Dynamic Realm and ACS


  • We are building a multi-tenant MVC application where each tenant will have its own DNS prefix by using a DNS wildcard. The question is whether it is safe to use the following code to adapt the federation realm, such that ACS can match the realm to a known relying party. If not, what could the alternative be?

    void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FederatedAuthentication.WSFederationAuthenticationModule.Realm = Request.Url.Scheme + "://" + Request.Headers["Host"].ToLower() + "/";
    }


    March 28, 2012 8:47 AM


  • Hi Lars,

    Yes, this is a technique that is used often, for example to support a staging/acceptance/production environment on the same namespace. But you should use the following method instead of Application_AuthenticateRequest: WSFederationAuthenticationModule_RedirectingToIdentityProvider   

    Here is an example of how I do it (from my blog):

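        private void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
        {
            // Get the request url.
            var request = HttpContext.Current.Request;
            var requestUrl = request.Url;
            // Build the realm url: scheme, host, then the application path with a trailing slash.
            var realmUrl = new StringBuilder();
            realmUrl.Append(requestUrl.Scheme);
            realmUrl.Append("://");
            realmUrl.Append(request.Headers["Host"] ?? requestUrl.Authority);
            realmUrl.Append(request.ApplicationPath);
            if (!request.ApplicationPath.EndsWith("/"))
                realmUrl.Append("/");
            // Send the per-request realm in the sign-in message.
            e.SignInRequestMessage.Realm = realmUrl.ToString();
        }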

    Hope this helps.


    Sandrino Di Mattia

    March 28, 2012 9:07 AM
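As an added example (not code from either poster): the Host header is supplied by the client, so a realm derived from it can be checked against the expected wildcard zone before it is placed in the sign-in request. The class `TenantRealm`, the method `TryBuildRealm` and the domain `tenants.example.com` are assumptions for illustration, and this sketch rejects hosts that carry a port.

```csharp
using System;
using System.Text.RegularExpressions;

public static class TenantRealm
{
    // Assumption: the wildcard DNS record covers *.tenants.example.com (placeholder domain).
    private const string BaseSuffix = ".tenants.example.com";

    // A single lower-case DNS label, 1-63 characters, no leading or trailing hyphen.
    private static readonly Regex Label =
        new Regex(@"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z", RegexOptions.CultureInvariant);

    // Builds "<scheme>://<tenant><BaseSuffix><applicationPath>/", or returns false
    // when the Host header is not a tenant name directly under the expected suffix.
    public static bool TryBuildRealm(string scheme, string hostHeader,
                                     string applicationPath, out string realm)
    {
        realm = null;
        if (scheme != Uri.UriSchemeHttps && scheme != Uri.UriSchemeHttp) return false;
        if (string.IsNullOrEmpty(hostHeader)) return false;

        string host = hostHeader.ToLowerInvariant();
        if (!host.EndsWith(BaseSuffix, StringComparison.Ordinal)) return false;

        // What precedes the suffix must be exactly one label: this rejects ports,
        // user-info, paths, nested sub-domains and any other unexpected characters.
        string tenant = host.Substring(0, host.Length - BaseSuffix.Length);
        if (!Label.IsMatch(tenant)) return false;

        string path = string.IsNullOrEmpty(applicationPath) ? "/" : applicationPath;
        if (!path.EndsWith("/", StringComparison.Ordinal)) path += "/";

        realm = scheme + "://" + host + path;
        return true;
    }
}

// Usage inside the RedirectingToIdentityProvider handler from the answer:
//   string realm;
//   if (!TenantRealm.TryBuildRealm(request.Url.Scheme, request.Headers["Host"],
//                                  request.ApplicationPath, out realm))
//       throw new HttpException(400, "Unknown host");
//   e.SignInRequestMessage.Realm = realm;
```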