Dec 5, 2010

A custom STS in .NET, Part 3: Passively cool(ed?)

You should now have a basic web app project with some default files pasted in — wait, you did follow along in the first post, right? Do you know where you are?

In the Default.aspx.cs code-behind file we copied over should be some really basic code in a PreRender event handler method for capturing and responding to WSFed actions. Whatever it has now, you'll want to modify it slightly (or entirely) to look more like the following:

using System;
using System.Globalization;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Web;

protected void Page_PreRender(object sender, EventArgs e)
{
    // The "wa" query string parameter tells us what the relying party wants
    // (wsignin1.0 or wsignout1.0).
    string action = Request.QueryString[WSFederationConstants.Parameters.Action];

    try
    {
        if (action == WSFederationConstants.Actions.SignIn)
        {
            // Process signin request.
            SignInRequestMessage requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(Request.Url);
            if (User != null && User.Identity != null && User.Identity.IsAuthenticated)
            {
                // Windows authentication has already identified the user, so issue the token
                // and let WIF POST the response back to the relying party.
                SecurityTokenService sts = new CustomSecurityTokenService(CustomSecurityTokenServiceConfiguration.Current);
                SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, User, sts);
                FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(responseMessage, Response);
            }
            else
            {
                throw new UnauthorizedAccessException();
            }
        }
        else if (action == WSFederationConstants.Actions.SignOut)
        {
            // Process signout request.
            SignOutRequestMessage requestMessage = (SignOutRequestMessage)WSFederationMessage.CreateFromUri(Request.Url);
            FederatedPassiveSecurityTokenServiceOperations.ProcessSignOutRequest(requestMessage, User, requestMessage.Reply, Response);
        }
        else if (!String.IsNullOrEmpty(action))
        {
            // Anything other than signin/signout is a protocol error.
            throw new InvalidOperationException(
                String.Format(CultureInfo.InvariantCulture,
                    "The action '{0}' (Request.QueryString['{1}']) is unexpected. Expected actions are: '{2}' or '{3}'.",
                    action,
                    WSFederationConstants.Parameters.Action,
                    WSFederationConstants.Actions.SignIn,
                    WSFederationConstants.Actions.SignOut));
        }
    }
    catch (Exception exception)
    {
        throw new Exception("An unexpected error occurred when processing the request. See inner exception for details.", exception);
    }
}


Nothing too fancy, as it is mostly stolen from the WIF examples. If you were allowing external users or some other means of authenticating, you could redirect to a login page (or similar) from the SignIn block. Since we're relying on Windows and a domain to manage authentication, we'll assume it has already been handled, hence the check of IsAuthenticated.
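
As an added example (not code from the original post), here is what that SignIn block looks like when the STS uses a login page instead of Windows authentication. It assumes a Login.aspx page in the STS web app that signs the user in with FormsAuthentication and honours the ReturnUrl parameter; the full WS-Federation query string is carried along so the same sign-in request is replayed once the user is authenticated.

```csharp
using System;
using System.Web;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Web;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_PreRender(object sender, EventArgs e)
    {
        string action = Request.QueryString[WSFederationConstants.Parameters.Action];
        if (action != WSFederationConstants.Actions.SignIn)
        {
            return; // signout and unknown actions are handled as in the handler above
        }

        // Parses wa/wtrealm/wreply/wctx and throws if the query string is malformed,
        // so a bad request fails before we bounce anyone to the login page.
        SignInRequestMessage requestMessage =
            (SignInRequestMessage)WSFederationMessage.CreateFromUri(Request.Url);

        if (User == null || User.Identity == null || !User.Identity.IsAuthenticated)
        {
            // Not signed in yet: send the browser to the (assumed) Login.aspx and keep the
            // complete WS-Federation request as ReturnUrl so it comes straight back here.
            string returnUrl = HttpUtility.UrlEncode(Request.Url.PathAndQuery);
            Response.Redirect(ResolveUrl("~/Login.aspx") + "?ReturnUrl=" + returnUrl, true);
            return;
        }

        // Authenticated: issue the token and let WIF POST it back to the relying party.
        // The realm (wtrealm) and reply address (wreply) are handed to
        // CustomSecurityTokenService.GetScope, which decides where the response goes,
        // so only realms the STS configuration knows about should get a token.
        SecurityTokenService sts =
            new CustomSecurityTokenService(CustomSecurityTokenServiceConfiguration.Current);
        SignInResponseMessage responseMessage =
            FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, User, sts);
        FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(responseMessage, Response);
    }
}
```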



The CustomSecurityTokenService and CustomSecurityTokenServiceConfiguration classes should have come from the code we copied over before. We'll be modifying them in a later step. For now they are mostly boilerplate with some hard-coded values, which is fine at the moment since we're focusing on getting it to respond to passive requests first.



If it compiles and you run it, not much will happen; you really need another web site to test it with. You can use an existing one if you like or create a simple one from scratch. Personally I prefer to use the Fabrikam Airlines sample, which ships with the source of the SecurityTokenVisualizer control, something you really should get for testing anyway. You can easily modify the sample web site to point at your new STS web app and quickly see what kind of token (or error, if it blows up) you get back in the visualizer.



This is where things can get tricky, as you'll need to run both simultaneously. I find it is sometimes easier to host the STS with your local IIS rather than have them all running under the built-in ASP.NET web server. This also gives you better control over authentication settings (anonymous, integrated, etc.).



Provided you’ve ironed out the kinks and got it compiled and running, you should be able to see the forwarding happening and the simple token it creates. Voilà! Of course, right now it’s no more useful than the basic STS generated by FedUtil…
