Tags: security, wif, geneva-framework, windows-identity

How can I generate a SAML Security Token within the same application that consumes it?


I've been configuring some of my applications to use the Windows Identity Foundation. I use the passive redirection to get security tokens from a Security Token Service. I accomplished this by inserting WIF code into a logon web site that existed before I started using WIF and then using the "Add STS Reference" within the applications.

However, I have one application that does not use the logon web site. I think that what I would like to do is generate the security token within the application itself without redirecting the user to an external STS.

I tried unsuccessfully to accomplish this by using the ClaimsAuthenticationManager class, which can be used to add additional claims to a security token received from an external STS. However, ClaimsAuthenticationManager doesn't work in this context. Instead of calling ClaimsAuthenticationManager only a single time per session (the expected and desired result), it gets called on every page load with no sign of the claims that I assigned to the user on the previous page load.

I'm looking at creating an external STS that will give the user the claims from a database, but I see this as being a hazard. There seems to be no reason that I must create a whole separate STS for only a single web site. I would like to just generate the security token within my application.


Solution

  • It is possible to put the Security Token Service class within your own application.

    However, in order for the user to be able to access a log-in page in your application before they've obtained the token, you must remove the <deny users="?" /> element from the <authorization> section of web.config. This will allow users to hit your web page with no security token. Once they log in, redirect them to the appropriate page.

    This has the disadvantage of not being able to use the convenient passive redirect functionality, but it does work. That means that you must manually redirect users to the log-in page when they try to do something that requires them to be logged in.
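The log-in step the answer describes, written out as an added example (it is not code from the question or the answer): the page is reachable anonymously because `<deny users="?" />` has been removed, the application checks the credentials itself, creates the claims in-process and writes the WIF session cookie, then redirects. It assumes WIF 1.0 (the Microsoft.IdentityModel assembly the question uses), an ASP.NET WebForms page with UserName, Password and ErrorLabel controls, and two hypothetical data-access helpers, ValidateCredentials and LoadRoles, that the application supplies; it uses the session token path rather than a SecurityTokenService subclass.

```csharp
// Added example, not from the original page. Log-in page code-behind for an
// ASP.NET WebForms application using WIF 1.0 (Microsoft.IdentityModel).
using System;
using System.Collections.Generic;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Hypothetical helper: verifies the password against the application's own store.
        if (!ValidateCredentials(UserName.Text, Password.Text))
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Build the claims in-process instead of round-tripping to an external STS.
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, UserName.Text) };
        foreach (string role in LoadRoles(UserName.Text))   // hypothetical helper
            claims.Add(new Claim(ClaimTypes.Role, role));

        var identity = new ClaimsIdentity(claims, "Forms");
        var principal = new ClaimsPrincipal(identity);

        // Issue a session token and write the FedAuth cookie. On later requests the
        // SessionAuthenticationModule rebuilds the principal from that cookie, so the
        // claims survive across page loads (unlike the ClaimsAuthenticationManager
        // attempt described in the question).
        var token = new SessionSecurityToken(principal, TimeSpan.FromHours(8));
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);

        // Send the user on to the page they originally requested, but only if it is
        // local to this site, so the log-in page cannot be used as an open redirector.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (string.IsNullOrEmpty(returnUrl) || !IsLocalUrl(returnUrl))
            returnUrl = "~/Default.aspx";
        Response.Redirect(returnUrl, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Accepts only site-relative paths such as "/Orders.aspx"; rejects "//host",
    // "/\host" and absolute URLs, which browsers would treat as another site.
    private static bool IsLocalUrl(string url)
    {
        return url.StartsWith("/", StringComparison.Ordinal)
            && !url.StartsWith("//", StringComparison.Ordinal)
            && !url.StartsWith("/\\", StringComparison.Ordinal);
    }
}
```

Pages that require a signed-in user still need the manual check the answer mentions (redirect to this page with a ReturnUrl when Request.IsAuthenticated is false), since the passive redirect is no longer doing it.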