Tags: asp.net, webforms, owin, ws-federation, adfs3.0

ASP.NET Web Forms Site - integration with multiple ADFS using OWIN KATANA


I'm configuring an old existing Web Forms site as a multi-tenant environment. One requirement is to be able to integrate with multiple client ADFS instances. I have followed this post and have successfully implemented an MVC application supporting multiple ADFS instances. However, I still face an issue that is not reproducible with the MVC app. In my Web Forms site, only the first ADFS provider registered succeeds. The second one always throws SignatureVerificationFailedException after authenticating and returning to my site (the exception happens on my side). This happens regardless of whether I use app.Map(...) or app.Use(...) in the OWIN startup configuration.
I tried converting my web site to a web application, but got the same result. I guess it is something connected with the way requests are handled in Web Forms, which is different from MVC.

Should I handle the middleware mapping in some different way?
What am I missing?
Or is this not possible at all?

Here is my OWIN startup configuration:

// Requires: using Microsoft.Owin.Security.Cookies; using Microsoft.Owin.Security.WsFederation; using Owin;
// Equivalent to app.SetDefaultSignInAsAuthenticationType(Config.ExternalAuthentication.Cookie)
app.Properties["Microsoft.Owin.Security.Constants.DefaultSignInAsAuthenticationType"] = Config.ExternalAuthentication.Cookie;
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = Config.ExternalAuthentication.Cookie,
    AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive
});

// One shared wreply / wtrealm for every tenant
string wreply = Config.ExternalAuthentication.Wreply;
string wtrealm = Config.ExternalAuthentication.Wtrealm;

List<Company> adfsCompanies = BL.GetCompaniesWithADFS();
app.Map("/Public/Login.aspx", configuration =>
{
    foreach (Company company in adfsCompanies)
    {
        // configure one WS-Federation middleware instance per tenant
        var options = new WsFederationAuthenticationOptions()
        {
            MetadataAddress = company.ADFSMetadataUrl,   // signing keys and issuer are read from the tenant's federation metadata
            AuthenticationType = company.TenantName,     // the scheme name passed to Challenge(...)
            Caption = company.Name,
            Wreply = wreply,
            Wtrealm = wtrealm,
            BackchannelCertificateValidator = null       // null = default TLS certificate validation for the metadata request
        };

        // add to pipeline
        configuration.UseWsFederationAuthentication(options);
    }
});

Here is my challenge request:

// provider == the AuthenticationType (company.TenantName) of the middleware to redirect to
context.GetOwinContext().Authentication.Challenge(
    new AuthenticationProperties { RedirectUri = callbackUrl },
    provider);
// A 401 with the challenge set lets the passive middleware turn the response into the ADFS redirect
response.StatusCode = 401;
response.End();

No matter what I do, only the first registered ADFS middleware succeeds, no matter which one. I also tried attaching the middlewares to different pipeline stages with no success.

Thanks in advance for any help!


Solution

  • For multiple WS-Fed middlewares, each should set a unique WsFederationAuthenticationOptions.CallbackPath, e.g. "/ws1". You'll also need to include this value in the wreply.
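As an added example (not code from the question or the answer above), here is an OWIN Startup that applies the answer's fix: each tenant gets its own CallbackPath and a matching wreply, so only the middleware instance built from that tenant's federation metadata tries to validate the token posted back to that path. With no CallbackPath set, every WS-Federation middleware in the Katana pipeline inspects each form POST for a wresult, so the first instance registered attempts to verify a token signed by the other tenant's ADFS and fails with SignatureVerificationFailedException. The Tenant class, LoadTenants(), the BaseUrl/Realm constants and the metadata URLs are hypothetical stand-ins for the question's Company, BL.GetCompaniesWithADFS() and Config values; the tenant Key is assumed to be URL-safe.

```csharp
using System.Collections.Generic;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(MultiTenantWsFed.Startup))]

namespace MultiTenantWsFed
{
    // Hypothetical tenant record standing in for the question's Company type.
    public class Tenant
    {
        public string Key { get; set; }          // URL-safe id: used as AuthenticationType and in the callback path
        public string Name { get; set; }         // display name (Caption)
        public string MetadataUrl { get; set; }  // that tenant's ADFS FederationMetadata.xml
    }

    public class Startup
    {
        const string CookieType = "ExternalCookie";

        // Assumed values: the site's public base URL (no trailing slash) and the
        // wtrealm configured on every tenant's relying party trust.
        const string BaseUrl = "https://app.example.com";
        const string Realm = "https://app.example.com/";

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieType,
                AuthenticationMode = AuthenticationMode.Passive
            });

            // Registered at the top level (not under app.Map) so that the POST from
            // ADFS to /signin-wsfed/<tenant> actually reaches the middleware.
            foreach (Tenant tenant in LoadTenants())
            {
                // Unique per tenant: /signin-wsfed/contoso, /signin-wsfed/fabrikam, ...
                PathString callbackPath = new PathString("/signin-wsfed/" + tenant.Key);

                app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
                {
                    AuthenticationType = tenant.Key,
                    Caption = tenant.Name,
                    MetadataAddress = tenant.MetadataUrl,
                    Wtrealm = Realm,
                    // ADFS posts the token back to this tenant's own path ...
                    Wreply = BaseUrl + callbackPath.Value,
                    // ... and only this middleware instance handles POSTs to that path,
                    // so the token is verified against the right tenant's signing key.
                    CallbackPath = callbackPath
                });
            }
        }

        static IEnumerable<Tenant> LoadTenants()
        {
            // Constructed sample data; in the question this comes from BL.GetCompaniesWithADFS().
            yield return new Tenant
            {
                Key = "contoso", Name = "Contoso Ltd",
                MetadataUrl = "https://adfs.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml"
            };
            yield return new Tenant
            {
                Key = "fabrikam", Name = "Fabrikam Inc",
                MetadataUrl = "https://adfs.fabrikam.example/FederationMetadata/2007-06/FederationMetadata.xml"
            };
        }
    }
}
```

The challenge code from the question stays the same; the provider argument must be the tenant's Key, since that is the AuthenticationType of the middleware that should issue the redirect. Two things to check on the ADFS side: each per-tenant wreply URL (https://app.example.com/signin-wsfed/contoso, and so on) has to be added as a WS-Federation passive endpoint on that tenant's relying party trust, otherwise ADFS will not post the token back to it, and the relying party identifier on each trust must equal Realm.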