4

We have a lot of domains running on one IIS WebSite/AppPool. Right now we are in the process of implementing SSO with Windows Identity Foundation.

in web.config the realm has to be set with

<wsFederation passiveRedirectEnabled="true" issuer="http://issuer.com" realm="http://realm.com" requireHttps="false" />

My problem is that the realm is dependent on which domain the user accessed the website on so what I did is that I set it in an global action filter like this

var module = context.HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule;
module.Realm = "http://" + siteInfo.DomainName;

My question is. When I set the realm like this, is it set per user instance or application instance.

Scenario.

User A loads the page and the realm get set to domain.a.com.

User B is already logged in on domain.b.com and presses login.

Since user A loaded the page before User B pressed login, user A will hit the STS with the wrong realm set.

What will happen here?

If this is not the way to set the realm per user instance, is there another way to do it?

t3d
  • 178
  • 10

1 Answers1

4

I have already solved the problem.

I set PassiveRedirectEnabled to false in web.config

I set up the mvc project to use forms authentication, eventhough I dont. I do that so that I will get redirected to my login controller with a return url everytime a controller with [Authorize] is run.

In my login controller I do

var module = HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule;
module.PassiveRedirectEnabled = true;

SignInRequestMessage mess = module.CreateSignInRequest("passive", returnUrl, false);
mess.Realm = "http://" + Request.Url.Host.ToLower();

HttpContext.Response.Redirect(mess.WriteQueryString());

This is definitely not really how it should be, for me it feels like Windows Identity Foundation is lagging behind, both in documentation and microsoft technology wise, no examples for MVC.

For other MVC people i recommend them to not use the fedutil wizard, and instead write the code and configuration themself

gevorg
  • 4,835
  • 4
  • 35
  • 52
t3d
  • 178
  • 10