2

I am being tasked with writing an asp.net web app that will use ADFS for authentication. However, at one stage in the application users will have to re-authenticate and supply their username and password again.

Can this be done with ADFS?

Matthew Bonig
  • 2,001
  • 2
  • 20
  • 40

5 Answers

3

The ASP.NET app can be an active client to the STS as well as a passive one. When you need to step up, provide some input fields and ask the user for additional proof of who they are. Using the WSTrustChannelFactory, pass this info (and possibly the original token) to the STS to get a new token that is fresher and contains claims that are sufficient to authorize the higher value transaction.

Travis Spencer
  • 2,231
  • 16
  • 26
  • How will this work if the RP/STS is different from the IP/STS? Then for this step-up scenario, the application would also need to know the IP/STS that was used in the passive sign-in, it looks like. How would one go about that? – MarnixKlooster ReinstateMonica Apr 30 '11 at 17:47
  • Chain the active STSs together just like was done w/ the passive ones. In other words, get the username and PIN in the Web app, send them to the IP-STS. If they're valid, the IP-STS will issue a new token. Send that to the RP-STS. It will issue a second token which the app will be able to crack because it was emitted by the STS that it trusts. Not sure I'd solve this problem that way, but it's food for thought at least. – Travis Spencer Aug 31 '11 at 07:19
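The active call this answer describes, as an added example that is not part of the answer or of any project: the web app takes the credentials the user just typed, requests a fresh token from AD FS over WS-Trust 1.3 with `WSTrustChannelFactory`, and then validates that token with the same handler collection the passive WS-Federation pipeline uses rather than trusting the raw XML. It uses the .NET 4.5 `System.IdentityModel` namespaces (the original answer predates them and would have used `Microsoft.IdentityModel`); the endpoint URL, the relying-party identifier and the class and method names are hypothetical.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Xml;

// Added example: step-up re-authentication against AD FS over WS-Trust 1.3.
// Endpoint and relying-party identifier are placeholders for your own values.
public static class ActiveStepUp
{
    // AD FS username/password endpoint (message credential over TLS).
    const string UsernameMixedEndpoint =
        "https://adfs.example.com/adfs/services/trust/13/usernamemixed";

    // The identifier AD FS knows this relying party by.
    const string RelyingPartyId = "https://app.example.com/";

    public static ClaimsIdentity ReAuthenticate(string username, string password)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(UsernameMixedEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;

        // Ask for a bearer token scoped to this application.
        var request = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(RelyingPartyId),
            KeyType = KeyTypes.Bearer
        };

        IWSTrustChannelContract channel = factory.CreateChannel();
        GenericXmlSecurityToken issued;
        try
        {
            // Bad credentials surface here as a MessageSecurityException / FaultException.
            issued = (GenericXmlSecurityToken)channel.Issue(request);
            ((ICommunicationObject)channel).Close();
            factory.Close();
        }
        catch
        {
            ((ICommunicationObject)channel).Abort();
            factory.Abort();
            throw;
        }

        // Check signature, audience, lifetime and issuer exactly as the passive
        // sign-in would, using the handlers configured in web.config.
        var handlers = FederatedAuthentication.FederationConfiguration
                                              .IdentityConfiguration.SecurityTokenHandlers;
        SecurityToken token;
        using (var reader = XmlReader.Create(new StringReader(issued.TokenXml.OuterXml)))
        {
            token = handlers.ReadToken(reader);
        }
        var identities = handlers.ValidateToken(token);
        return identities[0];
    }
}
```

Because validation goes through `FederatedAuthentication.FederationConfiguration`, this only works inside the ASP.NET application whose `system.identityModel` configuration names AD FS as a trusted issuer and the application as an audience. Once `ReAuthenticate` returns, the app can inspect the identity's authentication-instant claim and, if it wants the rest of the session to carry the fresher claims, write a new session cookie with `SessionAuthenticationModule.WriteSessionTokenToCookie`. Forwarding the original token as well, as the answer mentions, would go in `RequestSecurityToken.ActAs` rather than in the credentials.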
1

What is the goal of the re-authentication, i.e., what does the user need to prove?

I'm presuming the application wants a sign-in token with a recent authentication timestamp (within, say, the last 10 seconds), so that the application is reasonably sure that the client system is really still under that same user's control.

(Watch out for clock differences between your web server and your AD FS server, by the way.)

In the coming months I will be investigating a similar scenario, and my current idea is to use the SessionAuthenticationModule.SessionSecurityTokenReceived Event, as described in this blog post by Vittorio Bertocci. However, that cannot be the entire solution, since this only forces AD FS to give out a token, but it does not force AD FS to give out a token with a recent authentication timestamp.

So no answer yet, but perhaps these hints help.

  • Yes, this is precisely what I want. The application will be SSO but when getting into more "secure" locations of the app I want to re-verify the user account. – Matthew Bonig Feb 09 '11 at 15:57
  • I found another hint in [another answer here on StackOverflow](http://stackoverflow.com/questions/2180306/windows-identity-foundation-how-to-get-new-security-token-in-asp-net/2670064#2670064): basically, just sign the user out. – MarnixKlooster ReinstateMonica Feb 10 '11 at 20:24
1

This article describes a "step-up" procedure that might help you in this scenario. I haven't used it though, so I can't comment in detail. It looks very close to what you are trying to do.

Eugenio Pace
  • 14,094
  • 1
  • 34
  • 43
0

Reducing the TokenLifetime property makes users re-authenticate. Suppose TokenLifetime is 60 min by default, but it shows a popup before 20 mins; however, there may be data loss.

0

For ASP.NET using WIF, you are using WS-Federation as the protocol to interact with ADFS and get a token. Within this, you can specify wrefresh=0 in the sign-in request to ADFS. When this is sent, ADFS ignores any prior cookie state (web SSO) and does a fresh authentication, and so a new token will be issued to the app. In the case of an intranet domain-joined machine, this will be silent.

To have user interaction, you can do one of 2 things

Thanks //Sam (@MrADFS)
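Putting this answer together with the "recent authentication timestamp" idea from the earlier answer, as an added example that is none of the answerers' code: a small WIF module that, on paths needing step-up, reads the authentication-instant claim from the session token (allowing for clock difference between the web server and AD FS), and when it is stale drops the local session and redirects to AD FS with the freshness parameter set to 0. The WS-Federation parameter is spelled `wfresh` in the protocol and is exposed by WIF as `SignInRequestMessage.Freshness`. .NET 4.5 namespaces are used; the path list, the 10-second window, the skew allowance and all class and member names are hypothetical.

```csharp
using System;
using System.IdentityModel.Services;
using System.Security.Claims;
using System.Web;
using System.Xml;

// Added example: enforce a recent AD FS authentication on "secure" paths.
// Call StepUpModule.Register() from Application_Start in Global.asax.
public static class StepUpModule
{
    // Paths that require a fresh authentication (hypothetical).
    static readonly string[] StepUpPaths = { "/Secure/" };

    // How recent the authentication must be, and how much clock drift between
    // the web server and AD FS we tolerate. Keep the skew small relative to the
    // window, or the window is meaningless; syncing both hosts to NTP helps.
    public static readonly TimeSpan MaxAge = TimeSpan.FromSeconds(10);
    public static readonly TimeSpan ClockSkew = TimeSpan.FromSeconds(5);

    // Per-request marker telling the redirect handler to demand wfresh=0.
    const string ForceFreshKey = "StepUpModule.ForceFresh";

    public static void Register()
    {
        FederatedAuthentication.SessionAuthenticationModule
            .SessionSecurityTokenReceived += OnSessionTokenReceived;
        FederatedAuthentication.WSFederationAuthenticationModule
            .RedirectingToIdentityProvider += OnRedirecting;
    }

    public static bool RequiresStepUp(string path)
    {
        foreach (var prefix in StepUpPaths)
            if (path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    // Pure check so the freshness rule can be unit-tested without a pipeline.
    public static bool IsFresh(DateTime authInstantUtc, DateTime nowUtc, TimeSpan maxAge, TimeSpan skew)
    {
        if (authInstantUtc > nowUtc + skew) return false;      // AD FS clock ahead beyond tolerance
        return nowUtc - authInstantUtc <= maxAge + skew;
    }

    public static DateTime? GetAuthenticationInstant(ClaimsIdentity identity)
    {
        var claim = identity == null ? null : identity.FindFirst(ClaimTypes.AuthenticationInstant);
        if (claim == null) return null;
        // The claim value is an XML dateTime, e.g. 2011-02-09T15:57:00.000Z
        return XmlConvert.ToDateTime(claim.Value, XmlDateTimeSerializationMode.Utc);
    }

    static void OnSessionTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        var ctx = HttpContext.Current;
        if (!RequiresStepUp(ctx.Request.Path)) return;

        var identity = e.SessionToken.ClaimsPrincipal.Identity as ClaimsIdentity;
        var instant = GetAuthenticationInstant(identity);
        if (instant.HasValue && IsFresh(instant.Value, DateTime.UtcNow, MaxAge, ClockSkew)) return;

        // Stale or missing: do not accept this session, clear the cookie and go
        // back to AD FS. Without wfresh=0 AD FS would just reissue from its own
        // SSO cookie and the user would never be prompted.
        e.Cancel = true;
        FederatedAuthentication.SessionAuthenticationModule.SignOut();
        ctx.Items[ForceFreshKey] = true;
        FederatedAuthentication.WSFederationAuthenticationModule
            .RedirectToIdentityProvider("passive", ctx.Request.RawUrl, false);
    }

    static void OnRedirecting(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        var ctx = HttpContext.Current;
        if (ctx != null && ctx.Items.Contains(ForceFreshKey))
            e.SignInRequestMessage.Freshness = "0";   // sends wfresh=0 to AD FS
    }
}
```

A missing authentication-instant claim is treated as stale, so the AD FS relying-party trust must issue that claim to this application or every visit to a step-up path will loop back to the STS. As the answer above notes, on a domain-joined intranet machine the renewed sign-in with wfresh=0 may still be silent (integrated Windows authentication), so a fresh timestamp proves the machine re-authenticated, not that a person typed a password; if the latter is the requirement, the active WS-Trust call with explicit credentials is the stronger option.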

SamuelD MSFT
  • 781
  • 4
  • 5