Windows Identity Foundation (WIF) & Azure AppFabric Access Control Service (ACS) v2 - Mapping User to ASP.NET Profile In Claims Aware Applications

I have captured quick steps for creating a claims-aware ASP.NET Web Site that uses the ASP.NET Profile feature.

  • Open VS 2010 in elevated mode as Administrator. This is needed for WIF integration.
  • File -> New -> Web Site. Give it a name, https://localhost/ClaimsMappedToProfile.
  • Configure IIS to load the user profile.
  • Click on Website, and then on ASP.NET Configuration on the menu.
  • IE should open the ASP.NET Web Site Administration Tool.
  • Click on the Provider tab.
  • Click on the "Select a single provider for all site management data" link.
  • Click on the Test link next to AspNetSqlProvider. You should see the "Successfully established a connection to the database" message. Click OK to dismiss it.
  • Add the following entries to the web.config.

<profile enabled="true" defaultProvider="AspNetSqlProfileProvider">
       <providers>
             <clear/>
             <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
       </providers>
       <properties>
             <add name="PostalCode" type="System.String"/>
       </properties>
</profile>

  • Add Textbox, Button, and Label controls to the Default.aspx page.
  • Add the following code to the page’s code behind:

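// Name of the authenticated user, taken from the claims identity WIF builds.
string user = string.Empty;

protected void Page_Load(object sender, EventArgs e)
{
    user = User.Identity.Name;
}

protected void Button1_Click(object sender, EventArgs e)
{
    // Store the postal code in the profile of the current user.
    Profile.PostalCode = Server.HtmlEncode(TextBox1.Text);
}

protected override void OnPreRender(EventArgs e)
{
    base.OnPreRender(e);
    // The name comes from an external IdP and Label.Text is not encoded
    // automatically, so encode it before writing it to the page.
    Label1.Text = Profile.PostalCode + " " + Server.HtmlEncode(user);
}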

  • Go to ACS and get the WS-Federation metadata URL.
  • In Visual Studio 2010, run FedUtil by right-clicking on the project and choosing Add STS reference…
  • Provide the WS-Federation metadata URL obtained from the ACS management portal.
  • Test your work by running the application and getting authenticated by different IdPs.
  • NOTE: if you have the same name on different IdPs, you will get the same profile data for both, because the profile is looked up by User.Identity.Name. If you store sensitive data in the ASP.NET profile, it might introduce a security breach.
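
One way to avoid the collision described in the NOTE is to key the profile on the identity provider plus the user's name identifier instead of the display name. The following is an added example, not code from the original post: the FederatedProfile class and its methods are hypothetical names, and it assumes the ACS rule group passes through the nameidentifier claim and that the token carries ACS's identityprovider claim.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web.Profile;
using Microsoft.IdentityModel.Claims;

// Hypothetical helper (added example): one profile per (IdP, user) pair.
public static class FederatedProfile
{
    // Claim type ACS v2 uses to name the identity provider that authenticated the user.
    const string IdentityProviderClaim =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    public static string GetProfileKey(IClaimsIdentity identity)
    {
        string idp = Single(identity, IdentityProviderClaim);
        string nameId = Single(identity, ClaimTypes.NameIdentifier);

        // Length-prefix the IdP so ("ab", "c") and ("a", "bc") cannot produce
        // the same key, then hash so the key has a fixed length that fits the
        // profile provider's user name column.
        string material = idp.Length + ":" + idp + nameId;
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(material));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Loads the profile stored under the composite key rather than User.Identity.Name.
    // Usage in the page: ProfileBase p = FederatedProfile.Load((IClaimsIdentity)User.Identity);
    //                    p.SetPropertyValue("PostalCode", value); p.Save();
    public static ProfileBase Load(IClaimsIdentity identity)
    {
        return ProfileBase.Create(GetProfileKey(identity), true);
    }

    static string Single(IClaimsIdentity identity, string claimType)
    {
        // Fail closed: a missing or duplicated claim must not fall back to the display name.
        Claim[] matches = identity.Claims.Where(c => c.ClaimType == claimType).ToArray();
        if (matches.Length != 1 || string.IsNullOrEmpty(matches[0].Value))
            throw new InvalidOperationException("Expected exactly one claim: " + claimType);
        return matches[0].Value;
    }
}
```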