Claims Identity Guide samples updated
I’ve just uploaded to CodePlex updated samples for the Claims based Identity Guide. These have all been adapted to work on Visual Studio 2010, .NET 4.0 and MVC 2.0. See here for downloading the bits.
From the release notes:
Required configuration changes for IIS, DevFabric and Windows Azure
Both solutions, 1-SingleSignOn and 5-WindowsAzure, include the a-expense.ClaimsAware project.
That project is configured by default to run hosted in IIS, but solution 5-WindowsAzure runs it in a different environment (DevFabric and Windows Azure).
The changes required for each environment are documented in the comments of the microsoft.identityModel section of the web.config of the a-expense.ClaimsAware project.
Cookies encrypted using RSA
As recommended in the guide, the federation session cookies are now encrypted and signed with RSA. WIF's default session token handler protects the cookie with DPAPI, which is bound to the machine that issued it, so a cookie written by one server in a web farm cannot be read by another. Using a certificate that is installed, with its private key, on every node removes that limitation and lets the involved sites run in web farm scenarios. This involves the following changed lines from the previous release:
In global.asax.cs (usings added for the types involved; the "..." is the rest of Application_Start, unchanged):

using System.Collections.Generic;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

protected void Application_Start()
{
    // Hook the WIF configuration event so the session token handler can be
    // replaced before the first request is processed.
    FederatedAuthentication.ServiceConfigurationCreated += this.OnServiceConfigurationCreated;
    ...
}

private void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    // Transforms run in this order when the cookie is written (and in reverse when
    // it is read): compress, then encrypt, then sign, all with the service
    // certificate configured in web.config.
    List<CookieTransform> sessionTransforms =
        new List<CookieTransform>(
            new CookieTransform[]
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
                new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
            });

    // Replace the default (DPAPI-based, machine-bound) session handler with one
    // that uses the RSA transforms above.
    SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}
These are exactly the same settings we use in the Windows Azure Architecture Guide.
In web.config (the certificate is looked up in the LocalMachine\My store unless storeLocation and storeName say otherwise; CN=localhost is the development certificate, and in production the certificate you reference must be present with its private key on every server, readable by the application pool identity):

<configuration>
  ...
  <microsoft.identityModel>
    ...
    <service>
      ...
      <serviceCertificate>
        <certificateReference x509FindType="FindBySubjectDistinguishedName" findValue="CN=localhost"/>
      </serviceCertificate>
    </service>
  </microsoft.identityModel>
</configuration>
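Because the RSA transforms need the private key, the usual failures in a farm (a certificate imported as public key only, or a private key the application pool identity cannot read) only surface at the first sign-in. The following start-up check, which is an added example and not code from the guide's samples, performs the same lookup the certificateReference above describes and fails fast with a message that names the actual cause. The class and method names are my own; call it from Application_Start with the findValue from web.config.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical helper, not part of the a-expense.ClaimsAware sample):
// verifies that the certificate referenced by <serviceCertificate> can be used by
// RsaEncryptionCookieTransform and RsaSignatureCookieTransform on this node.
public static class ServiceCertificateCheck
{
    // subjectDn is the findValue from web.config, e.g. "CN=localhost".
    // Store defaults match WIF's certificateReference defaults (LocalMachine\My).
    public static X509Certificate2 FindUsable(
        string subjectDn,
        StoreName storeName = StoreName.My,
        StoreLocation storeLocation = StoreLocation.LocalMachine)
    {
        X509Store store = new X509Store(storeName, storeLocation);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // Same lookup as x509FindType="FindBySubjectDistinguishedName".
            // validOnly:false mirrors WIF, which does not require a trusted chain
            // for the service certificate (the dev cert is self-signed).
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDn, validOnly: false);

            if (found.Count == 0)
            {
                throw new InvalidOperationException(
                    "No certificate with subject '" + subjectDn + "' in " + storeLocation + "\\" + storeName + ".");
            }
            if (found.Count > 1)
            {
                throw new InvalidOperationException(
                    found.Count + " certificates match '" + subjectDn + "'; the reference must identify exactly one.");
            }

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
            {
                throw new InvalidOperationException(
                    "Certificate '" + subjectDn + "' was imported without its private key; " +
                    "the RSA cookie transforms cannot encrypt or sign with it.");
            }

            AsymmetricAlgorithm key;
            try
            {
                // Reading PrivateKey makes the CSP open the key container; a
                // CryptographicException here means this process identity has no
                // read permission on the key file.
                key = cert.PrivateKey;
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "Private key of '" + subjectDn + "' is not readable by this process identity; " +
                    "grant the application pool account read access to the key.", ex);
            }

            if (!(key is RSA))
            {
                throw new InvalidOperationException(
                    "Certificate '" + subjectDn + "' does not carry an RSA key; the RSA cookie transforms require one.");
            }

            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Run the same check on every node of the farm: each server must find exactly one matching certificate with a readable RSA private key, otherwise cookies issued by that node will be unreadable by the others.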
Request validation in ASP.NET 4
ASP.NET request validation checks, by default, that the values posted to the web application do not contain markup that could be used for script injection. An XML document that is not encoded is considered dangerous, and a WS-Federation sign-in response delivers the security token as exactly that: an unencoded XML document POSTed in the wresult form field. In ASP.NET 4 the validation also runs earlier in the pipeline than it did in ASP.NET 2.0, so the token POST is rejected before WIF gets a chance to process it. To avoid the exception, the sample adds a class that checks whether the input is indeed a security token. If it is, the class returns true and the request continues; if not, it falls back to the standard validator, which throws the regular "A potentially dangerous Request.Form value was detected..." exception. (Setting requestValidationMode="2.0" on httpRuntime would also make the POST work, but it relaxes validation for the whole application; the custom validator exempts only the token field.)
The class WsFederationRequestValidator has been added for this purpose and is enabled through the following web.config line. The attribute value is a type name: if the class lives in a namespace or in a separate assembly rather than in App_Code, use the qualified form, e.g. "Namespace.WsFederationRequestValidator, AssemblyName".

<system.web>
  <httpRuntime requestValidationType="WsFederationRequestValidator" />
</system.web>
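The validator the configuration line above enables, written here as an added example against the WIF 3.5 (Microsoft.IdentityModel) API rather than copied from the sample download: it derives from System.Web.Util.RequestValidator, exempts the wresult form field only when the POST parses as a WS-Federation sign-in response, and defers to the built-in validator for everything else. Note what this does and does not establish: passing request validation only means the field was not rejected as HTML; the token's signature and issuer are still checked afterwards by the federation authentication module against the trusted issuers configured in web.config.

```csharp
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

// Added example (not copied from the a-expense.ClaimsAware sample) of the request
// validator referenced by httpRuntime requestValidationType="WsFederationRequestValidator".
public class WsFederationRequestValidator : RequestValidator
{
    protected override bool IsValidRequestString(
        HttpContext context,
        string value,
        RequestValidationSource requestValidationSource,
        string collectionKey,
        out int validationFailureIndex)
    {
        validationFailureIndex = 0;

        // Exempt only the "wresult" form field (WSFederationConstants.Parameters.Result).
        // Query string values, cookies, headers and all other form fields still go
        // through the normal ASP.NET check.
        if (requestValidationSource == RequestValidationSource.Form
            && collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
        {
            // CreateFromFormPost parses the POST as a WS-Federation message; we accept
            // the field only if the result is a sign-in response (wa=wsignin1.0 with a
            // RequestSecurityTokenResponse in wresult). This is a format check, not a
            // trust decision: the token is validated later by WIF's federation module.
            SignInResponseMessage message =
                WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;

            if (message != null)
            {
                return true;
            }
        }

        // Everything else: the built-in validator decides, and throws
        // "A potentially dangerous Request.Form value was detected..." on dangerous input.
        return base.IsValidRequestString(
            context, value, requestValidationSource, collectionKey, out validationFailureIndex);
    }
}
```

Keep the class unqualified (or in App_Code) if you keep the configuration line exactly as shown above; otherwise adjust requestValidationType to the namespace-qualified name.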