Dynamic Realm and ACS

    Question

  • We are building a multi-tenant MVC application where each tenant will have its own DNS prefix by using a DNS wildcard. The question is whether it is safe to use the following code to adapt the federation realm, such that ACS can match the realm to a known relying party. If not, what could the alternative be?

    void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Derive the realm from the scheme and Host header of the current request.
        FederatedAuthentication.WSFederationAuthenticationModule.Realm = Request.Url.Scheme + "://" + Request.Headers["Host"].ToLower() + "/";
    }

    March 28, 2012, 8:47 AM

Answer

  • Hi Lars,

    Yes, this is a technique that is used often, for example to support a staging/acceptance/production environment on the same namespace. But you should use the following method instead of Application_AuthenticateRequest: WSFederationAuthenticationModule_RedirectingToIdentityProvider   

    Here is an example of how I do it: (from my blog: http://fabriccontroller.net/blog/a-few-tips-to-get-up-and-running-with-theazure-appfabric-access-control-service)

        private void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
        {
            // Get the request url.
            var request = HttpContext.Current.Request;
            var requestUrl = request.Url;
     
            // Build the realm url.
            var realmUrl = new StringBuilder();
            realmUrl.Append(requestUrl.Scheme);
            realmUrl.Append("://");
            realmUrl.Append(request.Headers["Host"] ?? requestUrl.Authority);
            realmUrl.Append(request.ApplicationPath);
            if (!request.ApplicationPath.EndsWith("/"))
                realmUrl.Append("/");
            e.SignInRequestMessage.Realm = realmUrl.ToString();
        }

    Hope this helps.

    Sandrino


    Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog

    March 28, 2012, 9:07 AM
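
An added example, not part of either post: because the Host header is supplied by the client, one way to constrain it before using it as the realm is to accept only a single tenant label directly under the wildcard domain. The `TenantRealm` class and the `example-app.net` domain are hypothetical, and the sketch assumes tenants are served on the default ports (a Host header carrying a port is rejected).

```csharp
using System;

// Added example, not from the thread. The class name and "example-app.net"
// are hypothetical; substitute the wildcard domain your tenants use.
public static class TenantRealm
{
    private const string BaseDomain = ".example-app.net"; // assumed wildcard suffix

    // Returns true and a realm such as "https://tenant1.example-app.net/" only
    // when the Host header is exactly one DNS label under BaseDomain.
    public static bool TryBuild(string scheme, string hostHeader,
                                string applicationPath, out string realm)
    {
        realm = null;
        if (string.IsNullOrEmpty(hostHeader))
            return false;

        // Only http and https realms are expected for a web relying party.
        if (scheme != Uri.UriSchemeHttp && scheme != Uri.UriSchemeHttps)
            return false;

        string host = hostHeader.Trim().ToLowerInvariant();

        // Rejects IP literals, "host:port", embedded slashes, spaces and so on.
        if (Uri.CheckHostName(host) != UriHostNameType.Dns)
            return false;

        // The suffix starts with a dot, so "evilexample-app.net" does not match.
        if (!host.EndsWith(BaseDomain, StringComparison.Ordinal))
            return false;

        // Exactly one label in front of the suffix: no empty or nested prefixes.
        string tenant = host.Substring(0, host.Length - BaseDomain.Length);
        if (tenant.Length == 0 || tenant.Contains("."))
            return false;

        string path = string.IsNullOrEmpty(applicationPath) ? "/" : applicationPath;
        if (!path.EndsWith("/", StringComparison.Ordinal))
            path += "/";

        realm = scheme + "://" + host + path;
        return true;
    }
}

// In WSFederationAuthenticationModule_RedirectingToIdentityProvider, assign
// e.SignInRequestMessage.Realm only when TryBuild returns true; otherwise
// fail the request instead of redirecting with an unvalidated realm.
```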