WIF and subdomains

We have an existing ASP.NET application (WebForms) that uses do-it-yourself authentication. We were instructed to implement a single solution for entering the system and decided to use WIF.

We have one instance of the running application, and we identify the client using a subdomain (for example, client1.ourapp.com, client2.ourapp.com, etc.). In the application code, we remove the first subdomain and identify the client.

We are working on a WIF proof of concept to figure out how to redirect the user back to the correct subdomain after authentication. The out-of-the-box behavior seems to be that the STS redirects the user to whatever realm is specified in the configuration file. The following is the PoC configuration file. I use my hosts file to fake different clients (i.e. 127.0.0.1 client1.ourapp.com, 127.0.0.1 client2.ourapp.com).

<federatedAuthentication>
    <wsFederation 
        passiveRedirectEnabled="true" 
        issuer="http://ourapp.com/SSOPOCSite_STS/" 
        realm="http://client1.ourapp.com" 
        requireHttps="false" />
</federatedAuthentication>

Obviously, this will not work, because we cannot redirect everyone to the same subdomain.

We think that we have figured out how to deal with this, but would like some external opinions on whether we are doing it right or we are just lucky.

We handle the FAM RedirectingToIdentityProvider event. There we parse the URL, take the first subdomain, and set Realm and HomeRealm on the SignInRequestMessage before FAM redirects to the STS.

protected void WSFederationAuthenticationModule_RedirectingToIdentityProvider( object sender, RedirectingToIdentityProviderEventArgs e )
{
    // this method parses the HTTP_HOST and gets the first subdomain
    var companyName = GetCompanyName();
    var realm = GetRealm( companyName );

    e.SignInRequestMessage.Realm = realm;
    e.SignInRequestMessage.HomeRealm = companyName;
}

string GetRealm( string companyName )
{
    return String.Format( "http://{0}.ourapp.com/SSOPOCSite/", companyName );
}

?

- ?

?
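One way to fill in the handler above with a complete GetCompanyName, added here as an example rather than code from the question. It assumes WIF 3.5 (the Microsoft.IdentityModel.Web namespace, matching the <federatedAuthentication> config section shown), the ASP.NET Global.asax naming convention for wiring the event, and a constructed tenant allow-list (KnownTenants) standing in for whatever tenant store the real application has. The point it adds is that Request.Url.Host is taken from the client-supplied Host header, so the subdomain is checked against the list of tenants the application actually serves before a realm is built from it.

```csharp
// Global.asax.cs (added example; assumes WIF 3.5 / Microsoft.IdentityModel)
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;
using Microsoft.IdentityModel.Web;

public class Global : HttpApplication
{
    // Constructed allow-list of tenants. A real deployment would read this from
    // its tenant store; what matters is that the realm is only ever built from a
    // value the application already knows, never straight from the Host header.
    private static readonly HashSet<string> KnownTenants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "client1", "client2" };

    // Base domain that all tenant subdomains hang off (from the question).
    private const string BaseDomain = ".ourapp.com";

    // One DNS label: letters, digits and hyphens, at most 63 characters.
    private static readonly Regex LabelPattern =
        new Regex("^[a-z0-9-]{1,63}$", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // ASP.NET auto-wires <ModuleName>_<EventName> handlers declared in Global.asax.
    protected void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // Request.Url.Host is derived from the HTTP Host header (port already
        // stripped), i.e. it is client-controlled, so validate before using it.
        string companyName = GetCompanyName(Request.Url.Host);
        if (companyName == null)
        {
            // Unknown or malformed tenant: do not send the STS a realm we don't serve.
            e.Cancel = true;
            Response.StatusCode = 404;
            CompleteRequest();
            return;
        }

        e.SignInRequestMessage.Realm = GetRealm(companyName);
        e.SignInRequestMessage.HomeRealm = companyName;
    }

    // Extracts the tenant label from a host such as "client1.ourapp.com".
    // Returns null for anything that is not exactly one known label under
    // the base domain ("ourapp.com", "a.b.ourapp.com", "client9.ourapp.com").
    internal static string GetCompanyName(string host)
    {
        if (string.IsNullOrEmpty(host)) return null;
        if (!host.EndsWith(BaseDomain, StringComparison.OrdinalIgnoreCase)) return null;

        string label = host.Substring(0, host.Length - BaseDomain.Length);
        if (label.IndexOf('.') >= 0) return null;       // more than one label: reject
        if (!LabelPattern.IsMatch(label)) return null;   // empty or unexpected characters
        if (!KnownTenants.Contains(label)) return null;  // tenant this instance does not serve

        return label.ToLowerInvariant();
    }

    // Same realm shape as in the question, now only ever given a validated label.
    internal static string GetRealm(string companyName)
    {
        return string.Format("http://{0}.ourapp.com/SSOPOCSite/", companyName);
    }
}
```

The allow-list check on the relying-party side does not replace the check on the STS side: the STS should still compare the incoming wtrealm against its own registered relying parties, so that a realm it was never configured for is refused rather than used as a redirect target.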


( ), , , Request.UrlReferrer, , .

