You can use the Windows Identity Foundation SDK to replace the authentication scheme of your ASP.NET web application. Most notably, this is useful for making your application claims-aware, which allows it to seamlessly play together with solutions like Active Directory Federation Services or the Windows Azure AppFabric Access Service. This is useful for a various number of SSO and federated authentication scenarios.
Basically, what you do is that you switch off the built-in authentication in ASP.NET like forms-based authentication, and let WIF act as a proxy in front of your application. WIF uses the authorization settings in web.config (/configuration/system.web/authorization and /configuration/location/system.web/authorization elements) and authenticates the user before the ASP.NET application receives the request. See WS-Federated Authentication Module Overview for details
So, when the application receives the request, the user is already authenticated, which is fine. However, there are times when the application needs to know who the user is, or getting access to the other claims that were provided from the identity service. Luckily, this is available on the HTTP context. Say, for instance, if you wish to find the email address of the logged-in user, you can do it like so:
protected void Page_Load(object sender, EventArgs e)
{
var claimsIdentity = Context.User.Identity as IClaimsIdentity;
foreach (var claim in claimsIdentity.Claims)
{
if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")
{
var email = claim.Value;
}
}
}If the user was authenticated using claims, Context.User.Identity will be an IClaimsIdentity which will contain a number of claims about the user. We can then iterate over these claims to find the one that we want.
The claim types are denoted using XML namespaces, which are a little bit cumbersome to work with. So, to make it easier to access, we iterate over the list of claims, and make all the claims available on a common object:
public static class IdentityExtension
{
public static DynamicUser GetUserFromClaims(this HttpContext context)
{
var claimsIdentity = context.User.Identity as IClaimsIdentity;
if (claimsIdentity == null) throw new FailedAuthenticationFaultException();
return new DynamicUser(claimsIdentity.Claims);
}
}
public class DynamicUser : DynamicObject
{
private readonly ClaimCollection _claims;
public DynamicUser(ClaimCollection claims)
{
_claims = claims;
Id = ClaimsValue("nameidentifier")[0];
}
public string Id { get; private set; }
public bool IsInRole(string role)
{
return ClaimsValue("role").Any(c => c.Equals(role, StringComparison.OrdinalIgnoreCase));
}
private string[] ClaimsValue(string claimSuffix)
{
return _claims.Where(c => c.ClaimType.EndsWith(claimSuffix)).Select(c => c.Value).ToArray();
}
public override bool TryGetMember(GetMemberBinder binder, out object result)
{
var claimValue = ClaimsValue(binder.Name.ToLowerInvariant());
if (claimValue.Length == 0)
{
return base.TryGetMember(binder, out result);
}
if (claimValue.Length == 1)
{
result = claimValue[0];
}
else
{
result = claimValue;
}
return true;
}
}Then, we can access the claim values using a prefix of the actual XML namespace of the claim type:
protected void Page_Load(object sender, EventArgs e)
{
var user = Context.GetUserFromClaims();
var id = user.Id;
var username = user.Name; // "John Doe"
}When hooking up the application to Windows Azure AppFabric Access Control Service (ACS), which claims that the application will receive depends on your rule group configuration. Here are some examples:
| Claim type | Shorthand | Example value |
|---|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | user.Id |
NHsTR1UXFI9xYk1xIRUNfucZ4/a5OWiILHlNyNEXozP= |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | user.Name |
John Doe |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.Emailaddress |
john.doe@hotmail.com |
If you set up role claim rules in ACS, you can even get information about the user’s roles so that you can do authorization in the code:
protected void Page_Load(object sender, EventArgs e)
{
var user = Context.GetUserFromClaims();
var isAdmin = user.IsInRole("administrator"):
}