Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

ADFS, ASP.NET and Roles

Last post 05-27-2009, 8:38 AM by joe. 3 replies.
  •  05-16-2009, 10:01 AM 6460

    ADFS, ASP.NET and Roles

    Hi -

    My company is moving to ADFS, and I'm trying to figure out how to leverage the ASP.NET declarative authorization to protect my site's files/folders. Today I use forms auth with a custom data store for authorization. I use FormsAuthenticationTicket to create my cookie (I know, I should use MembershipProvider), fill it up with the roles and away I go. I use <allow roles="Admin" /> in my web.config and life is good. Been using it for years.

    Now, with ADFS, how do I get my roles into the principal in order to use ASP.NET declarative <authorization> directives? An MS ADFS engineer told me if I use GroupClaims it would work, but those roles just come from an xml file on the ADFS server, my roles come from a database and are very dynamic.

    Does anyone have any ideas for me? I'm on the brink of rolling my own code to protect my files/folder and I'd hate to re-invent the wheel like that if I don't have to.

    Thanks!

  •  05-18-2009, 12:07 PM 6470 in reply to 6460

    Re: ADFS, ASP.NET and Roles

    If you had just been using the role provider framework, this would be easy as you could use the ADFS membership provider with your existing database role provider.  You would probably want to go in that direction if you don't want the role data to come from the federation server.

    Generally speaking though, it is a better model to try to get the FS to send you the role claims.  If you don't, your database needs to "know" about all the users to assign them roles.  In the pure federation model, you don't necessarily "know" who all the users are in advance.

    The bottom line here is that there are lots of options to solve this, but implementing a custom role provider is probably the best way for you to go because you can write that against your existing role store.  Then, in the future if you want to use ADFS for the role data, you can just switch to its role provider.

    With Geneva in the future, you could potentially have the Geneva server generate dynamic group claims for you by querying your database store directly if you wanted to.

  •  05-27-2009, 6:01 AM 6515 in reply to 6470

    Re: ADFS, ASP.NET and Roles

    Thanks joe,

    I didn't even know there was an ADFS Membership provider - where can I find it?


    Thanks!

    buzzz

  •  05-27-2009, 8:38 AM 6518 in reply to 6515

    Re: ADFS, ASP.NET and Roles

    It is in the System.Web.SingleSignOn assembly as with the normal federation server components and the ADFS authentication module.  I think there are two versions of the membership and role providers, depending on which version of the ADFS assembly you have.  The revised versions run under partial trust in SharePoint.  The type names of the original providers are:

    • SingleSignOnMembershipProvider
    • SingleSignOnRoleProvider

    The revised versions have a "2" at the end I believe.

    Hope that helps.
