WIF 4.5: Database Authentication

I have started looking into using WIF 4.5 in our projects to replace our old security behaviour. It was a simple Forms Authentication login page, in which we verify the username/password in the database. This was our authentication behaviour.

I'm doing ASP.NET applications.

Now with WIF, I understand that authentication behaviour should be done by an external STS (Azure, or Active Directory). However I still want to perform my own validation of a username/password in a database, but I am unsure if I can/should do this with WIF.

Here are my questions:

1) Should I make my own STS, or use some other means? 2) Can I keep the authentication to "Forms" in my config file. or should I use some other configuration?

Thanks!


1) yes, you should have your own sts or use an existing one. Writing one is difficult if you do it for the first time but easy every other time then. I wrote a detailed tutorial once, it is for wif 4 but should be easy to port to wif 4.5.

http://www.wiktorzychla.com/2011/08/quest-for-customizing-adfs-sign-in-web.html

2) yes, you can use forms authentication for both sts and your application, however, since forms has numerous subtle issues, it is recommended to use SessionAuthenticationModule to maintain user sessions.

http://www.wiktorzychla.com/2011/08/quest-for-customizing-adfs-sign-ing-web.html

http://www.wiktorzychla.com/2012/09/forms-authentication-revisited.html

Switching to SAM doesn't usually involve other changes in your application if you rely on common authentication and authorization mechanisms (web forms authorization, mvc authorization filters).


Yes - you can do it with WIF but you can't use ADFS which only authenticates against AD.

Suggest you look at Thinktecture.IdentityServer.

It's an open-source STS (so you can make changes) and authenticates against a SQL DB.

链接地址: http://www.djcxy.com/p/71782.html

上一篇: 在asp.net mvc中身份验证SAML2(P?)令牌

下一篇: WIF 4.5:数据库认证