Are SAML and WsFederation different?

  • Question

  • User430178104 posted

    Hi,

    Are SAML and WsFederation (WsFederationAuthenticationOptions) different? My requirement is that I need to log in to my app with Azure AD using SAML2 and get the bearer token.

    But I used the logic below; is it fine? I am not getting the bearer token. Please help.

    using System;
    using System.Configuration;
    using System.Globalization;
    using System.Threading.Tasks;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;

    public class Startup
    {
        // Values come from web.config appSettings (the ida:* keys used by the Azure AD samples)
        private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
        private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
        private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        // Federation metadata: the middleware reads the issuer and signing keys from this document
        private static string metadata = string.Format("{0}/{1}/federationmetadata/2007-06/federationmetadata.xml", aadInstance, tenant);

        // Not used below; only works if aadInstance contains a {0} placeholder
        string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {
                    TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
                    {
                        // Keep the raw incoming token on the identity (BootstrapContext)
                        SaveSigninToken = true,
                        // Audience is compared against Wtrealm unless ValidAudience is set explicitly
                        ValidateAudience = true
                    },
                    Wtrealm = realm,
                    MetadataAddress = metadata,
                    Notifications = new WsFederationAuthenticationNotifications
                    {
                        // No-op hooks; useful as breakpoint targets while debugging the flow
                        SecurityTokenValidated = context => Task.FromResult(0),
                        SecurityTokenReceived = context => Task.FromResult(0),
                        MessageReceived = context => Task.FromResult(0),
                        RedirectToIdentityProvider = context => Task.FromResult(0),
                        AuthenticationFailed = context =>
                        {
                            context.HandleResponse();
                            // The exception text ends up in the URL; acceptable for debugging, not for production
                            context.Response.Redirect("Home/Error?message=" + context.Exception.Message);
                            return Task.FromResult(0);
                        }
                    }
                });
        }
    }

    Monday, June 18, 2018 1:22 PM

All replies

  • User283571144 posted

    Hi pathipati,

    As far as I know, SAML and WS-Federation are both standards that allow users who have already logged into one site to access another site without logging in again. They both do this by allowing sites to present proof that a site and a user are who they say they are. They both support single sign-out, and they both support metadata to exchange SSO information between parties.

    But WS-Federation carries its credentials in claims, and the most popular claim type is, ironically, a SAML Assertion. This leads people to think that WS-Federation and SAML can talk to each other. It also leads some SaaS vendors to say they support SAML when they really support SAML claims inside WS-Federation.

    So WS-Federation uses the SAML Assertion as its encrypted token.

    But I used the logic below; is it fine? I am not getting the bearer token. Please help.

    I suggest you try the code below and set a breakpoint in the SecurityTokenReceived method to check that it receives the token.

    For more details, you could refer to the UseWsFederationAuthentication code below:

    app.UseWsFederationAuthentication(
        new WsFederationAuthenticationOptions
        {
            Wtrealm = realm,
            MetadataAddress = metadata,
            Notifications = new WsFederationAuthenticationNotifications
            {
                AuthenticationFailed = context =>
                {
                    context.HandleResponse();
                    context.Response.Redirect("Home/Error?message=" + context.Exception.Message);
                    return Task.FromResult(0);
                },
                SecurityTokenReceived = context =>
                {
                    // Get the token: the raw wresult token (SAML assertion XML) as a string
                    var token = context.ProtocolMessage.GetToken();
                    return Task.FromResult(0);
                }
            }
        });
    

    Best Regards,

    Brando

    Tuesday, June 19, 2018 6:56 AM
  • User430178104 posted

    Hi Brando,

    Thanks for your response and the extra information. Now I am able to get the token in the SecurityTokenReceived method (context.ProtocolMessage.GetToken()). But it is in XML format. My requirement is that I need a bearer token from here and need to pass this bearer token to another app and a few Graph APIs.

    Please let me know how I can get the bearer token from here. Below is my SAML / WS-Fed token response.

    <?xml version="1.0" encoding="UTF-8"?>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="....................." IssueInstant="2018-06-19T09:14:51.292Z" Version="2.0">
       <Issuer>https://sts.windows.net/............/</Issuer>
       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
          <SignedInfo>
             <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
             <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
             <Reference URI="...................">
                <Transforms>
                   <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                   <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <DigestValue>...............</DigestValue>
             </Reference>
          </SignedInfo>
          <SignatureValue>.................</SignatureValue>
          <KeyInfo>
             <X509Data>
                <X509Certificate>.....................</X509Certificate>
             </X509Data>
          </KeyInfo>
       </Signature>
       <Subject>
          <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">.............</NameID>
          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
       </Subject>
       <Conditions NotBefore="2018-06-19T09:09:51.292Z" NotOnOrAfter="2018-06-19T10:09:51.292Z">
          <AudienceRestriction>
            ........................................
          </AudienceRestriction>
       </Conditions>
       <AttributeStatement>
          <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
    	  ......................
          </Attribute>
       </AttributeStatement>
       <AuthnStatement AuthnInstant="2018-06-19T09:14:42.920Z">
          <AuthnContext>
             <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
          </AuthnContext>
       </AuthnStatement>
    </Assertion>

    Tuesday, June 19, 2018 10:22 AM
  • User283571144 posted

    Hi pathipati,

    As far as I know, Azure AD WS-Federation auth will return a SAML 2.0 token, not a bearer token.

    I suggest you first try the code below to see if you can get the token from the current user identity property.

    Auth setting:

    app.UseWsFederationAuthentication(
        new WsFederationAuthenticationOptions
        {
            // SaveSigninToken keeps the raw token on the identity as BootstrapContext
            TokenValidationParameters = new TokenValidationParameters { SaveSigninToken = true },
            Wtrealm = realm,
            MetadataAddress = metadata,
            Notifications = new WsFederationAuthenticationNotifications
            {
                AuthenticationFailed = context =>
                {
                    context.HandleResponse();
                    context.Response.Redirect("Home/Error?message=" + context.Exception.Message);
                    return Task.FromResult(0);
                },
                SecurityTokenReceived = context =>
                {
                    // Get the token
                    var token = context.ProtocolMessage.GetToken();
                    return Task.FromResult(0);
                }
            }
        });

    In the controller you could use the code below:

    // With SaveSigninToken = true, bootstrapContext.Token holds the raw (XML) token string
    var bootstrapContext = ClaimsPrincipal.Current.Identities.First().BootstrapContext as System.IdentityModel.Tokens.BootstrapContext;
    

    For more details, you could refer to the answer below:

    https://stackoverflow.com/a/33741500/7609093 

    Best Regards,

    Brando

    Wednesday, June 20, 2018 3:09 AM
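As an added example (not code from the thread, and not the OWIN middleware's own code), here is a minimal Python version of what sits between the identity provider's form POST and the claims the app gets: take `wresult` out of the body, extract the assertion of the kind pasted above, and apply the checks that `ValidateAudience` and lifetime validation exist for. The issuer, audience, IDs, attribute values and timestamps are placeholders constructed to match the shape of that assertion; signature verification against the federation metadata keys is deliberately left out, so this is not a substitute for the middleware's validation. It also shows, on the same data, why the result cannot be sent as an HTTP bearer token.

```python
"""Extract and check the SAML 2.0 assertion in a WS-Federation sign-in response.

Added example; sample data is constructed, not captured from a real tenant.
No XML signature verification here (needs the metadata signing keys).
"""
import xml.etree.ElementTree as ET  # production code: use defusedxml for untrusted XML
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
BEARER_CM = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# WS-Trust namespaces a wresult may use (Feb 2005 and WS-Trust 1.3)
TRUST_NS = ("http://schemas.xmlsoap.org/ws/2005/02/trust",
            "http://docs.oasis-open.org/ws-sx/ws-trust/200512")

# Constructed placeholders (assumed values, not real tenant data)
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
EXPECTED_AUDIENCE = "https://example.com/myapp"            # the app's Wtrealm
NOW = datetime(2018, 6, 19, 9, 15, tzinfo=timezone.utc)    # inside the assertion window
LATER = datetime(2018, 6, 19, 11, 0, tzinfo=timezone.utc)  # after NotOnOrAfter

SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="{TRUST_NS[0]}">
 <t:RequestedSecurityToken>
  <Assertion xmlns="{SAML2}" ID="_example" IssueInstant="2018-06-19T09:14:51.292Z" Version="2.0">
   <Issuer>{EXPECTED_ISSUER}</Issuer>
   <Signature xmlns="{DSIG}"><SignedInfo/><SignatureValue>placeholder</SignatureValue></Signature>
   <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">example-user</NameID>
    <SubjectConfirmation Method="{BEARER_CM}"/>
   </Subject>
   <Conditions NotBefore="2018-06-19T09:09:51.292Z" NotOnOrAfter="2018-06-19T10:09:51.292Z">
    <AudienceRestriction><Audience>{EXPECTED_AUDIENCE}</Audience></AudienceRestriction>
   </Conditions>
   <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
     <AttributeValue>00000000-0000-0000-0000-000000000000</AttributeValue>
    </Attribute>
   </AttributeStatement>
  </Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""
# The IdP posts the response as a form: wa=wsignin1.0&wresult=<xml>[&wctx=...]
SAMPLE_POST_BODY = "wa=wsignin1.0&wresult=" + quote(SAMPLE_WRESULT)


def wresult_from_post_body(body: str) -> str:
    """Return the wresult field of a WS-Fed sign-in POST, rejecting other message types."""
    form = parse_qs(body, strict_parsing=True)
    if form.get("wa") != ["wsignin1.0"]:
        raise ValueError("not a wsignin1.0 response")
    return form["wresult"][0]


def extract_assertion(wresult: str) -> ET.Element:
    """Return the <Assertion> inside RequestedSecurityToken (the XML the OP saw from GetToken())."""
    root = ET.fromstring(wresult)
    for ns in TRUST_NS:
        rst = root.find(f".//{{{ns}}}RequestedSecurityToken")
        if rst is not None:
            assertion = rst.find(f"{{{SAML2}}}Assertion")
            if assertion is None:
                raise ValueError("RequestedSecurityToken does not hold a SAML 2.0 assertion")
            return assertion
    raise ValueError("no RequestedSecurityToken in wresult")


def _saml_time(value: str) -> datetime:
    """SAML times are xs:dateTime in UTC with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(assertion, issuer, audience, now, skew=timedelta(minutes=5)) -> dict:
    """Checks a relying party must do before trusting the claims; returns the claims."""
    if assertion.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    if assertion.findtext(f"{{{SAML2}}}Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if assertion.find(f"{{{DSIG}}}Signature") is None:
        raise ValueError("assertion is unsigned")  # real check: verify against metadata keys
    cond = assertion.find(f"{{{SAML2}}}Conditions")
    if cond is None:
        raise ValueError("missing Conditions")
    if now + skew < _saml_time(cond.get("NotBefore", "")):
        raise ValueError("assertion not yet valid")
    if now - skew >= _saml_time(cond.get("NotOnOrAfter", "")):
        raise ValueError("assertion expired")
    audiences = [(a.text or "").strip() for a in cond.iter(f"{{{SAML2}}}Audience")]
    if audience not in audiences:  # this is what ValidateAudience guards against
        raise ValueError(f"audience mismatch: {audiences}")
    subject = assertion.find(f"{{{SAML2}}}Subject")
    if subject is None or BEARER_CM not in [
            sc.get("Method") for sc in subject.iter(f"{{{SAML2}}}SubjectConfirmation")]:
        raise ValueError("no bearer SubjectConfirmation")
    claims = {"issuer": issuer, "nameid": subject.findtext(f"{{{SAML2}}}NameID")}
    for attr in assertion.iter(f"{{{SAML2}}}Attribute"):
        claims[attr.get("Name")] = [(v.text or "").strip()
                                    for v in attr.iter(f"{{{SAML2}}}AttributeValue")]
    return claims


def is_rejected(assertion, issuer, audience, now) -> bool:
    """True when validate_assertion refuses the assertion for these parameters."""
    try:
        validate_assertion(assertion, issuer, audience, now)
    except ValueError:
        return True
    return False


def looks_like_jwt(token: str) -> bool:
    """Shape check for an Azure AD access token (compact JWT: three base64url parts).
    A SAML assertion is XML and fails this, which is why it cannot go in an
    'Authorization: Bearer' header for Graph."""
    parts = token.strip().split(".")
    return len(parts) == 3 and all(parts) and not token.lstrip().startswith("<")


def demo() -> dict:
    """Run the whole pipeline over the constructed sign-in POST."""
    assertion = extract_assertion(wresult_from_post_body(SAMPLE_POST_BODY))
    claims = validate_assertion(assertion, EXPECTED_ISSUER, EXPECTED_AUDIENCE, NOW)
    claims["is_http_bearer_token"] = looks_like_jwt(ET.tostring(assertion, encoding="unicode"))
    return claims


if __name__ == "__main__":
    print(demo())
```

The last field of `demo()`'s result is the point Brando makes: what comes back is a signed XML assertion whose `bearer` is a SAML subject-confirmation method, not the compact JWT that an `Authorization: Bearer` header for Graph expects. The audience and lifetime checks are the part of the OP's `TokenValidationParameters` that actually matters for security; the middleware does them (plus signature verification) before `SecurityTokenValidated` fires.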