I recently had the task to find out how to mix ASP.NET Forms Authentication with WIF’s WS-Federation. The FormsAuth app did already exist, and a new sub-directory of this application should use ADFS for authentication. Minimum changes to the existing application code would be a plus ;)
Since the application is using ASP.NET MVC this was quite easy to accomplish – WebForms would be a little harder, but still doable. I will discuss the MVC solution here.
To solve this problem, I made the following changes to the standard MVC internet application template:
- Added WIF’s WSFederationAuthenticationModule and SessionAuthenticationModuleto the modules section.
- Add a WIF configuration section to configure the trust with ADFS.
- Added a new authorization attribute. This attribute will go on controller that demand ADFS (or STS in general) authentication.
The attribute logic is quite simple – it checks for authenticated users – and additionally that the authentication type is set to Federation. If that’s the case all is good, if not, the redirect to the STS will be triggered.
public class RequireTokenAuthenticationAttribute : AuthorizeAttribute
protected override bool AuthorizeCore(HttpContextBase httpContext)
if (httpContext.User.Identity.IsAuthenticated &&
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
// do the redirect to the STS
var message = FederatedAuthentication.WSFederationAuthenticationModule.CreateSignInRequest(
filterContext.Result = new RedirectResult(message.RequestUrl);
That’s it ;) If you want to know why this works (and a possible gotcha) – read my next post.