I don't have much understanding of how to make an existing old ASP.NET MVC 4 app (claims-based auth, Windows Identity Foundation, WS-Federation, old Thinktecture Identity Server) use the new IdentityServer4 with the WS-Federation plugin. Does it require substituting WIF's Authentication and Session modules with OWIN middleware, as stated here, or using both?

Here are the configs from web.config:

    <httpModules>
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpModules>
    ...
    <microsoft.identityModel>
      <service>
        <audienceUris>
          <add value="https://localhost/" />
        </audienceUris>
        <federatedAuthentication>
          <wsFederation passiveRedirectEnabled="true" issuer="https://localhost/LoginEndpoint/issue/wsfed" realm="https://localhost/" requireHttps="false" />
          <cookieHandler requireSsl="true" hideFromScript="true" />
        </federatedAuthentication>
        <applicationService>
          <claimTypeRequired>
            <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
            <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
          </claimTypeRequired>
        </applicationService>
        <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <trustedIssuers>
            <add thumbprint="XXXXXXXXXXXX" name="https://localhost/LoginEndpoint/" />
          </trustedIssuers>
        </issuerNameRegistry>
        <certificateValidation certificateValidationMode="None" />
        <serviceCertificate>
          <!-- Needed for cookie encryption in a web-farm environment. -->
          <certificateReference x509FindType="FindByThumbprint" findValue="XXXXXXXXXXXXXXXXX" />
        </serviceCertificate>
      </service>
    </microsoft.identityModel>

Any help will be appreciated! Even suggestions if there are better frameworks or approaches for modern SSO solutions that can be used with old ASP.NET MVC 4 clients.

1 Answer

1
nzpcmad

On the client side, you can use the OWIN stack.

Note this is .NET Core but the principles are the same.

You can still use WIF if you want to. You just need to change the IDP URL and wtrealm parameters.

On the server side you need the Rock Solid Knowledge WS-Fed plugin.

Follow this approach.

The other way is to change to OpenID Connect that idsrv4 supports out of the box.

There's a good walk-through here.
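As an added illustration of the OWIN route the answer describes (example code, not from the question, the answer, or the IdentityServer4 / Rock Solid Knowledge projects): an OWIN Startup for the MVC 4 client that replaces the two WIF httpModules and the `microsoft.identityModel` section from the question with cookie plus WS-Federation middleware. The realm mirrors the question's web.config; the metadata URL and the `MvcClient` namespace are assumptions and must be replaced with the WS-Fed metadata endpoint actually published by the IdentityServer4 instance.

```csharp
// Added example, not the question's or answer's own code.
// NuGet: Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies,
//        Microsoft.Owin.Security.WsFederation (4.x; TokenValidationParameters lives in
//        Microsoft.IdentityModel.Tokens there, in System.IdentityModel.Tokens for 3.x).
// Remove WSFederationAuthenticationModule, SessionAuthenticationModule and the
// <microsoft.identityModel> section from web.config; this middleware takes over both roles.
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(MvcClient.Startup))]

namespace MvcClient
{
    public class Startup
    {
        private const string Realm = "https://localhost/";                       // from the question's web.config
        private const string MetadataAddress = "https://localhost/LoginEndpoint/wsfed/metadata"; // PLACEHOLDER, assumed

        public void Configuration(IAppBuilder app)
        {
            // Cookie middleware replaces SessionAuthenticationModule (the FedAuth session cookie).
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieSecure = CookieSecureOption.Always,  // same intent as cookieHandler requireSsl="true"
                CookieHttpOnly = true                      // same intent as hideFromScript="true"
            });

            // WS-Federation middleware replaces WSFederationAuthenticationModule. Issuer and
            // signing keys come from federation metadata, so the thumbprint-based
            // issuerNameRegistry is no longer needed; audience is still pinned to this realm.
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Realm,
                MetadataAddress = MetadataAddress,
                TokenValidationParameters = new TokenValidationParameters { ValidAudience = Realm },
                Notifications = new WsFederationAuthenticationNotifications
                {
                    // Fail closed on a bad token instead of continuing as anonymous.
                    AuthenticationFailed = ctx =>
                    {
                        ctx.HandleResponse();
                        ctx.Response.StatusCode = 401;
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

Authorization stays as it was: `[Authorize]` and `User.IsInRole(...)` keep working because the middleware populates `ClaimsPrincipal` from the same name and role claim types the old `claimTypeRequired` section lists.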