This repository has been archived by the owner on Jul 8, 2019. It is now read-only.

How to use? #2

Closed
stefan89 opened this issue Jul 15, 2015 · 5 comments

Comments

@stefan89

Could someone provide documentation about how to use this plugin?

@brockallen
Member

Dup: #1

@senj

senj commented Oct 12, 2015

I don't know if i got everything right, but this is how i did it:

  1. WindowsAuthentication Server
    Download this package. I'll use the self-host option.
    This "WindowsAuthentication" Server runs as a separate process and as an additional IDP for the identity server.

I created the sts certificate, and set some options in the Startup class...

    // Options of the WindowsAuthentication server (the STS). IdpRealm is the
    // value IdentityServer must send as Wtrealm; IdpReplyUrl is where the
    // STS posts the token back.
    var options = new WindowsAuthenticationOptions
    {
        IdpReplyUrl = "https://identityserverurl/core/login",
        IdpRealm = "urn:win",
        EnableWsFederationMetadata = true
    };

run it. you can check the metadata endpoint under the URL specified in the Program class.

  2. Identity Server
    On the Identity Server, install the Microsoft.Owin.Security.WsFederation nuget package.

In your IdentityServerOptions, add
IdentityProviders = ConfigureAdditionalIdentityProviders. This may look like this

    var options = new IdentityServerOptions
    {
        SiteName = "IdentityServer3",
        SigningCertificate = Certificate.Get(),
        Factory = idSvrFactory,
        AuthenticationOptions = new AuthenticationOptions
        {
            EnablePostSignOutAutoRedirect = true,
            // Callback in which the external (WS-Fed) provider is registered.
            IdentityProviders = ConfigureAdditionalIdentityProviders,
        },
    };

Then use this piece of code as described in the identity server docs.

    // Registers the WindowsAuthentication server as an external identity provider.
    // Wtrealm must equal the IdpRealm configured on that server: the middleware
    // validates the token audience against it.
    var windowsAuthentication = new WsFederationAuthenticationOptions
    {
        AuthenticationType = "windows",
        Caption = "Windows",
        SignInAsAuthenticationType = signInAsType,
        // Metadata (including the STS signing key) is fetched from this address.
        MetadataAddress = "http://localhost:44350/",
        Wtrealm = "urn:win"
    };
    app.UseWsFederationAuthentication(windowsAuthentication);

The Wtrealm of WsFedAuthOptions and the IdpRealm on AuthenticationServer must match, else you'll get an error like this:

IDX10214: Audience validation failed. Audiences: 'urn:win'. Did not match:  validationParameters.ValidAudience: 'urn:win1' or validationParameters.ValidAudiences: 'null'

If I use my client page to access a protected resource I'll get a redirect to Identity Server, pick the "Windows" authentication provider, get a (ws fed) redirect to the WindowsAuthentication Server, see the consent page (with OAuth URL parameters) and login.

The one thing that doesn't work in my example is the redirect after logout. I can specify a wreply URL in WsFederationAuthenticationOptions and change the AuthenticationController to redirect, but that won't work if I have different clients.
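The two steps above, wired end to end in one C# listing. This is an added example, not code from the repository or from the commenter. Hostnames, ports, certificate paths, the `mvc` client definition and the `/core/was` reply path are assumptions for illustration; `WindowsAuthenticationOptions` and `UseWindowsAuthenticationService` are the names the IdentityServer.WindowsAuthentication package exposes, and the `IdentityServer.WindowsAuthentication.Configuration` namespace is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using IdentityServer.WindowsAuthentication.Configuration; // assumed namespace of the STS package
using Microsoft.Owin.Security.WsFederation;
using Owin;

// Values both processes must agree on. Realm is the one that must match exactly: IdentityServer
// sends it as wtrealm and checks it as the token audience; a mismatch is the IDX10214 error above.
public static class WindowsIdp
{
    public const string Realm = "urn:win";
    public const string IdentityServerBase = "https://localhost:44333"; // assumed
    public const string WindowsAuthBase = "https://localhost:44350";    // assumed

    // Assumed certificate location; any X509Certificate2 with a private key works.
    public static X509Certificate2 LoadCertificate(string path, string password)
    {
        return new X509Certificate2(path, password, X509KeyStorageFlags.MachineKeySet);
    }
}

// Process 1: the WindowsAuthentication STS, self-hosted with Microsoft.Owin.Host.HttpListener.
public class WindowsAuthStartup
{
    public void Configuration(IAppBuilder app)
    {
        // Self-host: the listener has to negotiate the Windows identity itself,
        // otherwise the STS never sees a Windows principal to issue a token for.
        var listener = (HttpListener)app.Properties["System.Net.HttpListener"];
        listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;

        app.UseWindowsAuthenticationService(new WindowsAuthenticationOptions
        {
            IdpReplyUrl = WindowsIdp.IdentityServerBase + "/core/was", // where the STS posts the token back
            IdpRealm = WindowsIdp.Realm,
            SigningCertificate = WindowsIdp.LoadCertificate("sts.pfx", "changeit"),
            EnableWsFederationMetadata = true,
            EnableOAuth2Endpoint = false
        });
    }
}

// Process 2: IdentityServer3 with the STS registered as an external identity provider.
public class IdentityServerStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.Map("/core", core =>
        {
            var factory = new IdentityServerServiceFactory()
                .UseInMemoryClients(new List<Client> { MvcClient() })
                .UseInMemoryScopes(StandardScopes.All)
                .UseInMemoryUsers(new List<InMemoryUser>()); // every user arrives via the STS

            core.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "IdentityServer3",
                SigningCertificate = WindowsIdp.LoadCertificate("idsrv.pfx", "changeit"),
                Factory = factory,
                AuthenticationOptions = new AuthenticationOptions
                {
                    EnablePostSignOutAutoRedirect = true,
                    IdentityProviders = ConfigureAdditionalIdentityProviders
                }
            });
        });
    }

    // IdentityServer3 calls this with the authentication type that external identities
    // must be signed in as; using it is what lets the external-login flow pick them up.
    private static void ConfigureAdditionalIdentityProviders(IAppBuilder app, string signInAsType)
    {
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            AuthenticationType = "windows",
            Caption = "Windows",
            SignInAsAuthenticationType = signInAsType,
            // The STS signing key is taken from this metadata document: fetch it over https
            // only, or anyone on the path can hand IdentityServer a key of their choosing.
            MetadataAddress = WindowsIdp.WindowsAuthBase + "/",
            Wtrealm = WindowsIdp.Realm
        });
    }

    // Assumed relying party so the flow described above has something to redirect to.
    private static Client MvcClient()
    {
        return new Client
        {
            ClientId = "mvc",
            Flow = Flows.Implicit,
            RedirectUris = new List<string> { "https://localhost:44300/" },
            PostLogoutRedirectUris = new List<string> { "https://localhost:44300/" },
            AllowedScopes = new List<string> { "openid", "profile" }
        };
    }
}
```

Run each `Startup` class in its own host (`WebApp.Start<WindowsAuthStartup>` and `WebApp.Start<IdentityServerStartup>`). The only value that must be identical in both processes is `WindowsIdp.Realm`; the audience check that produces IDX10214 compares the `IdpRealm` baked into the token against the `Wtrealm` IdentityServer is configured with, so keeping them in one constant removes the most common reason this setup fails.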

@leastprivilege
Member

You don't need the WsFed plugin, unless you want to talk WsFed from Client to Idsrv.

@senj

senj commented Oct 12, 2015

Yes, sorry, I got that one now.

@jasperzig

Does anyone have a more complete working example? I've been trying to gather snippets from across the web to get this to work, and nothing so far has done it.
