Federated authentication example
This example lets partner employees access resources in another partner's domain through single sign-on. There are three main roles in the federation scheme: identity providers, claims providers, and relying parties. WIF provides an API for building all three roles.
Figure 15-11 illustrates a typical federated authentication scenario, in which a Fabrikam employee wants to access a contoso.com resource without having to log on again, i.e. using single sign-on.
Figure 15-11 Federated authentication
The fictitious users who participate in this scenario are:
- Frank: A Fabrikam employee who wants to access Contoso resources.
- Daniel: The Contoso application developer who implements the necessary changes in the application.
- Adam: The Contoso IT administrator.
The components involved in this scenario include:
- Web1: A parts-ordering Web application, built with ASP.NET, that controls access to its parts-related resources.
- STS1: An STS that acts as the claims provider for contoso.com and can issue the claims the application (Web1) expects. It has established trust with fabrikam.com and is configured to allow access to Fabrikam employees.
- STS2: An STS that acts as the identity provider for fabrikam.com, providing an endpoint for authenticating Fabrikam employees. It has established trust with contoso.com so that Fabrikam employees can access contoso.com resources.
As shown in Figure 15-4, the process in this scenario is as follows:
1) Contoso administrator Adam configures the trust between the application (RP) and STS1.
2) Contoso administrator Adam configures the trust with STS2 as the identity provider.
3) Fabrikam administrator Frank configures the trust with STS1 as the claims provider, and then accesses the application.
The following is a brief procedure for implementing federated authentication.
Step 1: Set up the claims provider.
contoso.com administrator Adam has three options:
- Install an STS product, such as ADFS 2.0.
- Subscribe to a cloud STS product, such as the LiveID STS.
- Build a custom STS using WIF.
The option is chosen based on business needs, schedule, availability of technical resources, budget, and so on. For this example scenario, we assume that Adam selects option 1 and installs ADFS 2.0 as the RP-STS, following the ADFS 2.0 product documentation.
Step 2: Install WIF.
Add the code shown in listing 15-3 to enumerate the claims.
Code listing 15-3 Enumerating claims
    using System.Threading;
    using Microsoft.IdentityModel.Claims;

    // Get access to the IClaimsIdentity of the current principal
    IClaimsIdentity claimsIdentity = ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];

    foreach (Claim claim in claimsIdentity.Claims)
    {
        // Before using the claim, validate that this is an expected claim.
        // If it isn't in the expected claims list then ignore the claim.
        if (expectedClaims.Contains(claim.ClaimType))
        {
            // Write out the claim, or use the claim as needed by the application logic
            WriteClaim(claim, table);
        }
    }
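The following is an added example (not code from the book or from the blog post) that extends the idea of listing 15-3: a claim is used only if its type is on the expected list and it was issued by the trusted STS (STS1), so a claim of the right type from an untrusted issuer is still ignored. It assumes WIF 1.0 (Microsoft.IdentityModel.dll referenced); the issuer URI and the sample claims are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

public static class ClaimFilter
{
    // Returns only the claims whose type is in expectedTypes AND whose issuer
    // is the trusted STS. Everything else is dropped before application logic sees it.
    public static IList<Claim> FilterExpectedClaims(
        IEnumerable<Claim> claims, ISet<string> expectedTypes, string trustedIssuer)
    {
        return claims
            .Where(c => expectedTypes.Contains(c.ClaimType))
            .Where(c => string.Equals(c.Issuer, trustedIssuer, StringComparison.Ordinal))
            .ToList();
    }

    public static void Main()
    {
        // Placeholder issuer name for STS1 (constructed, not a real endpoint)
        const string sts1 = "http://sts1.contoso.com/trust";
        var expected = new HashSet<string> { ClaimTypes.Name, ClaimTypes.Role };

        // Constructed sample identity: two acceptable claims, one unexpected
        // claim type, and one role claim from an issuer the RP does not trust.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "frank", ClaimValueTypes.String, sts1),
            new Claim(ClaimTypes.Role, "PartsOrderer", ClaimValueTypes.String, sts1),
            new Claim(ClaimTypes.Email, "frank@fabrikam.com", ClaimValueTypes.String, sts1),
            new Claim(ClaimTypes.Role, "Admin", ClaimValueTypes.String, "http://untrusted.example/"),
        });

        // Only the Name claim and the PartsOrderer role claim survive the filter.
        foreach (Claim claim in FilterExpectedClaims(identity.Claims, expected, sts1))
        {
            Console.WriteLine("{0} = {1} (issuer: {2})", claim.ClaimType, claim.Value, claim.Issuer);
        }
    }
}
```

In a deployed RP the issuer is normally also checked by WIF during token validation; the filter above is the application-level check applied to the claims the application actually consumes.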
Step 3: Establish trust from the relying-party application to the STS.
Daniel uses the Federation Utility tool to establish trust from the RP application to the STS. The tool also generates metadata for the RP application and places the XML file (metadata.xml) in the RP application's folder. The information about the STS (STS1) in the RP application's Web.config file is updated automatically.
Step 4: Configure the relying-party application at the claims provider.
Adam establishes trust with the RP application by following the ADFS 2.0 product documentation.
Step 5: Configure the identity provider (IP) at Fabrikam.
fabrikam.com administrator Frank has three options:
- Purchase and install an STS product, such as ADFS 2.0.
- Subscribe to a cloud STS product, such as the LiveID STS.
- Build a custom STS using WIF.
For this example scenario, assume that Frank selects option 1 and installs ADFS 2.0 as the IP-STS. Frank also establishes trust with contoso.com as the claims provider, following the ADFS 2.0 product documentation.
Step 6: Access the Web application.
Frank logs on to the Fabrikam system as a Fabrikam domain user. He then opens a browser and requests the contoso.com RP application page. Because a federated authentication trust has been established between Fabrikam and Contoso, Frank can now access Contoso's resources without having to authenticate again.
The steps above are not exhaustive, but the scenario should give the reader a complete conceptual understanding of federated authentication.
Note: This part of the text is adapted from ".NET Security Secrets".
Author: Hyun-Soul
Source: http://www.cnblogs.com/xuanhun/