using System;
using System.Configuration;
using System.IdentityModel.Tokens;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using Dlbr.CommonLogin.Owin;
using Microsoft.IdentityModel.Extensions;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Logging;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OAuth;
using Microsoft.Owin.Security.WsFederation;
namespace Owin
{
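/// <summary>
/// OWIN pipeline helpers that wire up WS-Federation (ADFS) sign-in with a cookie session,
/// reading the realm and the federation metadata address from appSettings.
/// </summary>
public static class AppBuilderExtensions
{
    private const string AppSettingsKeyRealm = "ida:Wtrealm";
    private const string AppSettingsKeyAdfsMetadata = "ida:ADFSMetadata";

    // WS-Federation "wa" value the IdP sends to tear down the local session after a sign-out elsewhere.
    private const string SignOutCleanupAction = "wsignoutcleanup1.0";

    private const string AuthorizationHeader = "Authorization";

    /// <summary>
    /// Builds <see cref="WsFederationAuthenticationOptions"/> from the <c>ida:Wtrealm</c> and
    /// <c>ida:ADFSMetadata</c> appSettings.
    /// </summary>
    /// <param name="app">The application builder the options are created for.</param>
    /// <returns>Options with the realm, metadata address and default notifications set.</returns>
    /// <exception cref="InvalidOperationException">Either appSetting is missing or blank.</exception>
    public static WsFederationAuthenticationOptions CreateDefaultWSFederationOptionsFromConfig(this IAppBuilder app)
    {
        // Fail at startup naming the offending key rather than letting a null address reach the middleware.
        string realm = ReadRequiredAppSetting(AppSettingsKeyRealm);
        string adfsMetadata = ReadRequiredAppSetting(AppSettingsKeyAdfsMetadata);
        return app.CreateDefaultWSFederationOptions(realm, adfsMetadata);
    }

    /// <summary>
    /// Builds <see cref="WsFederationAuthenticationOptions"/> for the given realm and metadata address,
    /// using the name-identifier claim as the principal name and suppressing the redirect to the IdP
    /// for API callers and for already-authenticated users.
    /// </summary>
    /// <param name="app">The application builder the options are created for.</param>
    /// <param name="realm">The WS-Federation <c>wtrealm</c> of this relying party.</param>
    /// <param name="adfsMetadata">URL of the identity provider's federation metadata document.</param>
    /// <returns>The populated options.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="realm"/> or <paramref name="adfsMetadata"/> is null.</exception>
    public static WsFederationAuthenticationOptions CreateDefaultWSFederationOptions(this IAppBuilder app, string realm, string adfsMetadata)
    {
        if (realm == null)
        {
            throw new ArgumentNullException("realm");
        }
        if (adfsMetadata == null)
        {
            throw new ArgumentNullException("adfsMetadata");
        }

        return new WsFederationAuthenticationOptions
        {
            Wtrealm = realm,
            MetadataAddress = adfsMetadata,
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = ClaimTypes.NameIdentifier
            },
            Notifications = new WsFederationAuthenticationNotifications
            {
                RedirectToIdentityProvider = args =>
                {
                    DoNotRedirectToIdpWhenAuthenticatedButNotAuthorized(args);
                    DoNotRedirectToIdpWhenAuthorizationHeaderIsPresent(args);
                    return Task.FromResult(0);
                }
            }
        };
    }

    // A caller that presents its own credentials (e.g. a bearer token) is not a browser session:
    // hand back the bare 401 instead of a 302 to the IdP that such a client cannot follow.
    private static void DoNotRedirectToIdpWhenAuthorizationHeaderIsPresent(RedirectToIdentityProviderNotification<WsFederationMessage, WsFederationAuthenticationOptions> args)
    {
        if (args.OwinContext.Request.Headers.ContainsKey(AuthorizationHeader))
        {
            args.State = NotificationResultState.HandledResponse;
        }
    }

    // A user who is already authenticated and is challenged again has failed authorization, not
    // authentication; bouncing them to the IdP would only sign them in again. Leave the response as-is.
    private static void DoNotRedirectToIdpWhenAuthenticatedButNotAuthorized(RedirectToIdentityProviderNotification<WsFederationMessage, WsFederationAuthenticationOptions> args)
    {
        if (args.ProtocolMessage.IsSignInMessage && IsAuthenticated(args.OwinContext.Authentication.User))
        {
            args.State = NotificationResultState.HandledResponse;
        }
    }

    // Null-safe: a missing principal or identity counts as anonymous instead of throwing.
    private static bool IsAuthenticated(ClaimsPrincipal user)
    {
        return user != null && user.Identity != null && user.Identity.IsAuthenticated;
    }

    // Reads an appSetting and rejects a missing or blank value, naming the key in the error.
    private static string ReadRequiredAppSetting(string key)
    {
        string value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrWhiteSpace(value))
        {
            throw new InvalidOperationException("Missing required appSetting '" + key + "'.");
        }
        return value;
    }

    /// <summary>
    /// Handles the WS-Federation sign-out cleanup request (<c>wa=wsignoutcleanup1.0</c>) on any path by
    /// clearing the local cookie session, then continues the pipeline.
    /// </summary>
    /// <remarks>
    /// See http://leastprivilege.com/2015/07/08/federated-logout-with-the-katana-ws-federation-middleware/
    /// The cleanup request is sent by the IdP through the user's browser and is unauthenticated by design,
    /// so any page that can make the browser fetch a URL of this application carrying that parameter can
    /// end the local session. The effect is limited to a sign-out.
    /// </remarks>
    /// <param name="app">The application builder to add the middleware to.</param>
    /// <returns><paramref name="app"/>, for chaining.</returns>
    public static IAppBuilder UseWsFederationSignout(this IAppBuilder app)
    {
        app.Use(async (ctx, next) =>
        {
            var action = ctx.Request.Query.Get("wa");
            // Ordinal: protocol constant, not user-facing text. A missing parameter compares false.
            if (string.Equals(action, SignOutCleanupAction, StringComparison.Ordinal))
            {
                ctx.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
            }
            await next();
        });
        return app;
    }

    /// <summary>
    /// Registers cookie authentication as the default sign-in type, WS-Federation authentication built
    /// from appSettings, and the sign-out cleanup handler, in that order.
    /// </summary>
    /// <param name="app">The application builder to configure.</param>
    /// <returns><paramref name="app"/>, for chaining.</returns>
    /// <exception cref="InvalidOperationException">A required appSetting is missing or blank.</exception>
    public static IAppBuilder UseWsFederationAndCookieAuthenticationWithDefaults(this IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication();
        // Reuse the config-backed factory so both entry points read and validate the same keys.
        app.UseWsFederationAuthentication(app.CreateDefaultWSFederationOptionsFromConfig());
        app.UseWsFederationSignout();
        return app;
    }
}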
}