I have successfully integrated SSO with WIF on my two Web Domain. Now I have a requirement that some users sign on using SSO and other users do not use SSO. How I can achieve this thing?
I would appreciate your help,
Thanks
Shahram Javed
Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.
Check Integrated Windows Authentication settings Log into the client machine where the issue is happening. Under Advanced, check the state of Enable Integrated Windows Authentication. Ensure that the option is enabled or checked. Go to Local Intranet > Sites > Advanced, check that the AD FS URL is listed.
Single sign-on (SSO) is an important cloud security technology that reduces all user application logins to one login for greater security and convenience.
AWS Client VPN can leverage AWS SSO to both authenticate users and authorize them to use one or more segments of the network.
Your question is a little vague so maybe this is not the correct answer. Let me relate our story (which Eugenio helped with) with the hopes it helps the OP or someone else. I'm interpreting "not for other user" as that some users do not use SSO: presumably they use forms authentication or something different.
We use WIF for SSO in a web application that also supports a wif-implemented version of forms authentication.
If someone comes to the Sign In page and provides a user name and password, we use WIF to set a self-issued ClaimsPrincipal. Essentially, the website is providing claims to itself. FederatedAuthentication is used in the same way that FormsAuthentication normally is: set a cookie using a static method on FederatedAuthentication. Bit different, but basically the same principal.
var token = FederatedAuthentication.SessionAuthenticationModule
.CreateSessionSecurityToken(claimsPrincipal, "MyApp.Token",
DateTime.UtcNow, DateTime.UtcNow.AddDays(7), false);
FederatedAuthentication.SessionAuthenticationModule
.AuthenticateSessionSecurityToken(token, true);
Our web app uses a single trusted provider (an ADFS server that negotiates with N federated partners). We need a custom way to decide whether to to redirect unauthenticated users to the Sign In page or to ADFS for SSO users. We disable passive redirect so WIF doesn't automatically send people to ADFS.
<wsFederation passiveRedirectEnabled="false"
issuer="https://adfs.ourplace.com/adfs/ls/"
realm="http://www.ourplace.com" .../>
From here we use an authentication attribute (we use ASP.NET MVC but whatever is appropriate for you).
public class MyAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
public void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext.HttpContext.User.Identity.IsAuthenticated)
return; // all good
RedirectTo(IsSSO() ? GetADFSUrl() : GetSignInUrl();
}
}
To decide whether the user is an SSO user or not when they are unauthenticated is the Home Realm Discovery problem. Different people solve it differently. For us, when an SSO user first connects to the system using SSO we lay down a persistent cookie with their home realm (which is the Claims Provider Identifier in ADFS). If the cookie is absent, they go to Sign In. If the cookie is present, they get redirected to ADFS. The URL is:
var adfsEntryPoint = FederatedAuthentication.WSFederationAuthenticationModule.Issuer;
var wtRealm = FederatedAuthentication.WSFederationAuthenticationModule.Realm;
var whr = <from home realm cookie>
var redirectUrl = string.Format("{0}?wa=wsignin1.0&wtrealm={1}&whr={2}",
adfsEntryPoint,
HttpContext.Server.UrlEncode(wtRealm),
HttpContext.Server.UrlEncode(whr));
If you redirect directly to N federated partners, maybe store the token renewal URL in the cookie.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With