New docs for WS-Federation auth

[Tratcher]

1. Write a short paragraph describing what the topic will cover.
   WsFederation is a new authentication handler that has been ported from Microsoft.Owin / ASP.NET 4.5. It is being released out of band against ASP.NET Core 2.0.0 dependencies. See [Announcement] WsFederation 2.0.0-preview1 out of band release aspnet/Security#1473.

2. Write an outline of the proposed topic contents.
   There should be a walk through similar to these: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/

3. Where would you put the topic in the Table of Contents.
   https://docs.microsoft.com/en-us/aspnet/core/security/authentication/

[KoalaBear84]

Has this any relation to SAML 2.0? That's what I'm currently waiting for to be able to use .NET Core 2.0. Thanks!

[Tratcher]

Like these? They're included.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/master/src/System.IdentityModel.Tokens.Saml/Saml2SecurityTokenHandler.cs

[KoalaBear84]

Thanks, I will look into it! :)

[Rick-Anderson]

@scottaddie can you schedule this in the next 3 sprints?

[scottaddie]

@Rick-Anderson No problem. I should have the bandwidth to tackle this in Sprint 129.

[chlowell]

@scottaddie any update on timing and content for this? I hear lots of customer interest around authenticating with ADFS, it would be great to have a doc covering how to do that with this middleware.

[scottaddie]

@chlowell As discussed via email, we're happy to accept any content from you on this topic to expedite things. Let us know if you're interested.

[Tratcher]

FYI: the out of band 2.0.0 component has been released. Expect more interest in this topic.

[chlowell]

@scottaddie I'm interested--I'll get started on a short tutorial, probably highlighting ADFS because AAD scenarios are already documented.

@Tratcher These are the important differences vs. the OWIN middleware I'm aware of:

• by default, all form posts are no longer checked for sign-in messages
• allowing unsolicited logins is now opt-in
• encrypted tokens are not (yet) supported

Do you think anything else is worth calling out in the doc?

[Tratcher]

@chlowell that sounds like a good start. See the writeup at aspnet/Security#1473. Specifically mention the CallbackPath and it's default value /signin-wsfed. Also discourage the use of the Wreply Property, CallbackPath is better in most cases.

Note single-signout support has also been added.