Abstracting OpenID Connect Idp behind a Windows Identity Foundation STS

Premise: I have an infrastructure where we have a custom RP-STS implemented with Windows Identity Foundation, providing SSO for a few websites. This STS communicates with the sites via WS-Federation. This custom STS is about to be deprecated because the organization is adding an OpenID Connect IdP into the infrastructure.

The websites themselves (Episerver) contain all the custom made authorization logic already based on the claims the STS provides, and if we were to simply toss the STS we'd have to replace all of this logic.

Question: What is the browser redirect flow to integrate our RP-STS with the OpenID Connect provider in such a way that the end user's browser gets a session for both our RP-STS and the OpenID Connect IdP?

Personal thinking on how it might be doable (based on massive assumptions on how openid connect works), skip this if you know how to answer:

  • Website sends HTTP POST to RP-STS containing username/password
  • RP-STS responds to browser with redirect to OpenID Connect IdP (redirect contains username/password, and a reply-to address is set to the RP-STS)
  • OpenID Connect IdP creates a local session (???) and responds with a redirect to RP-STS; redirect contains auth_token. (I'm unsure of the parts that go into an OpenID Connect login flow)
  • RP-STS receives user token and gets/asks for user data, builds claims and builds local session
  • RP-STS sends claims in SAML token via WS-Fed to RP site
  • Am I even close?

Further clarification:

  • I do not want to remove the existing STS, but abstract the new infrastructure change behind it so that from the end-user sites' perspective, identity objects and authorization logic will remain unchanged.
  • I need help specifically in seeing if the login/logout flow is doable between the STS and the OpenID Connect IdP

    WIF and OpenID Connect are completely different protocols, e.g. WIF is mainly browser-based in the passive profile. The token types are different - SAML and JWT etc.

    The way to do this is via OWIN (Katana is the Microsoft implementation). There are NuGet packages for both WS-Fed and OpenID Connect.

    There are samples available for Azure AD - refer Microsoft Azure Active Directory Samples and Documentation that you could use as a guide.

    OWIN would allow you to use both protocols.

    In fact, have a look at IdentityServer3.

    This is an open source STS implementation of both.
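    As an added illustration of the OWIN route the answer points at (not code from the question, the answer or any of the projects named), this is a Katana Startup for the existing RP-STS in which the STS itself becomes an OpenID Connect client of the new IdP, while the cookie it writes remains the STS-side session that the existing WS-Fed issuing code reads when it builds SAML tokens for the Episerver sites. The authority, client id, URIs and the "groups" claim name are placeholders and assumptions; the Katana OIDC middleware itself validates the id_token signature, issuer, audience, expiry and nonce before SecurityTokenValidated runs.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// The RP-STS as an OpenID Connect client of the new IdP. The cookie set here is the
// STS-side session that the existing WS-Fed token-issuing code reads (assumed layout).
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            CookieSecure = CookieSecureOption.Always,   // session cookie only over TLS
            CookieHttpOnly = true
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Placeholder values; the real authority, client id and URIs come from the deployment.
            Authority = "https://idp.example.test",
            ClientId = "rp-sts-client-id",
            RedirectUri = "https://sts.example.test/signin-oidc",
            PostLogoutRedirectUri = "https://sts.example.test/",
            ResponseType = "id_token",   // front-channel id_token; validated by the middleware
            Scope = "openid profile",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Reshape the IdP's claims before the STS session cookie is written.
                SecurityTokenValidated = ctx => { MapToStsClaims(ctx.AuthenticationTicket.Identity); return Task.FromResult(0); },
                AuthenticationFailed = ctx =>
                {
                    ctx.HandleResponse();   // fail closed: no STS session, hence no WS-Fed token
                    ctx.Response.Redirect("/error?reason=oidc");
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Assumed mapping: the IdP issues a "groups" claim, while the sites' authorization logic keys on ClaimTypes.Role.
    static void MapToStsClaims(ClaimsIdentity id)
    {
        foreach (var g in id.FindAll("groups").ToList())   // ToList: do not mutate while enumerating
            id.AddClaim(new Claim(ClaimTypes.Role, g.Value));
    }
}
```

    For the logout half of the question, the STS's WS-Fed wsignout handler would call `Authentication.SignOut` on the OWIN context for both the cookie and the OpenID Connect authentication types, so that the Katana middleware also redirects to the IdP's end-session endpoint and the browser's IdP session ends together with the STS one.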
