How to authenticate with the Belgian eID card in ASP.NET MVC
This blog post walks you through the process of creating an ASP.NET MVC application that authenticates and displays some useful information available on your Belgian eID card.
In order to authenticate, we will use an existing STS endpoint: https://www.e-contract.be/eid-idp/endpoints/ws-federation/metadata/auth-ident-metadata.xml, from which we will retrieve a set of claims.
[Update]
If you haven't done so far, please install the Windows Identity Foundation SDK (WIF). This add the "Add STS Reference" in Visual Studio.
- Open Visual Studio 2010 and create a new ASP.NET MVC 3 Web Application. Select the .NET Framework 4.
- Choose the Internet Application template, and select the Razor engine.
- Run the application by pressing F5. Notice the URL (in my case I use the ASP.NET Development Server, using port 25935)
- Close the application and return to Visual Studio
- Right click the project and choose Add STS Reference.
- In the Application URI, enter the following address: https://localhost:25935 (change the port number)
- Click Next.
- Select Use an existing STS and enter the following address: https://www.e-contract.be/eid-idp/endpoints/ws-federation/metadata/auth-ident-metadata.xml
- Click Next.
- Click Next.
Note: here you should be able to see all the claim types offered by the e-contract endpoint - Click Finish.
When you now hit F5 to run the application again, you will see that the browser redirects you to an external site:
Enter your PIN code (make sure you know this)
After you are authenticated, the values from your Belgian eID card are read out.
Next, you will be transferred again to you ASP.NET MVC Application, but it will return a Server Error:
This happens because the claims are send in <xml> format to the web application. ASP.NET doesn't allow it because this may be an attempt to compromise the security.
The safest way to validate the request while still preserving security, is to introduce a custom RequestValidator. To create custom request validation, you write a custom class that derives from the RequestValidator base class. You then configure ASP.NET to use the custom request validator in the application-level Web.config file.
- Create a custom class and name it SampleRequestValidator.
- Add a reference to Microsoft.IdentityModel. (location: C:\Program Files\Reference Assemblies\Microsoft\Windows Identity Foundation\v3.5\Microsoft.IdentityModel.dll)
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;
/// <summary>
/// This SampleRequestValidator validates the wresult parameter of the
/// WS-Federation passive protocol by checking for a SignInResponse message
/// in the form post. The SignInResponse message contents are verified later by
/// the WSFederationPassiveAuthenticationModule or the WIF signin controls.
/// </summary>
public class SampleRequestValidator : RequestValidator
{
protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
{
validationFailureIndex = 0;
if (requestValidationSource == RequestValidationSource.Form && collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
{
var message = WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;
if (message != null)
{
return true;
}
}
return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
}
}
- Open the web.config file, and put the following setting directly below the <system.web> section:
<system.web>
<httpRuntime requestValidationType="SampleRequestValidator" />
…
</system.web>
- Run the application again. After you have been authenticated, you should already see a different behavior: you name will be displayed in the header section:
- To display all the claim information that is sent to us, open the HomeController and return a view with all the claims:
public ActionResult Index()
{
ViewBag.Message = "Welcome to ASP.NET MVC!";
var claimsIndentity = User.Identity as ClaimsIdentity;
return View(claimsIndentity.Claims);
}
- Open the Index.cshtml view
- Add the @model directive at the top of the file:
@model IEnumerable<Microsoft.IdentityModel.Claims.Claim>
- Create a table and loop through all the available claims:
<table>
@foreach (var item in Model)
{
<tr>
<td>
@Html.DisplayFor(modelItem => item.ClaimType)
</td>
<td>
@Html.DisplayFor(modelItem => item.Issuer)
</td>
<td>
@Html.DisplayFor(modelItem => item.Value)
</td>
</tr>
}
</table>
- Run you application again, authenticate and verify the results
Comments
Anonymous
January 22, 2012
Are there any other STS providers that we can use for the e-id (belgium) ?Anonymous
January 22, 2012
Here's the list of end points, provided by Frank Cornelis www.e-contract.be/.../main.seam. I'm not aware of any other STS providers...Anonymous
January 22, 2012
Looks a lot like this post: fabriccontroller.net/.../the-belgian-eid-in-windows-azure-part-1-authentication-and-identificationAnonymous
June 28, 2012
There is noticeably a bundle to know about this. I assume you made certain nice points in features also. http://arthurhughes.beep.com/