Blazor SSO using WsFederation

Greg Wilson 6 Reputation points
2022-01-31T17:16:23.1+00:00

I am building an internal Blazor WASM application (ASP.NET Core 6.0) where we use ADFS/WsFederation for authentication. The desired UX is that if the user is logged into Active Directory, they will never see a login screen and will be automatically authenticated. There currently seems to be no available documentation for this scenario.

1) Can built-in ASP.NET Core Identity work in this scenario to manage user information? IOW, can the identity system that allows you to add attributes holding information about users be used while authenticating with WsFederation in a no-login scenario? Or is Identity built on the assumption that login screens will be used?
2) Which packages need to be on the Server, which ones on the Client and which ones on both? (Related: what needs to be in Program.cs for Server and Client for WsFederation to be used?)
3) Once working, how can I access the user ClaimsPrincipal from a Razor component (.razor without a code-behind) in the client?

NOTE: I can get WsFederation working in an ASP.NET Core (non-Blazor) app, either without using Identity or using Identity with WsFederation as an external log-in provider, but that still begins at a log-in screen. My specific issue is trying to get any of this to work in Blazor WASM without a log-in screen being needed.


2 answers

  1. Bruce (SqlWork.com) 56,686 Reputation points
    2022-01-31T17:46:49.873+00:00

    1) Any identity system requires a login. Many browsers will support auto login for Windows authentication.

    The individual identity uses forms and cookie logins.

    ADFS/WsFederation uses OAuth and bearer tokens. This requires a login screen, unless you are using a Windows login proxy. As you are using AD, additional user properties are stored in the AD, and you need to configure AD claims mapping, or use the Graph API to access them.

    2) On the client you use MSAL.

    https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-adfs-support

    For the server you use Identity and configure for bearer (JWT) tokens.

    3) As bearer tokens are clear text, Blazor can read them. See its support for tokens (Identity).

    Note: if you have the WsFederation autologin proxy configured, then your apps are using Windows security and require a custom claims provider. The Blazor app will be unaware of this. You can make an AJAX call to get the claims.

    1 person found this answer helpful.

  2. Bruce (SqlWork.com) 56,686 Reputation points
    2022-02-01T22:11:00.487+00:00

    I looked closer. WsFederation is an older protocol and only supports cookie authentication (no tokens). It would be easier to set up OAuth for your Blazor app and use MSAL.

    To use WsFed (my best guess):

    Configure the Blazor hosting site to use WsFed as you do now and require authentication on static files. This will cause the fetch of index.html to create the correct WsFed authentication cookie. This cookie will also be sent on AJAX calls. You will know you set this up correctly when loading index.html forces authentication.

    If the Blazor app needs access to the claims, create a server API call to get the claims.

    Also you will need to handle cookie timeouts. You will want your Web API calls to return a 401 on authentication errors, not a redirect to login. Your Blazor AJAX calls will need to detect the 401 error. If detected, use JavaScript interop to reload the page, which will force a re-authentication.

    A more advanced solution:

    Add an AJAX call to get a JWT token. This would use cookie authentication. Then the other Web API calls could use bearer tokens rather than cookie authentication.
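The steps in this answer, written out as an added example for a hosted Blazor WASM solution on .NET 6 (this is example code, not from the original post, from Microsoft, or from the asker's project). The server gates every request, including index.html and the other static files, behind the WS-Federation cookie; requests under `/api` get a bare 401 instead of an ADFS redirect; `/api/claims` hands the signed-in user's claims to the client; and a client-side `DelegatingHandler` reloads the page through JS interop when it sees a 401. The realm and metadata URL, the `ClaimDto` record, the `ReloadOn401Handler` class and the `/api/claims` route are assumptions made for this example; the `Microsoft.AspNetCore.Authentication.WsFederation` package is assumed to be referenced by the Server project.

```csharp
// ===== Server/Program.cs =====
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    // WS-Fed only signs the user in; the cookie carries the session afterwards.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddWsFederation(options =>
{
    // Placeholder values: the relying-party identifier registered in ADFS and the ADFS metadata URL.
    options.Wtrealm = "https://blazor-app.example.internal/";
    options.MetadataAddress = "https://adfs.example.internal/FederationMetadata/2007-06/FederationMetadata.xml";
})
.AddCookie();

builder.Services.AddAuthorization();
builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();   // also processes the ADFS POST to /signin-wsfed before the gate below runs

// Gate: every request, index.html and static files included, needs the WS-Fed cookie.
// Browser navigations are challenged (silent for a domain-joined user with Windows auth on ADFS);
// API requests get a plain 401 so the client can react instead of following an HTML redirect.
app.Use(async (context, next) =>
{
    if (context.User.Identity?.IsAuthenticated == true)
    {
        await next();
        return;
    }
    if (context.Request.Path.StartsWithSegments("/api"))
    {
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return;
    }
    await context.ChallengeAsync();   // default challenge scheme is WS-Federation
});

app.UseBlazorFrameworkFiles();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();

// The "server API call to get the claims": the client reads this instead of the cookie.
app.MapGet("/api/claims", (HttpContext ctx) =>
        ctx.User.Claims.Select(c => new ClaimDto(c.Type, c.Value)).ToList())
   .RequireAuthorization();

app.MapControllers();
app.MapFallbackToFile("index.html");
app.Run();

// Lives in the Shared project in the hosted template; declared here to keep the example self-contained.
public record ClaimDto(string Type, string Value);

// ===== Client/Services/ReloadOn401Handler.cs =====
// Detects the 401 that the server returns once the cookie has expired and forces a full
// reload, which re-runs the WS-Fed redirect and issues a fresh cookie.
public sealed class ReloadOn401Handler : DelegatingHandler
{
    private readonly Microsoft.JSInterop.IJSRuntime _js;
    public ReloadOn401Handler(Microsoft.JSInterop.IJSRuntime js) => _js = js;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var response = await base.SendAsync(request, cancellationToken);
        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
        {
            await _js.InvokeVoidAsync("location.reload");
        }
        return response;
    }
}

// ===== Client/Program.cs (registration) =====
// Same-origin fetch sends the WS-Fed cookie automatically, so no token handling is needed here.
builder.Services.AddScoped(sp => new HttpClient(
        new ReloadOn401Handler(sp.GetRequiredService<Microsoft.JSInterop.IJSRuntime>())
        { InnerHandler = new HttpClientHandler() })
    { BaseAddress = new Uri(builder.HostEnvironment.BaseAddress) });

// ===== Client/Pages/WhoAmI.razor (no code-behind) =====
// @inject HttpClient Http
// @code {
//     private List<ClaimDto>? claims;
//     protected override async Task OnInitializedAsync() =>
//         claims = await Http.GetFromJsonAsync<List<ClaimDto>>("api/claims");
// }
```

The order of the middleware matters: `UseAuthentication` has to run before the gate so that the WS-Fed callback POST is consumed by the handler, and the gate has to run before `UseBlazorFrameworkFiles`/`UseStaticFiles` so that the first request for index.html is what triggers the sign-in. `GetFromJsonAsync` comes from `System.Net.Http.Json`, which the WASM template already imports in `_Imports.razor`.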