Using a Security Token Service with an ASP.NET Application | Pluralsight

SharePoint 2010 Security Part 2 | http://www.pluralsight-training.net/m...

Want to learn how to hook up a Windows Identity Foundation based security token service to an ASP.NET 4.0 application? In this video excerpt from Sahil Malik's new course SharePoint 2010 Security Part 2, you'll see how to do just that as a precursor to establishing your own sophisticated claims based security for a SharePoint 2010 site. In the full course Sahil covers other topics such as using the WIF SDK, using Azure ACS with SharePoint 2010, and even signing into SharePoint with a Yahoo ID.

Visit us at:
Facebook: https://www.facebook.com/pluralsight
Twitter: https://twitter.com/pluralsight
Google+: https://plus.google.com/+pluralsight
LinkedIn: https://www.linkedin.com/company/plur...
Instagram: http://instagram.com/pluralsight
Blog: http://blog.pluralsight.com/

3,500 courses unlimited and online. Start your 10-day FREE trial now: https://www.pluralsight.com/a/subscri...

Security Token Service with an ASP.NET Application | Pluralsight

-~-~~-~~~-~~-~-
Push your limits. Expand your potential. Smarter than yesterday-
https://www.youtube.com/watch?v=k2s77...
-~-~~-~~~-~~-~-

---

Closed Caption:

I saying every extension is not enabled
on this to your table
of course I want to use dark night for
so that should be fine
let's go ahead and save it you come in
here you see these files appear over
here this is my SDS ready to go now I'm
going to target this web application
this web application i'm going to go
ahead and make sure that it starts to
use this sts so how do i do that i'm
going to right click add STS reference
and I forcing the application you are in
other words what is the URL that this
application is going to run on
so in order to get that i'll simply go
ahead and run the application as is
localhost 18 or 28 right that's the
application your ass and let me go ahead
and copy this now if you were doing this
for sharepoint the application you are
obviously would be different and the
steps would be slightly different too
but let's let's let's address that in a
minute let's make sure that our SDS is
working so i'm going to go ahead and
type an application you are right here
hit next and says the application is not
https you want to continue generally
speaking that you know https everything
honestly that is the guidance going
forward https everything there's very
little downside and https stuff and
especially when you're working with
claim that separate even though the Fred
our cookie and the tokens themselves are
encrypted there is really no downside to
https in the entire tunnel so generally
you should https it but it's just
development environment i'm just going
to yes here i'm gonna say use an
existing SDS and here i need to point it
to the Federation metadata our xml file
which lives inside of here you can also
download this directly using the HTTP
URL if you were to actually examine this
web config you will see that you can
simply download it its authorization is
set to all users but i'm just going to
go ahead and browse it off of the disc
is a perfectly valid way of doing it
I'm gonna hit next now i'm going to go
ahead and enable encryption for the
tokens and the reason is because the
tokens that the SDS is issuing are
encrypted so think of it this way that
this SDS has a certificate when I
generated this project it generated a
certificate for me and it registered
that at the appropriate locations inside
of windows so the tokens are going to be
encrypted so in order to be able to
decrypt them i have to use encryption so
i'm going to choose an existing
certificate from store
select start and this is the cert that
was generated for me now if you want to
use our different start this is this
sort of the need to be issued by a very
sign or one of these internet
authorities but does need to be a valid
sort of the public/private key pair
because it the public/private key is
available over here so the SDS can
encrypt Bart the relying party needs to
be able to decrypt so whatever I'm doing
here for asp.net by selecting this I
basically made the public part of the
sort available to the asp.net
application you will have to do an
equivalent of this step for sharepoint
as well right
so all of these steps that you do for
asp.net there are equivalent steps that
you need to do for sharepoint and but
the how you do the steps it slightly
different you do them with powershell
description will see those very very
shortly as well I mean it next
these are the claims that are being
issued by the SDS air i'm gonna choose
to consume both I'm gonna hit next and
this is typically you would do this for
internet-facing cited for production
sites but I'm just gonna ignore that I'm
gonna hit finish and it ok now i'm going
to go ahead and run this and let's see
what happens
so it's giving me this assertion because
it is redirecting to the SDS the SDS
we're just using a simple development
certificate here so it's not a valid
search so internet explorer saying that
this is not a valid sir
well we know that in in a real-world
environment this certificate here would
be trusted by a very sign or your
internal trust or but i'm just going to
go ahead and it continued to this
website is just a development
environment
I'm going to continue to this website
and what I'm hoping to see there you go
this page is being rendered by the SDS
and that's very interesting because if
you were to examine or has been sent to
the SDS in the URL you'll see a number
of interesting things are going to go
through all of these but in general it
sends think things like the round that
is who the like party is the time and a
bunch of other things like that
guarantee the security of this so even a
replay can are you know recreate the
search the the logic of this SDS is that
any user name that you enter in here is
considered a valid user that's basically
you can make this logic more interesting
the SDS is just an eight speed art nap
theoretically you could put in I don't
know face recognition over here if you
wanted to
i'm going to go ahead and hit submit and
I get a matter the reason I'm getting
this adder is because there has been a
new check that has been added in asp.net
for daughter to prevent cross-site
scripting attacks so you can disable the
form is checking over him or you can add
a custom request Valley data I'm going
to go ahead and add a custom request
validator into my project how to add a
custom request validator I ran into my
asp.net application i went ahead and
added a plus in here right in this class
I'm going to go ahead and write some
interesting curve this cord
put simply basically says every request
is ok right you can make this more fancy
if you want like you can check with a
redirect is coming from if it is the SDS
look in a certain manner you can go
ahead and allow that request of the race
but i just made it really simple
in order for me to be able to resolve
these Sarah still signs i have to go
ahead and
add a reference i have to add a
reference to Microsoft our identity
model let's look for Microsoft our
identity models i'm adding this
reference into my project here
asp.net project and this will allow me
to add this using Microsoft RI ng model
of protocols are ws-federation and the
request validation source is system .
webpart you tell so it looks like most
of my project is compiling accept this
thing here because i forgot to inherit
from a base class called request
validator after missing key this is how
you write a request validator so I've
written request validator the obvious
next question is how do i plug this in
to the asp.net pipeline go to our back
configure and look for system . web and
here I'm gonna say HTTP runtime is a
request validation type is equal to
$OPERAND and here i'm going to go ahead
and type in the type of this request
validator so that's basically it
i'm going to go ahead and run this
application try and log into the sts
which issues the claims and looks like
i'm able to login let's just verify that
i'm actually getting the claims inside
of this application here so i'm going to
go into the court behind of this default
aspx and i'm going to say let's see i'm
gonna say using Microsoft our identity
model and i'm going to say let's say
claims claims identity identity is equal
to sister
our threading dark thread . current
principal our identity as claims
identity if identity is not equal to
know
so in other words if indeed we get a
claims identity back not a windows
identity for instance remember if this
was dr. 45 it will always be a claims
identity right but we're still working
in dark net for so we're going for each
I'm gonna say claim claim in identity .
claims and i'm going to say response
response . right let's see claimed our
claim tight plus claim our claim . value
let's go ahead and run this and just to
make sure that this is actually working
i'm going to go into the app cord
directory of localhost 81 and will open
this file for custom security token
service starts es again this is not a
with course of not going into the
details of how this project works but in
very very short this method here is what
is responsible for issuing the claims so
just to be cool i'll go ahead and add a
new claim here called email and the
reason I'm doing that is a misconception
hello Malik at wynn smartstart com
so basically what i'm doing here is i'm
issuing a claim here and this is
important because sharepoint wants to
have an ID and an email or it needs to
have an ID that is recognized as a
unique ID the simplest way for
sharepoint to be able to work with sts
is that if it issues both name and email
the role is not necessary for sharepoint
is nice to have but not necessary but
the name and email are nice are almost
required so I'm going to issue these two
claims i'm going to go ahead and run
this and let's go ahead and login
and you see that the claims are being
issued their i guess i can format is
better but you can see that the first
claim is Adam Carter the next one is of
type role manager and the third one is
email address with us with the value
that we put in there
simple as that