
Comments (14)

brockallen avatar brockallen commented on May 30, 2024

There are some other threads in the core repo that ask about this. Of course, they're using OIDC for the protocol. We don't have a sample for this, but the approach would be to use the acr_values to indicate you want this "delegation" and use PreAuthN like you suggest to get the user logged in without credentials. So I think you're on the right track.

from identityserver3.wsfederation.

leastprivilege avatar leastprivilege commented on May 30, 2024

We don't support custom parameters for WS-Federation. We do for OIDC.

Check the ws-fed spec if you find a suitable parameter that could be used for extensibility.


rayph avatar rayph commented on May 30, 2024

I think I would like to make use of either the wfed or maybe the legacy wres parameter. Not sure how to get these passed through from the RP side yet (using Microsoft.Owin.Security.WsFederation).

wfed -> SignInRequestMessage.Federation (context id or any string?)
wres -> SignInRequestMessage.Resource (legacy/unused?)

Anything where a value could be passed all the way through would be useful...


brockallen avatar brockallen commented on May 30, 2024

If you're going to update the WS-Fed RP to pass custom params, why can't you update it for OIDC?


rayph avatar rayph commented on May 30, 2024

Aiming to get full stack implementation working using WsFed for now; OIDC would be a bit further down the line.

Plugging in "wfed" as an option for RP by overriding WsFederationAuthenticationHandler was quite straightforward actually. Most things there are virtual.


leastprivilege avatar leastprivilege commented on May 30, 2024

What kind of extra data do you want to pass to the wsfed endpoint?

On 02.02.2015, at 18:39, rayph wrote:

Aiming to get full stack implementation working using WsFed for now; OIDC would be a bit further down the line.

Plugging in "wfed" as an option for RP by overriding WsFederationAuthenticationHandler was quite straightforward actually. Most things there are virtual.


rayph avatar rayph commented on May 30, 2024

I'm thinking of using an encrypted (url-safe) bit of data that the UserService.PreAuthenticateAsync can act on. It may automatically authenticate the user as a guest login for instance.


rayph avatar rayph commented on May 30, 2024

It would be pretty handy if "wfed" was forwarded by the WsFederationController, maybe as LoginHint or perhaps an entirely new property on SignInMessage, to the AuthenticationController. I imagine other folks might want to forward a parameter from the RP like this, or am I doing something completely unexpected?


leastprivilege avatar leastprivilege commented on May 30, 2024

Why do you need to make a round trip to idsrv for signing in someone as a guest? Wouldn't it be easier to just set a local cookie for the guest in your app?

On 02.02.2015, at 19:24, rayph wrote:

I'm thinking of using an encrypted (url-safe) bit of data that the UserService.PreAuthenticateAsync can act on. It may automatically authenticate the user as a guest login for instance.


rayph avatar rayph commented on May 30, 2024

We have multiple apps. Also, being able to sign in as a particular account without actually asking for credentials is something we need to provide.


leastprivilege avatar leastprivilege commented on May 30, 2024

I will look into it. In general I am not opposed to being able to pass custom data, but I don't think the wfed parameter is the right one. Looking at the spec, none of them seem right. So we might also just re-use acr_values.


rayph avatar rayph commented on May 30, 2024

Yes, none of the standard parameters feel quite right. The acr_values sounds interesting, but I would be hoping for a convenient way to pass it through from the RP. Right now I set WsFederationMessage.Wfed to the custom value and it gets forwarded/serialised as per the spec. Would I instead manually append an "acr_values" query string parameter to the sign-in redirect URL? And would having a 'weird' value in SignInMessage.AcrValues cause issues elsewhere in IdSrv (or is it better to have a specific property for this)?


leastprivilege avatar leastprivilege commented on May 30, 2024

Done on dev. Will push a 1.1 nuget soon.


rayph avatar rayph commented on May 30, 2024

Very helpful. Thanks!

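Added example (not part of the thread and not IdentityServer code): whichever parameter carries the value, a token that signs a user in without credentials must be integrity-protected, bound to one audience, and short-lived before UserService.PreAuthenticateAsync acts on it. The `DelegationToken` class, its field layout and the key handling are assumptions; it authenticates the value with an HMAC rather than encrypting it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: a signed, expiring value that can travel in acr_values.
// Token format: base64url(payload) "." base64url(HMAC-SHA256(key, payload)).
public static class DelegationToken
{
    static string B64Url(byte[] b)
    { return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_'); }

    static byte[] FromB64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    static byte[] Mac(byte[] key, byte[] data)
    { using (var h = new HMACSHA256(key)) return h.ComputeHash(data); }

    public static string Create(byte[] key, string subject, string audience, DateTimeOffset expires)
    {
        // subject and audience must not contain '|' (validation rejects such tokens)
        var payload = Encoding.UTF8.GetBytes(subject + "|" + audience + "|" + expires.UtcTicks);
        return B64Url(payload) + "." + B64Url(Mac(key, payload));
    }

    public static bool TryValidate(byte[] key, string token, string audience,
                                   DateTimeOffset now, out string subject)
    {
        subject = null;
        var parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, mac;
        try { payload = FromB64Url(parts[0]); mac = FromB64Url(parts[1]); }
        catch (FormatException) { return false; }

        // Check the MAC before parsing any field; compare without an early exit.
        var expected = Mac(key, payload);
        int diff = expected.Length ^ mac.Length;
        for (int i = 0; i < expected.Length && i < mac.Length; i++) diff |= expected[i] ^ mac[i];
        if (diff != 0) return false;

        var fields = Encoding.UTF8.GetString(payload).Split('|');
        long ticks;
        if (fields.Length != 3 || !long.TryParse(fields[2], out ticks)) return false;
        if (fields[1] != audience || now.UtcTicks >= ticks) return false; // wrong RP or expired
        subject = fields[0];
        return true;
    }
}
```

The subject is readable by anyone who sees the redirect URL, and a token can be replayed until it expires; single use would need a server-side record of tokens already accepted.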
