuincloud.cloudapp.net/
The Chinese version is the OLD version of the same STS.
Please suggest something.
Thanks
-
August 3, 2012 12:23
I see the WREPLY parameter going in the STS call. In your case your client app is talking to ACS and ACS is talking to your STS. The reply should go back to your ACS and from there it should come back to your client app.
Can you do a Fiddler or HttpWatch trace and see where it is stopping, to see where the bottleneck is exactly?
-
August 4, 2012 13:36
Hi Veerendra,
Thanks for your valuable suggestion.
According to your suggestion I split the returnUrl via wreply, extracted the wreply, and after successful login I redirect the user to this wreply URL, but it shows the Runtime Error yellow page.
Below is the redirect URL after login success.
https://hanusecurityframeworknamespace.accesscontrol.windows.net/v2/wsfederation&wctx=cHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZoYW51aW5jbG91ZC5jbG91ZGFwcC5uZXQlMmY1
Veerendra, could you confirm whether this is the same as what you are suggesting? If yes, then could you please suggest why this is so?
After these changes, Fiddler is showing the same thing that you are suggesting,
meaning after authentication it is redirecting to ACS but not returning back to the client app.
Thanks
Munish
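The wreply round trip that Veerendra's post describes, and the malformed ".../v2/wsfederation&wctx=..." redirect quoted just above, as an added example that is not code from this thread, from WIF or from IdentityServer. It assumes a constructed relying-party registry (the ACS namespace host is taken from the thread, the exact realm string is an assumption) and shows the STS accepting only a registered wreply before posting the token back:

```python
"""WS-Federation passive sign-in handling on the STS side (added example,
not code from this thread, from WIF or from IdentityServer). It mirrors what
FederatedPassiveSecurityTokenServiceOperations does with wreply: parse the
request, accept a wreply only if the relying party registered it, and post
the token back; append_query shows why '&wctx=' on a query-less wreply
yields the malformed '.../v2/wsfederation&wctx=...' URL quoted in the thread."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed relying-party registry: realm -> registered reply URLs. The ACS
# namespace host is taken from the thread; the exact realm string is an
# assumption made for this example.
ACS = "https://hanusecurityframeworknamespace.accesscontrol.windows.net"
REGISTERED_RPS = {ACS + "/": [ACS + "/v2/wsfederation"]}

def parse_signin_request(url):
    """Return the wa, wtrealm, wreply and wctx parameters of a sign-in request."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if q.get("wa") != "wsignin1.0" or "wtrealm" not in q:
        raise ValueError("not a WS-Federation sign-in request")
    return q

def resolve_reply_url(wtrealm, wreply=None):
    """Use the registered reply URL, or wreply if scheme, host and path match
    a registered one. Refusing unregistered wreply values keeps the STS from
    posting tokens to an arbitrary site chosen by whoever built the link."""
    allowed = REGISTERED_RPS.get(wtrealm)
    if not allowed:
        raise ValueError(f"unknown realm: {wtrealm}")
    if wreply is None:
        return allowed[0]
    p = urlsplit(wreply)
    if p.scheme == "https" and urlunsplit((p.scheme, p.netloc, p.path, "", "")) in allowed:
        return wreply
    raise ValueError(f"wreply not registered for realm: {wreply}")

def append_query(url, params):
    """Add query parameters with '?' or '&' as the URL requires."""
    p = urlsplit(url)
    query = p.query + ("&" if p.query else "") + urlencode(params)
    return urlunsplit((p.scheme, p.netloc, p.path, query, p.fragment))

def build_signin_response(reply_url, wresult, wctx=None):
    """Passive WS-Fed returns the token by auto-submitting a POST form to the
    reply URL; wctx is echoed back unchanged so the RP can restore its state."""
    fields = {"wa": "wsignin1.0", "wresult": wresult}
    if wctx:
        fields["wctx"] = wctx
    return reply_url, fields
```

The form fields returned by build_signin_response are what the STS renders into the auto-submitting form; wctx is opaque to the STS and is never parsed or rebuilt there.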
-
August 4, 2012 17:56
Munish,
The code I mentioned in my reply does the redirection if you implement it the same way.
Can you do one thing: just directly federate with your custom STS and see if you are getting claims from it.
Then federate through ACS and see where exactly it is stopping.
If it is stopping at ACS, check whether you have configured the reply parameter in ACS properly or not. When you onboard the RP in ACS you need to specify the reply URL in ACS; see if you have it configured or not.
-
August 6, 2012 9:17
Thanks Veerendra for the follow-up,
I was not able to federate it with the custom STS, meaning when I added the STS reference of the custom STS to my own application and ran it, it did not redirect to my STS.
Also I configured the RP in ACS properly; you can see the screen attached.
Please suggest something.
Thanks
Munish Bhargav.
-
August 6, 2012 11:30
Hi, you need to add STS references using the federation utility. Hope you have done it the same way.
First try to attach the debugger to both your application and the custom STS and see where it is failing. Once you get your federation working between your application and the custom STS, then you can configure it with ACS. It's easier to troubleshoot the problems with the custom STS first with a sample application and then configure that in ACS.
Can you post the identity model configuration of your client application after you added the references directly to the custom STS?
- Edited by Veerendra Kumar, August 6, 2012 11:31
-
August 6, 2012 12:28
Thanks so much Veerendra for the reply.
Yes, I added the STS reference using the federation utility.
Here is the config file; please suggest something.
<?xml version="1.0"?>
<!-- For more information on how to configure your ASP.NET application, please visit http://go.microsoft.com/fwlink/?LinkId=169433 -->
<configuration>
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  </configSections>
  <appSettings>
    <add key="FederationMetadataLocation" value="https://127.0.0.1:444/FederationMetadata/2007-06/FederationMetadata.xml"/>
  </appSettings>
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
    <authentication mode="None"/>
    <compilation debug="true">
      <assemblies>
        <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
      </assemblies>
    </compilation>
    <httpModules>
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </httpModules>
  </system.web>
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler"/>
      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler"/>
    </modules>
  </system.webServer>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="http://127.0.0.2/"/>
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://127.0.0.1/issue/wsfed" realm="http://127.0.0.2/" requireHttps="false"/>
        <cookieHandler requireSsl="false"/>
      </federatedAuthentication>
      <applicationService>
        <claimTypeRequired>
          <!--Following are the claims offered by STS 'http://identityserver.azure.thinktecture.com/trust/initial'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
          <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true"/>
          <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true"/>
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />-->
        </claimTypeRequired>
      </applicationService>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="CCC7924B470CE8C70DBADEE6992BC5D616AB434D" name="http://identityserver.azure.thinktecture.com/trust/initial"/>
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
Thanks
Munish Bhargav
-
August 6, 2012 12:37
I did not see a major issue with the config. Can you add the following settings to the <system.webServer> tag?
<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
  <modules runAllManagedModulesForAllRequests="true">
    <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
  </modules>
</system.webServer>
Also try to use FQDNs instead of IP addresses for your URLs. Manage the FQDNs with host entries!