Authorization With RoleManager For Claims Aware (WIF) ASP.NET Web Applications

This post outlines the steps needed to implement a basic ASP.NET RoleManager for claims-aware applications. One scenario where this applies is migrating an ASP.NET web application that already uses RoleManager to claims-aware (federated) authentication.

“I have built an ASP.NET web application that authenticates its users using Forms Based authentication. I implemented authorization using the built-in ASP.NET RoleManager with a SQL Server store for roles. We are migrating to federated authentication but we want to leave the code unchanged as much as possible. How to do it?”

The rest of the post walks through creating a sample application that uses RoleManager for authorization and then moving it to a claims-aware application without altering the code, while preserving the authorization role checks.

Prerequisites

Summary of steps

  • Step 1 - Create ASP.NET Web Application That Uses RoleManager
  • Step 2 - Create Custom Claims Aware ASP.NET RoleManager
  • Step 3 – Configuring ASP.NET Web Application to Use Custom Claims Aware ASP.NET RoleManager
  • Step 4 – Configure Role Claims In Your Security Token Service (STS)
  • Step 5 – Configure ASP.NET Web Application for Federated Authentication
  • Step 6 – Test Your Work

Step 1 - Create ASP.NET Web Application That Uses RoleManager

  1. Open Visual Studio 2010 as Administrator.

  2. Create ASP.NET Web Application. Name it, for example, IsUserInRoleWithClaims.

  3. Add default.aspx page to the project.

  4. In the Project menu click on ASP.NET Configuration option.

  5. Internet Explorer should open the ASP.NET Web Site Administration Tool.

  6. Click on the Provider tab.

  7. Choose radio button next to AspNetSqlProvider and click on Test link.

  8. If the test succeeds you should see the “Successfully established a connection to the database.” message. Click OK to dismiss it.

  9. Click on Security tab in ASP.NET Web Site Administration Tool.

  10. Click on Create User link in the Users section.

  11. Provide the information in the Create User form and click Create User button.

  12. If the user was created you should see the “Complete Your account has been successfully created.” message.

  13. Click on Security tab.

  14. Click on Enable Roles in Roles section.

  15. Click on the Create or Manage Roles link in the Roles section.

  16. Specify Administrator in the New role name textbox and click on Add Role button.

  17. Open web.config and add the following entry under <system.web> to deny anonymous users:

    <authorization>
      <deny users="?"/>
    </authorization>

  18. Open Default.aspx.cs file.

  19. Add the following using statement:

using System.Web.Security;

  20. Add code that returns the roles of the current user in the Page_Load event:

    string[] roles = Roles.GetAllRoles();

  21. Set a breakpoint on this line and run the application by pressing F5.

  22. You should be presented with the login page – provide the credentials of the user you configured previously.

  23. After a successful login you will hit the breakpoint.

  24. Look at the roles string array and its contents; it should have Administrator in it.

Step 2 - Create Custom Claims Aware ASP.NET RoleManager

  1. Add new Class Library project and give it a name, for example, ClaimsRoleProvider.

  2. Add reference to System.Web assembly.

  3. Add reference to System.Web.ApplicationServices assembly.

  4. Add reference to Microsoft.IdentityModel assembly.

  5. Add reference to System.Configuration assembly.

  6. Add new Class to the project and give it a name, for example, MyClaimsRoleProviderImplementation

  7. Add the following using declarations:

    using System.Linq;
    using System.Web;
    using System.Web.Security;
    using Microsoft.IdentityModel.Claims;

  8. Derive the MyClaimsRoleProviderImplementation class from RoleProvider. RoleProvider is abstract, so let Visual Studio generate stubs for its remaining abstract members; the ones this sample does not need can keep the generated NotImplementedException bodies.

  9. Add the following implementation to the GetAllRoles method (adapted from Eugenio’s post). The null check covers the case where the current identity is not a claims identity, for example before federation is configured in Step 5:

    public override string[] GetAllRoles()
    {
        var id = HttpContext.Current.User.Identity as IClaimsIdentity;
        if (id == null) return new string[0];   // not a claims identity: no role claims available
        return (from c in id.Claims
                where c.ClaimType == ClaimTypes.Role
                select c.Value).ToArray();
    }

  10. Build the class library.
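A fuller version of the Step 2 provider, written here as an added example rather than the post's own code: it implements every member RoleProvider requires, treats an anonymous or non-claims identity as having no roles, answers role questions only for the current user (a token says nothing about anyone else), and leaves the write operations unsupported because membership is administered at the STS. The class and namespace names are the ones assumed in Steps 2 and 3.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Security;
using Microsoft.IdentityModel.Claims;

namespace ClaimsRoleProvider
{
    // Roles are read from the role claims of the identity WIF has already validated
    // (token signature checked against the issuer FedUtil registers in web.config).
    public class MyClaimsRoleProviderImplementation : RoleProvider
    {
        // Only claims whose type equals ClaimTypes.Role, i.e. exactly
        // http://schemas.microsoft.com/ws/2008/06/identity/claims/role, count as roles.
        private static string[] RolesFromCurrentIdentity()
        {
            var ctx = HttpContext.Current;
            var id = (ctx == null || ctx.User == null) ? null : ctx.User.Identity as IClaimsIdentity;
            if (id == null || !id.IsAuthenticated)
                return new string[0];             // anonymous or non-claims identity
            return (from c in id.Claims
                    where c.ClaimType == ClaimTypes.Role
                    select c.Value).Distinct().ToArray();
        }
        // Roles.IsUserInRole(role) passes the current user's name; a token says nothing
        // about other users, so any other name is answered with no roles.
        private static bool IsCurrentUser(string username)
        {
            var ctx = HttpContext.Current;
            return ctx != null && ctx.User != null
                && string.Equals(ctx.User.Identity.Name, username, StringComparison.Ordinal);
        }
        public override string[] GetAllRoles() { return RolesFromCurrentIdentity(); }
        public override string[] GetRolesForUser(string username)
        { return IsCurrentUser(username) ? RolesFromCurrentIdentity() : new string[0]; }
        public override bool IsUserInRole(string username, string roleName)
        { return IsCurrentUser(username) && RolesFromCurrentIdentity().Contains(roleName, StringComparer.Ordinal); }
        public override bool RoleExists(string roleName)
        { return RolesFromCurrentIdentity().Contains(roleName, StringComparer.Ordinal); }
        // Role membership is administered at the STS; the application cannot change it.
        public override string ApplicationName { get; set; }
        public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
        public override void CreateRole(string r) { throw new NotSupportedException(); }
        public override bool DeleteRole(string r, bool throwOnPopulated) { throw new NotSupportedException(); }
        public override string[] FindUsersInRole(string r, string match) { throw new NotSupportedException(); }
        public override string[] GetUsersInRole(string r) { throw new NotSupportedException(); }
        public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    }
}
```

Existing calls such as Roles.IsUserInRole("Supervisor") or a [PrincipalPermission] role demand keep working unchanged, because ASP.NET routes them through this provider with the current user's name.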

Step 3 – Configuring ASP.NET Web Application to Use Custom Claims Aware ASP.NET RoleManager

  1. Copy ClaimsRoleProvider.dll into IsUserInRoleWithClaims bin folder.

  2. Open web.config file.

  3. Add the following section under system.web section:

    <roleManager enabled="true" defaultProvider="MyClaimsRoleProvider">
      <providers>
        <clear />
        <add name="MyClaimsRoleProvider" type="ClaimsRoleProvider.MyClaimsRoleProviderImplementation, ClaimsRoleProvider"/>
      </providers>
    </roleManager>

  4. Add the following configuration to the system.web section. Note that validateRequest="false" turns off ASP.NET request validation for every page of the application; it is needed here because the WS-Federation sign-in response is posted to the application as XML in the wresult form field. For background, see the article Windows Identity Foundation (WIF) - A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").

    <httpRuntime requestValidationMode="2.0"/>
    <pages validateRequest="false"/>

  5. Also, if you are using the ASP.NET Development Server (Cassini, the one that ships with Visual Studio), you need to copy the contents of the <modules> section (under system.webServer) into the <httpModules> section under system.web, because Cassini does not read the IIS 7 module configuration.

Step 4 – Configure Role Claims In Your Security Token Service (STS)

I will be using SelfSTS as a test platform for my experiment. But it can be accomplished with any Security Token Service such as ADFS v2.0 or Azure AppFabric Access Control Service (ACS) v2. SelfSTS is not intended for production use.

  1. Download and run SelfSTS.exe.
  2. After SelfSTS is started and running click on Edit Claim Types and Values button.
  3. On the Edit Claims windows click on Add button.
  4. Specify Claim Type as https://schemas.microsoft.com/ws/2008/06/identity/claims/role.
  5. Specify Claim Name as Role.
  6. Specify Claim Value as Supervisor.
  7. Click on Save button.
  8. Click on green Start button – it should turn red.
  9. Copy the URI in the Metadata text box; it should look similar to https://localhost:8000/STS/FederationMetadata/2007-06/FederationMetadata.xml. You will be using it in the next step.

Step 5 – Configure ASP.NET Web Application for Federated Authentication

  1. Right click on the IsUserInRoleWithClaims web project in Solution Explorer and click on Add STS Reference... option to run FedUtil tool’s wizard.
  2. In the Application URI field specify your application URL (mine is https://localhost:65060/) and click the Next button. Click Yes to dismiss the warning. NOTE: this option is not suitable for production deployment.
  3. On the Security Token Service page paste the URI from the previous step (Step 4, item 9) and click the Next button. Click Yes to dismiss the warning.
  4. Click Next on STS signing certificate chain validation error page.
  5. Click Next on Security token encryption page.
  6. Verify Role claim is listed on the Offered claims page and click Next button.
  7. Click Finish button on Summary page.

Step 6 – Test Your Work

  1. Open Default.aspx.cs file and verify there is a breakpoint set on the Roles.GetAllRoles() method call.
  2. Press F5 button to start the application.
  3. You should hit the breakpoint – look at the roles string array; it should contain the Supervisor value.