[Announcement] WsFederation 2.0.0-preview1 out of band release #1473
Wonderful....! Yay...!

Hi,
This is my metadata file. Anyone can help me?

I've got the same issue as @gtresoldi with an ADFS on Windows Server 2012 R2.
Should we file a separate issue for this problem or is there any other solution? Thanks & best regards,

@gtresoldi @Compufreak345 I've filed AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#786 for your parser issue.

@Tratcher FYI, same parser issue as above.

Great news :)

@Tratcher Looks like I am getting the same parser issue too.

Any timeline for wsignoutcleanup1.0 support?
@Tratcher Kinda, when our single sign-on provider wants to sign out all the sub applications, each application gets a SignoutCleanup action. For now I'm doing something like this inside the WsFederationHandler HandleRemoteAuthenticateAsync:

```csharp
// Handle SignoutCleanup (wa=wsignoutcleanup1.0) before the normal sign-in processing
if (Request.Query.TryGetValue("wa", out var wa))
{
    if (wa == WsFederationConstants.WsFederationActions.SignOutCleanup)
    {
        // Clear the local session that was created under the sign-in scheme
        await _authenticationService.SignOutAsync(Request.HttpContext, Options.SignInScheme, null);
        // Tell the remote handler the request has been fully handled (no ticket produced)
        return HandleRequestResult.Handle();
    }
}
```

You could do something similar with middleware etc., but we already have a custom WsFederation fork to support dotnetcore. (Soon as all features are met we can remove our custom proj.)
Is there any guidance on how we could share FedAuth cookies between existing ASP.NET full framework applications and ASP.NET Core apps? As far as I can see this just enables an ASP.NET Core application to authenticate against a WSFed STS. We are looking for a way to re-use existing FedAuth cookies so that we can move part of our applications to ASP.NET Core without having to rewrite existing code.

@jmezach It depends on what components your ASP.NET apps were using. If it was the Microsoft.Owin WsFederation provider then there is a way to share cookies.
I get this error when I start the application. It is not able to complete the configuration from Federation Metadata. If I enter the metadata URL in the browser I am able to see the XML, but the only issue I see is that there is a certificate error, which I override in the browser. Would that be an issue causing this? My config:
----------------------Errors-----------------------------

@arc2018 yes, https cert errors are expected to fail the metadata download. However, that's a strange inner exception. I've asked @brentschmaltz about it on your other thread. To ignore cert errors you need to hook into the backchannel like this:
@Tratcher thank you for your response.

Please reopen your AzureAd bug then. They can investigate the exception.

@Tratcher thank you. I reopened it.

I'm getting a similar issue as @arc2018. Is it possible to bypass the metadata XML file retrieval and configure this thing manually?

Yes, you can set the options.Configuration property, but building it by hand is non-trivial. If you manage, please share a sample.
@Tratcher @lzandman

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Protocols.WsFederation;
using Microsoft.IdentityModel.Tokens;

// Created our own custom WsFederationSettings dto
public class WsFederationSettings
{
    public string Issuer { get; set; }
    public string TokenEndpoint { get; set; }
    // Base64-encoded DER certificates (public part only) used to validate token signatures
    public IEnumerable<string> SigningKeys { get; set; }
    public string Realm { get; set; }
}

// Inside AddWsFederation(o => { ... }):
// Load from section "WsFederation" in our appsettings.json file
var settings = Configuration.GetSection("WsFederation").Get<WsFederationSettings>();
var config = new WsFederationConfiguration
{
    Issuer = settings.Issuer,
    TokenEndpoint = settings.TokenEndpoint,
};
foreach (var signKey in settings.SigningKeys)
{
    var cert = new X509Certificate2(Convert.FromBase64String(signKey));
    var key = new X509SecurityKey(cert);
    config.SigningKeys.Add(key);
}
// Supplying Configuration directly skips the metadata download entirely
o.Configuration = config;
o.Wtrealm = settings.Realm;
o.TokenValidationParameters = new TokenValidationParameters
{
    ValidAudience = settings.Realm
};
// rest of your options
```
I'm new to ADFS, I'm trying to configure my application using the WsFederation 2.0.0-preview2. The same ADFS config works with an ASP.NET web app using WIF. Could someone please share a complete working example using WsFederation 2.0.0-preview2? It's a .NET Core SPA; all I wanted to do is to allow users with a valid token. It's a very simple application and there's no sign out page.

Sorry.. I didn't use

SignOutWreply works but may be confusing when it defaults to Wreply, which defaults to CallbackPath.
Thanks @Tratcher that worked a treat for setting the whr value.

```csharp
private static Func<RedirectContext,Task> OnRedirectToIdentityProvider(string whrValue)
```
https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.WsFederation/2.0.0 is now available. Enjoy 😀

@Veikedo is there a way to let

@fitzchak I think you don't need it because it should be implemented on the client side.

@Veikedo I have a regular account/login action which should be accessible. I solved this by changing the middleware to authenticate just the static related info, so regular MVC would be authenticated against the existing authentication.

I'm getting the same endless loop bug as @epot, did you ever find a fix?

@mshindal please open a new issue and share your Startup config and a Fiddler trace.

@mshindal no I am still stuck, this prevents me from migrating for the moment.

I'm getting stuck in a redirect loop when using the 2.0.3 version of the WsFederation package. Everything works fine loading the site in a normal browser, but we get stuck in the loop when using the site in an IFRAME (unfortunately, I have to do this, long story). Looking at the server, requests are logged with "Authorization failed for user: (null)".

@locutus80 please open a new issue with the details. A Fiddler trace, Startup code, etc.
I'm a little stuck with the Events. The only event that works for me is OnRedirectToIdentityProvider, but after a successful login, OnSecurityTokenValidated, OnMessageReceived and OnTicketReceived never get called. Is there a setting that I am missing or is there a different way to set up the handlers? Here is my set up code.

```csharp
services.AddAuthentication(sharedOptions =>
```

Regards,
@ready1 I copied your events code into my sample in dev https://github.com/aspnet/Security/tree/dev/samples/WsFedSample and it worked fine, all the events were hit. I double checked the 2.0 code and I don't think anything has changed since then. Nor should your custom config or TVP settings affect this. I assume you ran it locally under the debugger?

@Tratcher Thank you for your response. I am running locally under the debugger but it is not doing what is expected with the callback. Could this problem be caused by the endpoint? How can I pinpoint what is causing the callback not to be called?

Do you have UseAuthentication in your Startup.Configure method? In what order?

@Tratcher We have found that the callback only triggers if the replyto ends with '/signin-wsfed' and not '/'.
I am stuck with getting an auth token for web API authentication, using wsfed.
I need to have both OpenID and WsFed integrated, with the same behaviour. Tried with OnSecurityTokenReceived as well as OnTicketReceived events, but not able to get an auth code or token for web API authentication. Need the above behaviour in one of these places, but not getting where!!
I am getting claims in OnTicketReceived with context.Principal.Identity. Has anyone done this before? Or can anyone please help?

@AnshulKhandelwal02 for wsfed, you will receive a token directly. The OnTicketReceived has the details.

@brentschmaltz yes, achieved that with code.

Still the issue I am facing is to get the web API authenticated with the bearer token received from web authentication.
I have added permissions of WebAPI on WebAPP in the Azure portal, and also vice-versa. Am I missing something here? Or am I trying to achieve something which is not possible with WsFed?
We periodically close 'discussion' issues that have not been updated in a long period of time. We apologize if this causes any inconvenience. We ask that if you are still encountering an issue, please log a new issue with updated information and we will investigate. |
WsFederation preview support is now available for ASP.NET Core 2.0.0. The Microsoft.AspNetCore.Authentication.WsFederation 2.0.0-preview1 package is available at https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.WsFederation/. This is a standalone preview that targets netstandard2.0 and should work with existing ASP.NET Core 2.0.0 applications (.NET Core 2.0 or .NET 4.6.1). A non-preview ASP.NET Core 2.0.0 compatible package will follow once we’ve addressed your feedback.
The code is available at https://github.com/aspnet/security/tree/rel/2.0.0-ws-preview1 and issues can be filed at https://github.com/aspnet/security/issues. Please give us a 👍 from the reactions menu on this post if you have successfully used this component and are ready for the final release.
This component is a port from Microsoft.Owin.Security.WsFederation and uses many of the same mechanics. It has also been updated to integrate with ASP.NET Core 2.0’s authentication model. See the samples below.
Aside from updating the usage pattern to match ASP.NET Core, there are also some functional changes to be aware of.
A. This component no longer checks every form post request for sign-in messages by default. Sign-in callbacks are restricted to the "/signin-wsfed" path by default. The CallbackPath can be changed to the application root “/” used by some auth providers if you also enable SkipUnrecognizedRequests to allow sharing that request path with other components.
B. This component no longer allows unsolicited logins by default. That WsFederation protocol feature is susceptible to XSRF attacks. See the AllowUnsolicitedLogins option to opt into that feature if your application requires it.
Samples:
For applications only using WsFederation (similar to using OpenIdConnect):
For applications using WsFederation with Identity:
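As an added example (not part of this announcement, the aspnet/Security samples, or any commenter's code), here is a Startup that makes the two functional changes above explicit in configuration and wires the events discussed in the comments, including the whr home-realm hint from the OnRedirectToIdentityProvider snippet earlier in the thread. The metadata URL, realm and whr value are placeholders; the rejection of tokens that carry no name claim in OnSecurityTokenValidated is an illustrative local policy, not something the package requires.

```csharp
// Added example: WsFederation 2.0 with the announcement's defaults written out.
// All hostnames, the realm and the whr value are placeholders.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddAuthentication(sharedOptions =>
        {
            // Local session lives in a cookie; an unauthenticated request is challenged via WS-Fed.
            sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
        .AddWsFederation(options =>
        {
            // Placeholders: the STS federation metadata and the realm registered for this relying party.
            options.MetadataAddress = "https://sts.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml";
            options.Wtrealm = "https://app.example.invalid/";

            // (A) Sign-in responses are only processed on this path. The reply address
            // registered at the STS must end with it; a reply of "/" is ignored unless
            // CallbackPath is "/" and SkipUnrecognizedRequests is true.
            options.CallbackPath = "/signin-wsfed";
            options.SkipUnrecognizedRequests = false;

            // (B) A token posted without a matching outgoing challenge (no correlation
            // cookie) is rejected. Leave this false unless the STS must initiate sign-in.
            options.AllowUnsolicitedLogins = false;

            options.Events = new WsFederationEvents
            {
                // Add the whr hint to sign-in redirects only; sign-out messages are left untouched.
                OnRedirectToIdentityProvider = context =>
                {
                    if (context.ProtocolMessage.IsSignInMessage)
                    {
                        context.ProtocolMessage.Whr = "contoso.example.invalid"; // placeholder
                    }
                    return Task.CompletedTask;
                },

                // Runs after signature, issuer and audience validation, before the cookie is issued.
                // Illustrative local policy: refuse a principal the app cannot name.
                OnSecurityTokenValidated = context =>
                {
                    if (string.IsNullOrEmpty(context.Principal?.Identity?.Name))
                    {
                        context.Fail("Token did not carry a name claim.");
                    }
                    return Task.CompletedTask;
                },

                // Last hook before the sign-in scheme persists the ticket; ReturnUri is the
                // page the user originally requested.
                OnTicketReceived = context =>
                {
                    context.Properties.IsPersistent = false;
                    return Task.CompletedTask;
                }
            };
        })
        .AddCookie();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC so the callback path is handled first.
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

If sign-in redirects arrive but none of the later events fire, the first thing to compare is the reply address configured at the STS against CallbackPath: a reply that ends in "/" instead of "/signin-wsfed" is not recognised as a callback and the handler simply falls through, which is the symptom reported in this thread.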