I recently had the task to find out how to mix ASP.NET Forms Authentication with WIF’s WS-Federation. The FormsAuth app did already exist, and a new sub-directory of this application should use ADFS for authentication. Minimum changes to the existing application code would be a plus ;)

Since the application is using ASP.NET MVC this was quite easy to accomplish – WebForms would be a little harder, but still doable. I will discuss the MVC solution here.

To solve this problem, I made the following changes to the standard MVC internet application template:

• Added WIF’s WSFederationAuthenticationModule and SessionAuthenticationModuleto the modules section.
• Add a WIF configuration section to configure the trust with ADFS.
• Added a new authorization attribute. This attribute will go on controller that demand ADFS (or STS in general) authentication.

The attribute logic is quite simple – it checks for authenticated users – and additionally that the authentication type is set to Federation. If that’s the case all is good, if not, the redirect to the STS will be triggered.

public class RequireTokenAuthenticationAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext.User.Identity.IsAuthenticated &&
httpContext.User.Identity.AuthenticationType.Equals(
WIF.AuthenticationTypes.Federation, StringComparison.OrdinalIgnoreCase))
{
return true;
}

return false;
}

protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
// do the redirect to the STS
        var message = FederatedAuthentication.WSFederationAuthenticationModule.CreateSignInRequest(
“passive”,
filterContext.HttpContext.Request.RawUrl,
false);
filterContext.Result = new RedirectResult(message.RequestUrl);
}
}

That’s it ;) If you want to know why this works (and a possible gotcha) – read my next post.