One of the key features of AS is that you can combine it with arbitrary authentication methods. This lets you layer OAuth2 and our application and authorization model over any identity management system.
Recently the question came up which steps would be necessary to combine AS with plain Windows integrated authentication. That’s what I did:
- Downloaded the latest source code version from GitHub
- Set up the vdir in IIS (IIS Express works as well) and enabled Windows authentication (and disabled anonymous authentication)
- Set the ASP.NET authentication mode to Windows (`<authentication mode="Windows" />` in web.config)
- Removed the FAM (the WS-Federation authentication module) as well as the system.identityModel configuration section; the SAM stays in the pipeline
With that we have AS configured for Windows authentication and the WS-Federation plumbing removed. The last step is to set up the claims transformation logic to a) turn the Windows account name into the sub claim and b) add the AS administrator role claim if the Windows user is registered as an AS administrator. This is done in global.asax:
protected void Application_PostAuthenticateRequest()
{
    // only a fresh Windows logon arrives as a WindowsPrincipal; later requests carry the
    // session cookie and the SAM has already set the transformed ClaimsPrincipal
    if (HttpContext.Current.User.Identity.IsAuthenticated &&
        HttpContext.Current.User is WindowsPrincipal)
    {
        // AS administration service (the type the transformer's constructor takes)
        var svc = DependencyResolver.Current.GetService<IAuthorizationServerAdministration>();
        var transformer = new NameIdToSubjectClaimsTransformer(svc);
        var newPrincipal = transformer.Authenticate(
            string.Empty, HttpContext.Current.User as ClaimsPrincipal);
        HttpContext.Current.User = newPrincipal;
        Thread.CurrentPrincipal = newPrincipal;
        // persist the transformed principal so the SAM can rehydrate it from the cookie
        var session = new SessionSecurityToken(newPrincipal);
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(session);
    }
}
This code transforms the WindowsPrincipal into an AS principal on the first authenticated request and writes it to the session cookie. Because only the FAM was removed and the SAM is still in the pipeline, every following request gets the transformed principal from the session token / cookie, so the transformation (including the administrator lookup) runs once per session rather than per request.
If you want to use the resource owner credential flow, you also need to implement a Windows-specific version of the IResourceOwnerCredentialValidation interface (and wire it up in autofac.config). I leave that as an exercise, but the general approach would be to use Win32 LogonUser to verify the Windows username and password (instead of the WS-Trust default implementation).
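As an added illustration of that exercise (this is example code, not part of the AS code base or of the original post), here is a LogonUser-backed validator. It assumes the interface and transformer namespaces shown in the using directives, that autofac can resolve NameIdToSubjectClaimsTransformer with its IAuthorizationServerAdministration dependency, and that AS treats a null return from Validate as failed credentials; all three are assumptions, not something the post states.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Claims;
using System.Security.Principal;
using Thinktecture.AuthorizationServer.Interfaces;   // IResourceOwnerCredentialValidation (assumed namespace)
using Thinktecture.AuthorizationServer.WebHost;      // NameIdToSubjectClaimsTransformer (assumed namespace)

// Resource owner credential validator backed by Win32 LogonUser, registered in
// autofac.config in place of the WS-Trust default.
// Assumption: AS answers invalid_grant when Validate returns null.
public class WindowsResourceOwnerCredentialValidation : IResourceOwnerCredentialValidation
{
    private const int LOGON32_LOGON_NETWORK = 3;      // needs no "log on locally" right
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CloseHandle(IntPtr handle);

    private readonly NameIdToSubjectClaimsTransformer _transformer;

    // the same transformer global.asax uses; autofac supplies its
    // IAuthorizationServerAdministration dependency (assumed wiring)
    public WindowsResourceOwnerCredentialValidation(NameIdToSubjectClaimsTransformer transformer)
    {
        _transformer = transformer;
    }

    public ClaimsPrincipal Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return null;

        // accept DOMAIN\user; a bare name or a UPN (user@domain) is passed with a null domain
        string domain = null, user = userName;
        var sep = userName.IndexOf('\\');
        if (sep > 0)
        {
            domain = userName.Substring(0, sep);
            user = userName.Substring(sep + 1);
        }

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // wrong password, unknown account, locked out, expired: all collapse to "invalid"
            // so the token endpoint cannot be used to enumerate accounts
            return null;
        }

        try
        {
            // WindowsIdentity duplicates the token, so ours can be closed in finally;
            // identity.Name is the canonical DOMAIN\user as the LSA resolved it,
            // not the string the client sent
            var windowsPrincipal = new WindowsPrincipal(new WindowsIdentity(token));

            // same transformation as the interactive path: account name -> sub claim,
            // plus the administrator role if the account is an AS administrator
            return _transformer.Authenticate(string.Empty, windowsPrincipal);
        }
        finally
        {
            CloseHandle(token);
        }
    }
}
```

Two practical notes: a network logon with the default provider needs no extra privilege for the application pool identity on current Windows versions, so the app pool can stay unprivileged; and because the resource owner flow hands the user's domain password to the OAuth2 client, only trusted, first-party clients should be allowed to use it in the AS configuration.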