Any news on .NET Core WS-Federation middleware? #500

Closed
leastprivilege opened this Issue Sep 16, 2016 · 28 comments

@leastprivilege
Contributor

leastprivilege commented Sep 16, 2016

We have several customers who cannot upgrade to .NET core because of the lack of WS-Fed support. Any ETA?

@vibronet


vibronet commented Sep 16, 2016

Hey there, this is still blocked on dotnet/corefx#1132 - + @joshfree in case he has any updates

@joshfree


joshfree commented Sep 16, 2016

/cc @danmosemsft who is driving the .NET Core 1.2 release from the corefx side now

@brentschmaltz


Member

brentschmaltz commented Sep 16, 2016

@danmosemsft in addition to XmlEncrypt, we need XmlDsig.

@brentschmaltz


Member

brentschmaltz commented Oct 14, 2016

@leastprivilege we will update you when we have a POR.

@vgarcia330


vgarcia330 commented Dec 8, 2016

I am in a holding pattern. I have a bunch of clients using WS-Federation and they are opposed to placing anything on the cloud for security authentication. I can't really move to .Net Core until this is built in to the framework.

@danmosemsft


danmosemsft commented Dec 8, 2016

@karelz so he sees this as it depends on dotnet/corefx#1132

@karelz


karelz commented Dec 8, 2016

cc: @bartonjs @steveharter - we should reflect it in our prioritization

@bartonjs


bartonjs commented Dec 8, 2016

@brentschmaltz At this point we're only planning on bringing forward the existing SignedXml and EncryptedXml classes from NetFx (once we have time). No improved performance, no redesigned API.

So if you want to keep the performance of the SecurityModel/IdentityModel rewrite you might not be blocked on us.

@karelz


karelz commented Dec 9, 2016

We plan to meet (I hope next week) and discuss between .NET Core team, WIF team and ASP.NET team what is the best way forward to unblock the scenario.

@adkendall


adkendall commented Dec 14, 2016

Also in a holding pattern here. I need to use OpenId Connect Code Flow (only possible in .NET Core if my information is correct) but also I need the ws-fed middleware, which isn't available in core. Hoping this post can help boost priority.

@huysentruitw


huysentruitw commented Jan 11, 2017

Wondering if there is any update on this? We need to decide if we want to use .NET Core or not, but WS-Federation is holding us back.

@karelz how was the meeting? :)

@karelz


karelz commented Jan 25, 2017

Sorry for the delayed update. We met on 2016/12/14. Three teams were represented: CoreFX (myself), ASP.NET and ActiveDirectory.IdentityModel (@vibronet @brentschmaltz).

Key technical points from our discussion:

  • ActiveDirectory.IdentityModel team is collecting feedback on the need for WS-Fed in .NET Core (@brentschmaltz @vibronet) - it's the driving force behind prioritization and potential funding on their side. Please keep sending the feedback, every +1 helps.
  • There are 2 SignedXml versions:
    1. System.Security.Cryptography.Xml.SignedXml which is part of CoreFX (dotnet/corefx#4278), uses XmlDocument in the API surface. This one is not used at all by WS-Fed code base. It's currently being ported to .NET Core, so it will eventually be an extension of .NET Standard 2.0.
    2. System.IdentityModel.SignedXml which shipped as internal/private part of WCF/WIF in System.Identity.dll, uses XmlReader in the API surface - it is a clone of the one in CoreFX to gain better perf.
      • Currently there are no plans to open-source this version or the entire System.IdentityModel, or make it public API, or make it part of CoreFX repo. Its only purpose is to support WS-Fed.
  • ASP.NET team's work seems to be small to support WS-Fed.

As a result, the key parts of supporting WS-Fed on .NET Core are:

  1. Migrate WS-Fed code to .NET Core (which should be cheap-ish with .NET Core 2.0 supporting .NET Standard 2.0),
  2. Decide on how SignedXml is used by WS-Fed, either
    • If System.IdentityModel.SignedXml should be ported to .NET Core and maintained as part of WS-Fed, or
    • If WS-Fed code should migrate to less-performant System.Security.Cryptography.Xml.SignedXml (which might also have an impact on WS-Fed related API surface, making it not compatible with Desktop - another thing to consider), or
    • If there are other alternative solutions (e.g. build a thin wrapper of System.IdentityModel.SignedXml API surface on top of System.Security.Cryptography.Xml.SignedXml, translating XmlReader usage to XmlDocument usage), etc.
  3. Migrate ASP.NET code for WS-Fed.

As you can see, the 2nd part is non-trivial and likely costly - from a technical point of view it will be the biggest challenge.
Whether and how WS-Fed work will be funded will be driven by business need, which is collected by @vibronet.

Hopefully the write up helps. Sorry if it is not the news you expected - just trying to provide clarity on technical challenges here.

@leastprivilege


Contributor

leastprivilege commented Jan 25, 2017

Well - I can only re-iterate: We have many customers that use ADFS (e.g. the version that shipped with Server 2012 R2). For them, the absence of WS-Fed middleware is a blocker to move to ASP.NET Core.

An ASP.NET Core WS-Fed MW would not need to be necessarily compatible with .NET Core - everyone I spoke to so far would be fine to run ASP.NET Core on the full .NET Framework for the time being (or until it can be replaced by OpenID Connect MW).

@vibronet


vibronet commented Jan 26, 2017

@karelz - the statement below is not really accurate.

• ActiveDirectory.IdentityModel team is collecting feedback on the need for WS-Fed in .NET Core (@brentschmaltz @vibronet) - it's the driving force behind prioritization and potential funding on their side.

I want to be extra clear on this point. What we asserted during that meeting is that until the underlying platform does not provide the essential capabilities for doing XML processing, we are not even considering that in planning because it's non-actionable for us. There is no shortage of feedback about the fact that the feature would be useful for customers; but without even the basic capabilities in place, there's nothing we can do. Once the capabilities will be in place in the underlying platform, we will be able to start stackranking it against the other commitments. Until then, it's not even on our radar.

@leastprivilege


Contributor

leastprivilege commented Jan 26, 2017

So why not do a "full framework only" version to start with? That would be a pretty straightforward port of the Katana MW - and would make your customers happy.

@Asshiah


Asshiah commented Mar 22, 2017

@brentschmaltz


Member

brentschmaltz commented Mar 22, 2017

@aashiman our plan is to release wsFed support in April timeframe.

@kbrekke


kbrekke commented Mar 23, 2017

@brentschmaltz for .NET Core or ASP.NET Core targeting the full FW?

@brentschmaltz


@ryanbuening


ryanbuening commented May 25, 2017

@brentschmaltz any update on WS-Federation on .NET Core? Is it available in the 2.0 preview?

@yaronmiz


yaronmiz commented Jul 6, 2017

Hi, I am also interested in that, since we also have multiple apps using WS-Federation authentication and we consider switching to .NET Core.
Any updates? Noticed no progress in the last two months.

@brentschmaltz


Member

brentschmaltz commented Jul 7, 2017

@yaronmiz @ryanbuening there has been lots of progress. Our current nightlies have been integrated into a fork of Katana, which has a planned update to the 5.2.0 release. The asp.net team will work with us to get the MW in place for 2.1 Core release. After that both Katana and Core will use the same version of IdentityModel, which will help some very frustrated folks.

Look at the assembly list from 5.1.3 -> 5.2.0. We have added Microsoft.IdentityModel.Xml, Microsoft.IdentityModel.Tokens.Saml, Microsoft.IdentityModel.Protocols.WsFederation in the 5.2.0 pre release.

@Compufreak345


Compufreak345 commented Jul 7, 2017

@brentschmaltz
Is this fork available publicly?
We are currently evaluating the migration of multiple .Net 4.6.x projects to .Net Core 2.0, and it would be great if I could get WSFederation to work in a Proof of Concept, and maybe even in a productive environment with some manual work. Do you think this is realistic at the current time, or should we wait for the release of 2.1?

@brentschmaltz


Member

brentschmaltz commented Jul 7, 2017

@Compufreak345 there is no support in asp.net core yet. This is planned in 2.1 release, but they will get nightlies that you can work with. @Tratcher for additional details.

@Tratcher


Contributor

Tratcher commented Jul 7, 2017

@WayneCBarker


WayneCBarker commented Aug 4, 2017

I have several clients that require us to integrate with their identity providers that require ws-federation. We as R & D want to invest in asp.net core and service fabric but this lack of WS-Federation is holding us back. At the moment we are hoping ws-fed will be supported by end of Q4 2018. Does that sound correct?

@Tratcher


Contributor

Tratcher commented Aug 4, 2017

@WayneCBarker the middleware availability is better tracked here: aspnet/Security#43

@Tratcher


Contributor

Tratcher commented Oct 9, 2017

An official preview is now available. See aspnet/Security#1473
