question

GregWilson-1600 asked · Bruce-SqlWork edited · 0 Votes

Blazor SSO using WsFederation

I am building an internal Blazor WASM application (ASP.NET Core 6.0) where we use ADFS/WsFederation for authentication. The desired UX is that if the user is logged into Active Directory, they will never see a login screen and will be automatically authenticated. There currently seems to be no available documentation for this scenario.

1) Can built-in ASP.NET Core Identity work in this scenario to manage user information? IOW, can the identity system that allows you to add attributes to hold information about users be used while authenticating with WsFederation in a no-login scenario? Or is Identity built on the assumption that login screens will be used?
2) Which packages need to be on the Server, which ones on the Client and which ones on both? (Related, what needs to be in Program.cs for Server and Client for WsFederation to be used?)
3) Once working, how can I access the user ClaimsPrincipal from a Razor component (.razor without a code-behind) in the client?

NOTE: I can get WsFederation working in an ASP.NET Core (non-Blazor) app, either without using Identity, or using Identity with WsFederation as an external log-in provider, but that still begins at a log-in screen. My specific issue is trying to get any of this to work in Blazor WASM without a log-in screen being needed.


Tags: dotnet-aspnet-core-blazor, azure-ad-single-sign-on, dotnet-aspnet-core-security, dotnet-aspnet-core-auth

Bruce-SqlWork answered · GregWilson-1600 commented · 1 Vote

1) any identity system requires a login. many browsers will support auto login for windows authentication.

the individual identity uses forms and cookie logins.

ADFS/WsFederation uses OAuth and bearer tokens. this requires a login screen, unless you are using a windows login proxy. as you are using AD, additional user properties are stored in the AD, and you need to configure AD claims mapping, or use the graph api to access them.

2) on the client you use msal.

https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-adfs-support

for the server you use identity and configure for bearer (jwt) tokens

3) as bearer tokens are clear text, blazor can read. see its support for tokens (identity).

note: if you have the WsFederation autologin proxy configured, then your apps are using windows security and require a custom claims provider. the blazor app will be unaware of this. you can make an ajax call to get the claims.


Thanks for helping me rule out using Identity.

Beyond that, your reply expects me to have WAY more knowledge than I do.

  • Using the previously linked code, I can get to all the claims that I need in a non-Blazor ASP.NET Core application. I don't know how to access the ClaimsPrincipal object that the User property of the RazorBasePage class provides on the server from Razor components in Blazor WASM.

  • The above application is not configured to use Windows Authentication, but still works fine. (I am not very familiar with how our team that provides WsFederation has it set up. I just use it as a developer)

  • I don't understand why I would need to use MSAL.net. All the information I need is already in the claims provided by our WsFederation server. Isn't there a way to get that information on the Blazor client?

  • I don't understand the relationship between the JWT tokens and the ClaimsPrincipal provided by WsFederation. Am I supposed to manually create a JWT token on the server from the ClaimsPrincipal and send that token to the Client? Is this what I'm supposed to be doing with a custom claims provider?


The link is for the standard OAuth flow for a web server. The web server redirects to the AD login server, you log in to the AD server, and it redirects back to the web server passing a login token. (This is simplified.)

This flow is supported for Blazor Server, because it can use the same flow. But Blazor WASM is a client application and cannot use this flow. Instead it needs to get a bearer token, which it uses to make webapi calls.

Msal is the library you use to get a bearer token. You then pass this token with webclient calls. See

https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-azure-active-directory?view=aspnetcore-6.0

you need to configure your tenant application to have api access. You will also need to add bearer token support to the webapi you are calling. If it's a separate site from the one that hosts the blazor app, it will also need to implement CORS.


Are there any code examples of using msal.net with WsFederation and a Blazor WASM client? I am not using AAD, and I don't have a Tenant Id or a Client Id. I have a MetaDataUrl and a Wtrealm, and I don't know enough to alter examples from AAD to WsFederation.

Let's get back to the original questions that I asked that haven't been answered:

2) Which packages need to be on the Server, which ones on the Client and which ones on both? (Related, what needs to be in Program.cs for Server and Client for WsFederation to be used?)
3) Once working, how can I access the user ClaimsPrincipal from a Razor component (.razor without a code-behind) in the client?

I'll add one more:
4) To make this work, what specifically do I need to choose for the authentication option (in either the Visual Studio new project dialog or the `dotnet new blazorwasm -au <something here>` command line) when I am scaffolding the application?

Without those fundamental questions answered, I'm dead in the water.

Bruce-SqlWork answered · Bruce-SqlWork edited · 0 Votes

I looked closer. WsFederation is an older protocol and only supports cookie authentication (no tokens). it would be easier to set up oauth for your blazor app and use msal.

to use WsFed (my best guess)

configure the blazor hosting site to use WsFed as you do now and require authentication on static files. this will cause the fetch of index.html to create the correct wsfed authentication cookie. this cookie will also be sent on ajax calls. you will know you set this up correctly when loading index.html forces authentication.

if the blazor app needs access to the claims, create a server api call to get the claims.

also you will need to handle cookie timeouts. you will want your webapi calls to return a 401 on authentication errors, not a redirect to login. your blazor ajax calls will need to detect the 401 error. if detected, use javascript interop to reload the page, which will force a re-authentication.

a more advanced solution:

add an ajax call to get a JWT token. this would use cookie authentication. then the other webapi calls could use bearer tokens rather than cookie authentication.

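The cookie-based approach sketched in the answer above, written out as an added example (not code from the answer's author or from Microsoft's docs). It assumes a hosted Blazor WASM solution on ASP.NET Core 6, the `Microsoft.AspNetCore.Authentication.WsFederation` package on the server and `Microsoft.AspNetCore.Components.Authorization` on the client, placeholder values for the ADFS metadata address and wtrealm, and the hypothetical names `/api/me`, `CookieAuthStateProvider`, `ClaimDto` and `MeDto`. The WsFederation option that takes the metadata URL is `MetadataAddress`. The three pieces are: the server challenges with WsFed only for page loads and returns 401 on API paths, a claims endpoint rides on the resulting cookie, and a client-side `AuthenticationStateProvider` turns that endpoint into a `ClaimsPrincipal` for `<AuthorizeView>`.

```csharp
// --- Server/Program.cs (hosted Blazor WASM, ASP.NET Core 6) --- added example
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(o =>
    {
        o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddWsFederation(o =>
    {
        // Placeholders: replace with your federation metadata URL and realm.
        o.MetadataAddress = "https://ADFS-HOST-PLACEHOLDER/FederationMetadata/2007-06/FederationMetadata.xml";
        o.Wtrealm = "https://APP-REALM-PLACEHOLDER/";
        // API calls from the WASM client get a 401 instead of a redirect to ADFS,
        // so the client can detect an expired cookie and reload the page.
        o.Events.OnRedirectToIdentityProvider = ctx =>
        {
            if (ctx.Request.Path.StartsWithSegments("/api"))
            {
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                ctx.HandleResponse();
            }
            return Task.CompletedTask;
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseBlazorFrameworkFiles();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// Claims endpoint (hypothetical path) that the client calls over the WsFed cookie.
app.MapGet("/api/me", (HttpContext ctx) => Results.Ok(new
{
    Name = ctx.User.Identity?.Name,
    Claims = ctx.User.Claims.Select(c => new { c.Type, c.Value })
})).RequireAuthorization();

// Protecting the fallback makes the first load of index.html run the WsFed
// handshake; a domain user who is already signed in never sees a login page.
app.MapFallbackToFile("index.html").RequireAuthorization();
app.Run();

// --- Client/CookieAuthStateProvider.cs --- added example, hypothetical class name
// Register in Client/Program.cs with:
//   builder.Services.AddAuthorizationCore();
//   builder.Services.AddScoped<AuthenticationStateProvider, CookieAuthStateProvider>();
using System.Net;
using System.Net.Http.Json;
using System.Security.Claims;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.JSInterop;

public record ClaimDto(string Type, string Value);
public record MeDto(string? Name, List<ClaimDto> Claims);

public class CookieAuthStateProvider : AuthenticationStateProvider
{
    private readonly HttpClient _http;
    private readonly IJSRuntime _js;

    public CookieAuthStateProvider(HttpClient http, IJSRuntime js)
    {
        _http = http;
        _js = js;
    }

    public override async Task<AuthenticationState> GetAuthenticationStateAsync()
    {
        // Same-origin request, so the browser attaches the WsFed cookie itself.
        var response = await _http.GetAsync("api/me");
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            // Cookie expired: a full reload lets the server re-run the WsFed handshake.
            await _js.InvokeVoidAsync("location.reload");
            return new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity()));
        }
        response.EnsureSuccessStatusCode();
        var me = await response.Content.ReadFromJsonAsync<MeDto>()
                 ?? throw new InvalidOperationException("Empty api/me response");
        // A non-null authenticationType marks the identity as authenticated.
        var identity = new ClaimsIdentity(
            me.Claims.Select(c => new Claim(c.Type, c.Value)), authenticationType: "WsFederation");
        return new AuthenticationState(new ClaimsPrincipal(identity));
    }
}
```

With the provider registered, wrap the `Router` in `App.razor` with `<CascadingAuthenticationState>`; a plain `.razor` component can then read the user through `<AuthorizeView>` (as `@context.User`) or a `[CascadingParameter] Task<AuthenticationState>` parameter, with no code-behind. Only the page load is challenged with a WsFed redirect; every `/api` request that arrives without a valid cookie gets a 401, which is what lets the client distinguish an expired session from any other failure.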

I'm still shocked that getting these two Microsoft technologies to work together well is so painful. In my 2+ decades in this field, I've never had this big of a problem trying to use two supported Microsoft technologies to do something as standard as authentication.
If I'm understanding, I am going to have to manually create a JWT bearer token and then alter all the server APIs to not use WsFed, but instead use JWT bearer tokens? If I go that route, I still need to know the answers to my fundamental questions 2, 3, and 4 above before I can even begin. I'm willing to dive into learning everything I need to know about all these authentication methods, but if I don't get the basics setup correctly, I will be doomed before I begin.


the issue is WsFed predates SPA applications and does not support them cleanly. Blazor WASM is a SPA, so the examples assume you will use oauth and bearer tokens because that is the norm with SPAs that use authentication.

while you can use cookie authentication with a SPA, you have issues because there is only one standard web request, and the cookie has a timeout. how do you renew the cookie? also webapi typically doesn't use cookie authentication because there is no flow support.

SPAs using cookie auth work better if sliding window expiration is supported, because then the ajax calls can renew the cookie. I don't believe WsFed supports sliding window, but you can check.

note: blazor server, for which there is only one request (so cookie expiry is not an issue), and which does not use webapi, supports WsFed fine.
