
My ultimate goal is to add SSO (WS-Fed) to an existing Web Forms application (let’s call it OrigApp).
I already have my app (SP)’s relying party trust ready.

My strategy is first to create an off-the-shelf Web Forms app (let’s call it NewApp), and then I will add all appropriate code from OrigApp.

I have already created the Web Forms NewApp (.NET Framework 4.7.2) with the appropriate IdP and my app (SP) URLs.

I have tested it and SSO works just fine.

Before I add the code from OrigApp, I am inspecting the code in NewApp. I noticed the following, and I have some questions (listed at the end of the things I noticed):

  1. web.config now has a whole bunch of references to assemblies (Microsoft.IdentityModel.Tokens, Microsoft.IdentityModel.Tokens.Saml, Microsoft.IdentityModel.Protocols.OpenIdConnect, Microsoft.IdentityModel.Protocols, etc) to support SSO. This makes sense.

  2. Global.asax.cs has this in Application_Start():

    void Application_Start(object sender, EventArgs e)
    {
        // Code that runs on application startup
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterBundles(BundleTable.Bundles);
    }

  3. There is now a Startup.cs

    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }
    }

ConfigureAuth() is in StartupAuth.cs:

    public partial class Startup
    {
        private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
        private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {
                    Wtrealm = realm,
                    MetadataAddress = adfsMetadata
                });

            // This makes any middleware defined above this line run before the Authorization rule is applied in web.config
            app.UseStageMarker(PipelineStage.Authenticate);
        }
    }

As I said before, I have tested NewApp and SSO works.
My question is, where is the SSO config being called?

As far as I know, ASP.NET will first call Application_Start() in Global.asax.cs, and, as I showed above, I don’t see any code from Startup.cs being called from Application_Start() in Global.asax.cs.

I read that with .NET 5 Startup.cs is used in a similar way to Global.asax.cs.
Is .NET Framework 4.7.2 considered .NET 5? Or is Startup.cs already being called by the .NET Framework in 4.7.2?

If so, does it call Application_Start() from Global.asax.cs first, and then which method in Startup.cs? Configuration?

    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }
    }

So in summary, I need to understand where exactly the code that handles the SSO is called.
I also checked Default.aspx.cs and it is empty.
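The mechanism asked about above, as an added note and example that is not part of the question or of the files Visual Studio generated: Microsoft.Owin.Host.SystemWeb (in packages.config) registers an HTTP module through a PreApplicationStartMethod, and when that module initialises it locates the OWIN startup class, either by an `[assembly: OwinStartup]` attribute, by the `owin:AppStartup` appSetting, or by convention (a class named `Startup` with a `Configuration(IAppBuilder)` method), and calls `Configuration` once to build the pipeline. That is why nothing in Global.asax references Startup.cs; Application_Start still runs, and runs first, with the OWIN pipeline built when the first request initialises the HTTP modules. This has nothing to do with .NET 5, which is a separate runtime. The example below rewrites the generated Startup.cs and Startup.Auth.cs as one file, names the startup class explicitly, and tightens the options the template leaves at their defaults (cookie flags, explicit audience, sign-in-time authorization, and a failure handler that does not render validation exceptions). The `NewApp` namespace, the group claim value `NewApp-Users` and the `/Account/AccessDenied` page are assumptions, not taken from the question.

```csharp
// Startup.cs with Startup.Auth.cs folded in (added example, not the template's generated
// files). Assumptions: the NewApp namespace, the group claim value "NewApp-Users" and the
// /Account/AccessDenied page are not from the question.
using System;
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

// Microsoft.Owin.Host.SystemWeb finds the startup class through this attribute (or the
// owin:AppStartup appSetting, or by convention a class named Startup with a
// Configuration(IAppBuilder) method). The template relies on the convention; naming the
// class explicitly removes any doubt about which class runs.
[assembly: OwinStartup(typeof(NewApp.Startup))]

namespace NewApp
{
    public partial class Startup
    {
        private static readonly string Realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
        private static readonly string AdfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

        // Called once by the OWIN host when it builds the pipeline; nothing in Global.asax calls it.
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            // The template passes an empty CookieAuthenticationOptions; these settings keep the
            // session cookie off plain HTTP and out of reach of script, with a fixed lifetime.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,
                ExpireTimeSpan = TimeSpan.FromHours(8),
                SlidingExpiration = false
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Realm,
                MetadataAddress = AdfsMetadata,   // https only: the token signing keys come from this document
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateAudience = true,
                    ValidAudience = Realm,        // explicit, rather than relying on the Wtrealm default
                    ValidateIssuer = true,        // the middleware adds the metadata issuer to the valid issuers
                    ValidateLifetime = true,
                    RequireSignedTokens = true,
                    ClockSkew = TimeSpan.FromMinutes(2)
                },
                UseTokenLifetime = false,         // cookie lifetime is set above, not copied from the token
                Notifications = new WsFederationAuthenticationNotifications
                {
                    SecurityTokenValidated = n =>
                    {
                        // Authorization at sign-in time: refuse to create a session for a valid
                        // token that lacks the required AD FS group claim (value is an assumption).
                        ClaimsIdentity identity = n.AuthenticationTicket.Identity;
                        bool allowed = identity.HasClaim(c =>
                            c.Type == "http://schemas.xmlsoap.org/claims/Group" && c.Value == "NewApp-Users");
                        if (!allowed)
                        {
                            n.HandleResponse();
                            n.Response.Redirect("/Account/AccessDenied");   // assumed page under <location path="Account">
                        }
                        return Task.FromResult(0);
                    },
                    AuthenticationFailed = n =>
                    {
                        // A bad signature, expired token or wrong audience ends up here. Handle it
                        // so the exception text is not rendered to the browser, and fail closed.
                        n.HandleResponse();
                        n.Response.Redirect("/Account/AccessDenied");
                        return Task.FromResult(0);
                    }
                }
            });

            // Run the middleware above at the Authenticate stage so User is populated before the
            // <authorization> rules in web.config are evaluated.
            app.UseStageMarker(PipelineStage.Authenticate);
        }
    }
}
```

The `[assembly: OwinStartup]` line must appear after the `using` directives and before the namespace. If the page you redirect to on failure is not under the `<location path="Account">` that allows anonymous users, the `<deny users="?" />` rule will bounce the unauthenticated user straight back to the IdP and the failure is never shown.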

2 Answers


  1. Chosen as BEST ANSWER

    Tm Son, here is the web.config file created by VS:

    <?xml version="1.0" encoding="utf-8"?>
    
    <configuration>
      <appSettings>
        <add key="ida:ADFSMetadata" value="https://xxxx/FederationMetadata/2007-06/FederationMetadata.xml" />
        <add key="ida:Wtrealm" value="https://xyz/myapp/" />
      </appSettings>
      <location path="Account">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
        <compilation debug="true" targetFramework="4.7.2" />
        <httpRuntime targetFramework="4.7.2" />
        <pages>
          <namespaces>
            <add namespace="System.Web.Optimization" />
          </namespaces>
          <controls>
            <add assembly="Microsoft.AspNet.Web.Optimization.WebForms" namespace="Microsoft.AspNet.Web.Optimization.WebForms" tagPrefix="webopt" />
          </controls>
        </pages>
      </system.web>
      <system.webServer>
        <modules>
          <remove name="FormsAuthentication" />
        </modules>
      </system.webServer>
      <runtime>
        <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
          <dependentAssembly>
            <assemblyIdentity name="Antlr3.Runtime" publicKeyToken="eb42632606e9261f" />
            <bindingRedirect oldVersion="0.0.0.0-3.5.0.2" newVersion="3.5.0.2" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="Microsoft.IdentityModel.Tokens" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="0.0.0.0-5.5.0.0" newVersion="5.5.0.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="Microsoft.IdentityModel.Tokens.Saml" publicKeyToken="31BF3856AD364E35" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-5.5.0.0" newVersion="5.5.0.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="Microsoft.IdentityModel.Protocols.OpenIdConnect" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="0.0.0.0-5.5.0.0" newVersion="5.5.0.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="Microsoft.IdentityModel.Protocols" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="0.0.0.0-5.5.0.0" newVersion="5.5.0.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="Microsoft.IdentityModel.Protocols.WsFederation" publicKeyToken="31BF3856AD364E35" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-5.5.0.0" newVersion="5.5.0.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" />
            <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="System.IdentityModel.Tokens.Jwt" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="0.0.0.0-5.5.0.0" newVersion="5.5.0.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="WebGrease" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="0.0.0.0-1.6.5135.21930" newVersion="1.6.5135.21930" />
          </dependentAssembly>
        </assemblyBinding>
      </runtime>
      <system.codedom>
        <compilers>
          <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701" />
          <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+" />
        </compilers>
      </system.codedom>
    </configuration>
    

    Also, I see there is a packages.config file with these contents:

    <?xml version="1.0" encoding="utf-8"?>
    <packages>
      <package id="Antlr" version="3.5.0.2" targetFramework="net472" />
      <package id="AspNet.ScriptManager.bootstrap" version="3.4.1" targetFramework="net472" />
      <package id="AspNet.ScriptManager.jQuery" version="3.4.1" targetFramework="net472" />
      <package id="bootstrap" version="3.4.1" targetFramework="net472" />
      <package id="jQuery" version="3.4.1" targetFramework="net472" />
      <package id="Microsoft.AspNet.FriendlyUrls" version="1.0.2" targetFramework="net472" />
      <package id="Microsoft.AspNet.FriendlyUrls.Core" version="1.0.2" targetFramework="net472" />
      <package id="Microsoft.AspNet.ScriptManager.MSAjax" version="5.0.0" targetFramework="net472" />
      <package id="Microsoft.AspNet.ScriptManager.WebForms" version="5.0.0" targetFramework="net472" />
      <package id="Microsoft.AspNet.Web.Optimization" version="1.1.3" targetFramework="net472" />
      <package id="Microsoft.AspNet.Web.Optimization.WebForms" version="1.1.3" targetFramework="net472" />
      <package id="Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="2.0.1" targetFramework="net472" />
      <package id="Microsoft.IdentityModel.JsonWebTokens" version="5.5.0" targetFramework="net472" />
      <package id="Microsoft.IdentityModel.Logging" version="5.5.0" targetFramework="net472" />
      <package id="Microsoft.IdentityModel.Protocol.Extensions" version="1.0.4.403061554" targetFramework="net472" />
      <package id="Microsoft.IdentityModel.Protocols" version="5.5.0" targetFramework="net472" />
      <package id="Microsoft.IdentityModel.Protocols.OpenIdConnect" version="5.5.0" targetFramework="net472" />
      <package id="Microsoft.IdentityModel.Protocols.WsFederation" version="5.5.0" targetFramework="net472" />
      <package id="Microsoft.IdentityModel.Tokens" version="5.5.0" targetFramework="net472" />
      <package id="Microsoft.IdentityModel.Tokens.Saml" version="5.5.0" targetFramework="net472" />
      <package id="Microsoft.IdentityModel.Xml" version="5.5.0" targetFramework="net472" />
      <package id="Microsoft.Owin" version="4.0.1" targetFramework="net472" />
      <package id="Microsoft.Owin.Host.SystemWeb" version="4.0.1" targetFramework="net472" />
      <package id="Microsoft.Owin.Security" version="4.0.1" targetFramework="net472" />
      <package id="Microsoft.Owin.Security.Cookies" version="4.0.1" targetFramework="net472" />
      <package id="Microsoft.Owin.Security.WsFederation" version="4.0.1" targetFramework="net472" />
      <package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net472" />
      <package id="Modernizr" version="2.8.3" targetFramework="net472" />
      <package id="Newtonsoft.Json" version="12.0.2" targetFramework="net472" />
      <package id="Owin" version="1.0" targetFramework="net472" />
      <package id="System.IdentityModel.Tokens.Jwt" version="5.5.0" targetFramework="net472" />
      <package id="WebGrease" version="1.6.0" targetFramework="net472" />
    </packages>
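An added example, not from the answer above or the generated project, of what the empty Default.aspx.cs the question mentions could contain once the web.config above is in place. The `<deny users="?" />` rule means an anonymous request to the page produces a 401, which the WS-Fed middleware (in its default Active mode) turns into a wsignin1.0 redirect; by the time Page_Load runs, the cookie middleware has built the ClaimsPrincipal from the validated token. The example lists the claims the IdP actually issued, which is the quickest way to check the claim rules on the relying party trust before porting OrigApp's role checks, and performs a federated sign-out rather than only clearing the local cookie. The `NewApp` namespace, the `ClaimsGrid` and `SignOutButton` controls and the `/Account/SignedOut` page are assumptions.

```csharp
// Default.aspx.cs (added example; the template's code-behind is empty).
// Assumes the markup declares <asp:GridView ID="ClaimsGrid" runat="server" /> and
// <asp:Button ID="SignOutButton" runat="server" Text="Sign out" OnClick="SignOut_Click" />.
using System;
using System.Linq;
using System.Security.Claims;
using System.Web;                       // GetOwinContext() extension from Microsoft.Owin.Host.SystemWeb
using System.Web.UI;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;

namespace NewApp
{
    public partial class _Default : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            var principal = User as ClaimsPrincipal;
            if (principal == null || !principal.Identity.IsAuthenticated)
            {
                // Unreachable while <deny users="?" /> is in web.config; kept so the page fails
                // closed if that rule is ever loosened. A 401 with no body is picked up by the
                // WS-Fed middleware and turned into a redirect to the IdP.
                Response.StatusCode = 401;
                Response.SuppressContent = true;
                Context.ApplicationInstance.CompleteRequest();
                return;
            }

            if (!IsPostBack)
            {
                // Show exactly what the IdP asserted, including which issuer each claim came from.
                ClaimsGrid.DataSource = principal.Claims
                    .Select(c => new { c.Type, c.Value, c.Issuer })
                    .ToList();
                ClaimsGrid.DataBind();
            }
        }

        protected void SignOut_Click(object sender, EventArgs e)
        {
            // Sign out of the local cookie and of the federation (wsignout1.0 to the IdP).
            // Clearing only the cookie leaves the IdP session alive, so the next request to a
            // protected page would silently sign the user straight back in.
            Context.GetOwinContext().Authentication.SignOut(
                // Assumed landing page; it must be reachable anonymously, i.e. under the
                // <location path="Account"> block in web.config.
                new AuthenticationProperties { RedirectUri = "/Account/SignedOut" },
                WsFederationAuthenticationDefaults.AuthenticationType,
                CookieAuthenticationDefaults.AuthenticationType);
        }
    }
}
```

Listing the `Issuer` column is deliberate: when OrigApp's code is ported, any role or group checks should be written against claims from the expected issuer and type, not against whatever `User.IsInRole` happens to map from the incoming token.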
    

  2. Could you specify the package names and exact versions that you have installed? From what I see, I suspect that you might have installed wrong packages that only support ASP.NET MVC (that’s why Startup.cs was created). This Startup.cs is heavily related to MVC and has nothing to do with Web Forms. So if the extensions that you are trying to use only support registering in Startup.cs instead of Global.asax, I don’t think it would work for ASP.NET Web Forms.

    (Updated)

    From the web.config that you’ve sent, I guess you are trying to use OWIN/ASP.NET Identity for authentication. Unfortunately ASP.NET Web Forms uses classic ASP.NET authorization and there is no explicit way to use OWIN authentication as middleware. But I think this article describes how to use OWIN in an ASP.NET Web Forms project. Please take note of the voted answer on how to set it up to use OWIN. I hope that helped.
