I am using Windows Identity Foundation with Azure's AppFabric Access Control Service in a MVC3 site. What I am trying to figure out is how to control where WIF redirects the user if I have an AuthorizeAttribute on a controller or action. (This is my first time working with WIF and there doesn't seem to be a lot of good information available.)
I have disabled auto-forwarding because it kept sending me to the default ACS authentication page. I want to keep users on my site using my custom login page, but I cannot seem to figure out what settings need to be tickled to do this.
Is there a way, natively with WIF, to tell it to redirect to my login page or am I going to have to write my own AuthorizeAttribute to do this for me?
Thanks!
Edit:
Since there has been some activity on this lately, I figured I would write out some of my findings. Unfortunately, I am not 100% sure what caused everything to work properly (so many moving parts), but I did finally get WIF to redirect to my login page.
I did this without adding any code to the program and, instead, deviated a little from the examples I found. I found that keeping the forms authentication portion of web.config allowed everything to work. In my web.config I have the normal forms auth entry:
    <system.web>
      <httpRuntime requestValidationMode="2.0" />
      <!-- Forms authentication kept alongside WIF; loginUrl is the site's own login page -->
      <authentication mode="Forms">
        <forms loginUrl="~/Account/Login" timeout="2880" />
      </authentication>
      ...
    </system.web>
Disclaimer: I do not know if this is the right way to do things with WIF--it just happens to solve my problem. I can use the regular [Authorize] attribute on controllers or actions and I get proper redirects to the login page as if I was using forms authentication.
I've played a little bit more with a sample and, depending on what you need to do before redirecting, it might or might not help.
In the global.asax, I've added a handler to the "RedirectingToIdentityProvider" event and customized it to add, say, the whr parameter. To do this, you need to first add a handler to the ConfigurationCreated event:
    using System;
    using System.Web.Mvc;
    using System.Web.Routing;
    using Microsoft.IdentityModel.Web;
    using Microsoft.IdentityModel.Web.Configuration;

    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        RegisterRoutes(RouteTable.Routes);

        // The WS-Federation module is not available yet at Application_Start;
        // wait for WIF to finish building its configuration before hooking it.
        FederatedAuthentication.ServiceConfigurationCreated +=
            new EventHandler<ServiceConfigurationCreatedEventArgs>(FederatedAuthentication_ServiceConfigurationCreated);
    }

    void FederatedAuthentication_ServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // Now the module exists; subscribe to the event raised just before the passive redirect.
        var m = FederatedAuthentication.WSFederationAuthenticationModule;
        m.RedirectingToIdentityProvider +=
            new EventHandler<RedirectingToIdentityProviderEventArgs>(m_RedirectingToIdentityProvider);
    }

    void m_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // Customize the outgoing sign-in request, e.g. set the home realm (whr) to pick the identity provider.
        var sim = e.SignInRequestMessage;
        sim.HomeRealm = "Google";
    }
This works with the standard Authorize attribute.
If this extensibility point is not enough, then you can write your own attribute to have full control of the process.
Look at sample #3 or #7. Not MVC3, but on MVC2 and very close to what you are doing. http://claimsid.codeplex.com
The process is described here:
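For the "write your own attribute" route mentioned in the answer, here is an added example (not code from the question, the answer, or the claimsid samples) of an MVC3 authorize attribute that sends unauthenticated users to the site's own login page instead of letting WIF's passive redirect send them to the ACS page. The attribute name `LocalLoginAuthorizeAttribute`, the `~/Account/Login` route, the `Login` action, the `provider` parameter and its mapping to a home realm are all assumptions for illustration. The return URL is checked to be a local path before it is placed in the query string, so the login page cannot be turned into an open redirector; an authenticated user who simply lacks the required role gets a 403 rather than another round trip to the login page.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Web;

// Hypothetical attribute: drop-in replacement for [Authorize] that keeps users on the local login page.
public class LocalLoginAuthorizeAttribute : AuthorizeAttribute
{
    // Assumed route of the custom login page.
    public string LoginUrl { get; set; }

    public LocalLoginAuthorizeAttribute()
    {
        LoginUrl = "~/Account/Login";
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;

        if (http.User != null && http.User.Identity.IsAuthenticated)
        {
            // Signed in but not authorized (role/user mismatch): fail closed, do not bounce to login again.
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }

        // Only a local path is allowed as the return URL; anything else falls back to the site root.
        string returnUrl = http.Request.RawUrl;
        if (!IsLocalUrl(returnUrl))
        {
            returnUrl = "/";
        }

        string target = VirtualPathUtility.ToAbsolute(LoginUrl)
                        + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        filterContext.Result = new RedirectResult(target);
    }

    // Accepts "/path..." but rejects "//host", "/\host" and absolute URLs (open-redirect vectors).
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/')
        {
            return false;
        }
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }
}

// Hypothetical controller backing the custom login page. After the user picks a provider on the
// local page, the action builds the WS-Federation sign-in request itself and sets whr, so the
// ACS home realm discovery page is never shown.
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        // Render the site's own login view (assumed to exist) listing the available providers.
        ViewBag.ReturnUrl = LocalLoginAuthorizeAttribute.IsLocalUrl(returnUrl) ? returnUrl : "/";
        return View();
    }

    [HttpPost]
    public ActionResult Login(string provider, string returnUrl)
    {
        // Assumed mapping from a form value to the ACS identity provider name used as whr.
        string homeRealm;
        switch (provider)
        {
            case "google": homeRealm = "Google"; break;
            case "live": homeRealm = "uri:WindowsLiveID"; break;
            default: return new HttpStatusCodeResult(400);
        }

        string safeReturn = LocalLoginAuthorizeAttribute.IsLocalUrl(returnUrl) ? returnUrl : "/";

        var fam = FederatedAuthentication.WSFederationAuthenticationModule;
        var signIn = fam.CreateSignInRequest(Guid.NewGuid().ToString(), safeReturn, false);
        signIn.HomeRealm = homeRealm;

        // Redirect straight to the issuer with whr set; the RedirectingToIdentityProvider
        // handler from the answer is not needed on this path because the message is built here.
        return new RedirectResult(signIn.WriteQueryString());
    }
}
```

Because the return URL is validated both when the attribute issues the redirect and again when the login action consumes it, a crafted `ReturnUrl` pointing off-site is discarded rather than honoured after sign-in, and the 403 branch avoids the redirect loop that a plain forms-auth redirect produces for authenticated users who are merely not in the required role.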