
Federated authentication from ASP.NET MVC to SharePoint


The scenario:

  • Our current stack is a SharePoint 2013 web application
  • Users log in to the SP2013 site using ADFS claims-based federated authentication: When users click "Log In" in the SP site, they are redirected via ADFS to the identity provider that authenticates the user, and using SP's built-in support for federated authentication we get a SAML token that is stored in SharePoint's Secure Token Service. The user's browser gets a FedAuth cookie that (if I understand correctly) refers to the token stored in SharePoint.
  • We want to gradually migrate away from SP to an ASP.NET MVC-based stack
  • The key here is gradual migration: We want to migrate pages and REST services from SP to a new system piece by piece.

For instance, URL /thisurl/ should be handled by the legacy SP application, and /migratedurl/ should be handled by the new ASP.NET MVC application.

I have the following questions/issues:

  • Question 1: How do we handle authentication in the new setup? I imagine the authentication (i.e. handling the user clicking the "Login" link, redirecting to ADFS -> identity provider) will still be handled by the legacy SP site. In this scenario, how can the new ASP.NET MVC application access the claims for the authenticated user?
  • Question 2: What is the best way to deploy this? Should the new ASP.NET MVC application be an IIS web app under the SharePoint web site? Or should it be a new IIS web site? Keep in mind that the ASP.NET MVC app needs to do AJAX calls to the SP site and vice versa.

My understanding of SharePoint, federated identity, ADFS etc. is at best limited, so my description of our system might be lacking, there might be things that I misunderstand, there might be terminology that I don't get right etc. Please let me know if there are changes I can make to the question to make it clearer.


Solution

  • What you have in ADFS terms is two separate Relying Parties (RPs), viz. the SP site and the new MVC application.

    ADFS applies SSO across them.

    Your new app. will be claims-based i.e. you need to add WS-Fed functionality via WIF (older) or OWIN (new and shiny).

    Refer: Use the OWIN Security Components in ASP.NET to Implement Web Sign On with ADFS for a good OWIN / ADFS example.

    So what happens is that a user logs in to SP. They now have both SP and ADFS sets of cookies. They then open the MVC app. They have no app cookies, so they are redirected to ADFS. ADFS sees they have ADFS cookies and issues a token without prompting; OWIN validates it, creates app cookies, and the user is seamlessly signed in.

    The cleanest deployment method would be to make the app. a new IIS web site.

    This has two advantages:

    • No dependencies on SP
    • Very easy to migrate to Azure in the future (just needs some web.config changes)
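
As an added example (not code from the answer above or from the linked Microsoft walkthrough), this is the minimal OWIN wiring that makes the new MVC site its own WS-Federation relying party against ADFS, plus a controller showing how the migrated app reads the user's claims from its own cookie rather than from SharePoint's FedAuth cookie. The hostnames, the `Wtrealm` value, the cookie name and the `MigratedUrlController` name are assumptions for illustration; the realm must match the RP identifier configured in ADFS for the new site. Packages required: `Microsoft.Owin.Host.SystemWeb`, `Microsoft.Owin.Security.Cookies`, `Microsoft.Owin.Security.WsFederation`.

```csharp
using System.Security.Claims;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(MigratedApp.Startup))]

namespace MigratedApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // After ADFS posts a token back, the WS-Fed middleware hands the
            // resulting identity to the cookie middleware, which issues the
            // app's own session cookie. SharePoint's FedAuth cookie is never read here.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieName = "MigratedAppAuth",      // assumed name; distinct from SP's FedAuth
                CookieHttpOnly = true,               // not readable by script
                CookieSecure = CookieSecureOption.Always // only sent over HTTPS
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // Realm = the RP identifier registered in ADFS for the new site (assumed value).
                // The middleware also uses it as the expected token audience.
                Wtrealm = "https://migrated.example.com/",
                // ADFS publishes its signing certificates and endpoints here (assumed host);
                // ADFS 2.x/3.x use this 2007-06 metadata path.
                MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml",
                Notifications = new WsFederationAuthenticationNotifications
                {
                    // Runs after signature, issuer, audience and lifetime checks have passed.
                    // Reject tokens that carry no usable user identifier rather than
                    // signing in an anonymous principal.
                    SecurityTokenValidated = ctx =>
                    {
                        var identity = ctx.AuthenticationTicket.Identity;
                        if (identity.FindFirst(ClaimTypes.Upn) == null &&
                            identity.FindFirst(ClaimTypes.Email) == null)
                        {
                            ctx.HandleResponse();
                            ctx.Response.StatusCode = 403;
                        }
                        return System.Threading.Tasks.Task.FromResult(0);
                    }
                }
            });
        }
    }
}

namespace MigratedApp.Controllers
{
    // Unauthenticated requests to /migratedurl/ are redirected to ADFS by the
    // middleware; a user already holding an ADFS session cookie comes straight back.
    [Authorize]
    public class MigratedUrlController : Controller
    {
        public ActionResult Index()
        {
            // Claims arrive on the principal populated from the app's own cookie.
            var principal = (ClaimsPrincipal)User;
            var upn = principal.FindFirst(ClaimTypes.Upn);
            var roles = principal.FindAll(ClaimTypes.Role);

            ViewBag.Upn = upn != null ? upn.Value : "(no UPN claim issued)";
            ViewBag.Roles = System.Linq.Enumerable.Select(roles, r => r.Value);
            return View();
        }
    }
}
```

The claims the controller sees are whatever ADFS is configured to issue for this relying party; if the SP site gets a claim the MVC app needs, the same issuance rule has to be added to the new RP trust in ADFS, since the two RPs are configured independently.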