IsInRole Authorization in ASP.NET Application Configured for Federated Authentication Using Windows Identity Foundation (WIF) and ClaimsAuthenticationManager

In this post I will show how to use Windows Identity Foundation’s (WIF) ClaimsAuthenticationManager to transform incoming claims into Role claims so that an ASP.NET web application can apply familiar role-based authorization using IPrincipal’s IsInRole method.

This is a follow-up to IsInRole Authorization in ASP.NET Application Configured for Federated Authentication Using Windows Identity Foundation (WIF) and Azure AppFabric Access Control Service. In the previous post I showed how to add Role claims using Azure AppFabric Access Control Service (ACS). In this post there is no dependency on ACS, and any Security Token Service (STS) can be used for federated authentication in your ASP.NET application. Claims transformation happens inside the ASP.NET application, regardless of which STS it is configured to trust. The rest of the post outlines the detailed steps to accomplish this task. It assumes you already have a simple ASP.NET web application in Visual Studio.

Summary of Steps

  • Step 1 – Create Claims Transformation Class Library Using Custom ClaimsAuthenticationManager
  • Step 2 – Configure Claims Aware ASP.NET Application to Use Custom ClaimsAuthenticationManager
  • Step 3 – Implement Authorization Role Access Checks in Your ASP.NET Application
  • Step 4 – Test Your Work

Step 1 – Create Claims Transformation Class Library Using Custom ClaimsAuthenticationManager

  • Add Class Library project to the Visual Studio Solution and give it a name, for example, MyClaimsTransformationModule.
  • Add reference to Microsoft.IdentityModel assembly.
  • Add reference to System.IdentityModel assembly.
  • Create new class and give it a name – for example, ClaimsTransformationModule.
  • Add the following using declarations to the class:


using Microsoft.IdentityModel.Claims;
using System.Security.Principal;


  • Derive the class from the ClaimsAuthenticationManager type.
  • Override its Authenticate method – this is where claims transformation takes place. Your code for the Authenticate method can be based on the following:

public class ClaimsTransformationModule : ClaimsAuthenticationManager
{
    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated)
        {
            //DECIDE ON SOME CRITERIA IF CURRENT USER DESERVES THE ROLE
            ((IClaimsIdentity)incomingPrincipal.Identity).Claims.Add(
                new Claim(ClaimTypes.Role, "Admin"));
        }
        return incomingPrincipal;
    }
}
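The snippet above grants "Admin" unconditionally; the comment leaves the actual criteria to you. The following is an added example (not code from the original post) of one way to fill that gap: it maps group claims emitted by the STS to application roles using a fixed table, and discards any Role claims that arrived in the token so that the application alone decides roles. The group claim type and the group-to-role table are assumptions you would adapt to your own STS.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace MyClaimsTransformationModule
{
    // Hypothetical transformation: maps group claims issued by the STS to
    // application Role claims, instead of granting "Admin" unconditionally.
    public class GroupToRoleTransformationModule : ClaimsAuthenticationManager
    {
        // Assumed claim type for group membership; match it to what your STS emits.
        private const string GroupClaimType = "http://schemas.xmlsoap.org/claims/Group";

        // Assumed mapping from STS group value to application role.
        private static readonly Dictionary<string, string> GroupToRole =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "app-administrators", "Admin" },
                { "app-users", "User" }
            };

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal;
            }

            IClaimsIdentity identity = (IClaimsIdentity)incomingPrincipal.Identity;
            // Roles are decided here, not by the token: discard any Role claims
            // the STS sent so only the mapping below can grant one.
            foreach (Claim stale in identity.Claims.Where(c => c.ClaimType == ClaimTypes.Role).ToList())
            {
                identity.Claims.Remove(stale);
            }

            foreach (Claim group in identity.Claims.Where(c => c.ClaimType == GroupClaimType).ToList())
            {
                string role;
                if (GroupToRole.TryGetValue(group.Value, out role)
                    && !identity.Claims.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == role))
                {
                    identity.Claims.Add(new Claim(ClaimTypes.Role, role));
                }
            }
            return incomingPrincipal;
        }
    }
}
```

Register this class in web.config in place of ClaimsTransformationModule if you want to use it in the steps that follow.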


Step 2 – Configure Claims Aware ASP.NET Application to Use Custom ClaimsAuthenticationManager

  • Switch to the ASP.NET application and configure your custom ClaimsAuthenticationManager in its web.config:

  <microsoft.identityModel>
    <service>
      <claimsAuthenticationManager type="MyClaimsTransformationModule.ClaimsTransformationModule, MyClaimsTransformationModule" />
    </service>
  </microsoft.identityModel>

  • Make sure the new assembly you created can be found by the application; the simplest way is to place it in the application's bin folder.

Step 3 – Implement Authorization Role Access Checks in Your ASP.NET Application

  • Switch to your ASP.NET web application and add the following code to your default.aspx.cs file.

    using System;
    using System.Security;
    using System.Security.Permissions;

    public partial class _default : System.Web.UI.Page
    {
        //THIS SHOULD THROW AN EXCEPTION (declarative demand for the "User" role)
        [PrincipalPermission(SecurityAction.Demand, Role = "User")]
        protected void Page_Load(object sender, EventArgs e)
        {
            //THIS SHOULD THROW AN EXCEPTION (imperative demand for the "User" role)
            PrincipalPermission p = new PrincipalPermission(null, "User");
            p.Demand();

            //THIS RETURNS BOOL, so the application decides what to do
            if (!User.IsInRole("User"))
                throw new SecurityException("Access is denied.");
        }
    }

Step 4 – Test Your Work

Run your ASP.NET application. Consider adding breakpoints to your custom ClaimsAuthenticationManager implementation to see if it is picked up by the app. If so, then you should get a security exception telling you that your application demanded the User role and you do not have it. Change the “Admin” to “User” and run your ASP.NET application again – this time it should work nicely. If not – let me know.