This post presents a Basic Authenticator wrapper around ADFS security. This authenticator allows a client and web-service to use Basic authorization security, while the actual security authentication happens on an ADFS server.
The Basic Authenticator is a .NET HTTP module, which creates a security context based on a user principal that it receives from ADFS. All subsequent request processing happens in the context of this 'impersonated' context.
The request processing sequence is as follows:
- Client connects to the web-service using Basic authorization (over HTTPS, so the Authorization request header is not transmitted in the open)
- Basic Authenticator HTTP module intercepts the request
- If an Authorization header is in the request
  - Extract and decode username/password from the Authorization header
  - If username/password is valid in ADFS
    - Create user principal
    - Set security context
    - Let request processing continue
  - Else
    - Send 401 WWW-Authenticate response header
    - Stop request processing
- Else
  - Send 401 WWW-Authenticate response header
  - Stop request processing
Request processing starts with the AuthenticateRequest method. If there is an Authorization header, try to extract and validate the user with ADFS; otherwise, prepare to return a 401 response.

```csharp
public void AuthenticateRequest()
{
    var authorization = Request.Headers["Authorization"];
    if (authorization != null)
    {
        string credentials = GetCredentials(authorization);
        if (credentials != null && AuthenticateUser(credentials))
        {
            // Pass the authenticated user name downstream in a configured request header.
            Request.Headers[Configuration.HeaderUser] = HttpContext.Current.User.Identity.Name;
            return;
        }
    }
    // No usable Authorization header, or ADFS rejected the credentials:
    // mark the response 401 so EndRequest sends the challenge.
    HttpContext.Current.Response.StatusCode = 401;
}
```
Request processing ends with the EndRequest method. If the response code was set to 401, send a WWW-Authenticate header as well, which forces the client to resend the request with an Authorization header. The exception is an OPTIONS request (which means it is a WebDAV request), which is answered with 200 OK instead.

```csharp
public void EndRequest()
{
    if (Response.StatusCode == 401)
    {
        if (Request.RequestType == "OPTIONS")
        {
            // OPTIONS (WebDAV) requests are answered without a challenge.
            Response.StatusCode = 200;
        }
        else
        {
            // Challenge the client so it resends the request with Basic credentials.
            Response.Headers.Add("WWW-Authenticate", string.Format("Basic realm=\"{0}\"", Realm));
        }
    }
}
```
The GetCredentials method decodes the Authorization header and extracts the username/password:

```csharp
// Requires: using System; using System.Net.Http.Headers; using System.Text;
private string GetCredentials(string authorizationHeader)
{
    AuthenticationHeaderValue headerValue;
    // TryParse rather than Parse: a malformed header should end in a 401,
    // not in an unhandled FormatException.
    if (!AuthenticationHeaderValue.TryParse(authorizationHeader, out headerValue)
        || !headerValue.Scheme.Equals("basic", StringComparison.OrdinalIgnoreCase)
        || string.IsNullOrEmpty(headerValue.Parameter))
    {
        return null;
    }

    var encoding = Encoding.GetEncoding("iso-8859-1");
    try
    {
        byte[] credentialsBytes = Convert.FromBase64String(headerValue.Parameter);
        return encoding.GetString(credentialsBytes);
    }
    catch (FormatException)
    {
        // The parameter is not valid Base64: treat it as missing credentials.
        return null;
    }
}
```
Next, the AuthenticateUser method is called once a username/password has been successfully extracted from the Authorization header. It checks the credentials against ADFS and sets the security context on both the current HttpContext and the current Thread.

```csharp
// Requires: using System.Security.Principal; using System.Threading; using System.Web;
private bool AuthenticateUser(string credentials)
{
    IPrincipal principal = CheckPassword(credentials);
    if (principal != null)
    {
        // Set the security context on both the thread and the HttpContext,
        // so all subsequent processing runs as this user.
        Thread.CurrentPrincipal = principal;
        HttpContext.Current.User = principal;
        return true;
    }
    return false;
}
```
Next, the CheckPassword method is where the credentials are checked against ADFS. If successful, ADFS returns a SAML token, which we need to decrypt, extract the user from, and then create a user principal for that user:

```csharp
// Requires: using System.IdentityModel.Tokens; using System.Security.Claims;
private ClaimsPrincipal CheckPassword(string credentials)
{
    // Split on the first colon only: the user name cannot contain ':' (RFC 7617),
    // but the password can.
    string[] parts = credentials.Split(new[] { ':' }, 2);
    if (parts.Length != 2)
    {
        return null;
    }

    AdfsClient adfsClient = new AdfsClient(parts[0], parts[1],
        Utils.Configuration.AdfsAudienceId, Utils.Configuration.AdfsStsUrl);
    GenericXmlSecurityToken encryptedToken = adfsClient.GetToken();
    SecurityToken decryptedToken = adfsClient.DecryptToken(encryptedToken);
    return adfsClient.GetPrincipal(decryptedToken);
}
```
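To see the whole request flow end to end (the processing sequence above, plus GetCredentials, AuthenticateRequest and EndRequest), here is an added Python simulation of the module. It is example code written for this post, not the author's module: a constructed in-memory credential table (`FAKE_ADFS_USERS`, `fake_adfs_check`) stands in for the ADFS round trip (GetToken/DecryptToken/GetPrincipal), and `Exchange`, `run` and `basic_header` are names chosen here. It exercises the cases a practitioner should check: no header, a non-Basic scheme, invalid Base64, a password containing a colon, a wrong password, and the OPTIONS exception.

```python
import base64
import binascii
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for ADFS: username -> password. In the post, CheckPassword
# calls AdfsClient.GetToken/DecryptToken/GetPrincipal; a dictionary lookup plays
# that role here so the flow runs offline.
FAKE_ADFS_USERS = {"alice": "s3cret:with:colons", "bob": "hunter2"}


def fake_adfs_check(username: str, password: str) -> Optional[str]:
    """Return a principal name if 'ADFS' would issue a token, else None."""
    if FAKE_ADFS_USERS.get(username) == password:
        return username
    return None


def get_credentials(authorization_header: str) -> Optional[str]:
    """Mirror of GetCredentials: turn 'Basic <b64>' into 'user:pass' text."""
    scheme, _, parameter = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic" or not parameter.strip():
        return None
    try:
        raw = base64.b64decode(parameter.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid Base64: treat as missing credentials
    return raw.decode("iso-8859-1")


def split_credentials(credentials: str) -> Optional[Tuple[str, str]]:
    """Split on the first colon only; the password may itself contain ':'."""
    parts = credentials.split(":", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    return parts[0], parts[1]


@dataclass
class Exchange:
    """One request/response pair as the module sees it."""
    method: str
    headers: Dict[str, str]
    status: int = 200
    response_headers: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None


def authenticate_request(ex: Exchange,
                         check: Callable[[str, str], Optional[str]] = fake_adfs_check) -> None:
    """Mirror of AuthenticateRequest: set the user or mark the response 401."""
    authorization = ex.headers.get("Authorization")
    if authorization is not None:
        credentials = get_credentials(authorization)
        parts = split_credentials(credentials) if credentials else None
        if parts:
            principal = check(*parts)
            if principal:
                ex.user = principal  # security context is now this user
                return
    ex.status = 401


def end_request(ex: Exchange, realm: str = "adfs") -> None:
    """Mirror of EndRequest: challenge on 401, except for OPTIONS."""
    if ex.status == 401:
        if ex.method == "OPTIONS":
            ex.status = 200
        else:
            ex.response_headers["WWW-Authenticate"] = f'Basic realm="{realm}"'


def run(method: str, headers: Dict[str, str], realm: str = "adfs") -> Exchange:
    """Push one request through both module stages and return the outcome."""
    ex = Exchange(method, headers)
    authenticate_request(ex)
    end_request(ex, realm)
    return ex


def basic_header(user: str, password: str) -> str:
    """Build the client-side Authorization header value for user/password."""
    token = base64.b64encode(f"{user}:{password}".encode("iso-8859-1")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    print(run("GET", {}))                                   # 401 + challenge
    print(run("OPTIONS", {}))                               # 200, no challenge
    print(run("GET", {"Authorization": basic_header("alice", "s3cret:with:colons")}))
```

Two details worth noting against the C# version: invalid Base64 yields a clean 401 rather than an exception escaping the module, and splitting on the first colon keeps passwords with colons working, while a missing colon still fails closed.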
The code above makes use of a custom class AdfsClient that abstracts out the interaction with the ADFS server. The main methods are the following:
- GetToken: requests a SAML token from the ADFS server, passing in the user, password and Relying Party identifier, and returns an XML representation of the token;
- DecryptToken: decrypts the encrypted SAML token and converts it into a Saml2SecurityToken;
- GetPrincipal: extracts the ClaimsIdentity from the decrypted SAML token and returns a ClaimsPrincipal.
For brevity, I won't go into details about the AdfsClient class in this blog post. Instead, I will dedicate an entire blog post to AdfsClient shortly.