This sample shows how to build a .Net MVC web application that uses WS-Federation to sign in users from a single Azure Active Directory tenant, using the ASP.Net WS-Federation OWIN middleware.
The use of WS-Federation is appropriate when you want to maintain a single app codebase that can be deployed either against Azure AD or an on-premises provider such as an Active Directory Federation Services (ADFS) instance. For scenarios in which the app targets exclusively Azure AD (or an OpenID Connect compliant provider) please refer to the WebApp-OpenIdConnect-DotNet sample.
For more information about how the protocols work in this scenario and other scenarios, see Authentication Scenarios for Azure AD.
Getting started is simple! To run this sample you will need:
From your shell or command line:

```shell
git clone https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation.git
```
For the sign-on URL, use the address the sample runs at locally, which is by default `https://localhost:44320/`. Click on Create to create the application.

Set the App ID URI to `https://<your_tenant_name>/WebApp-WSFederation-DotNet`, replacing `<your_tenant_name>` with the name of your Azure AD tenant. Make sure to remember this value, as you will need it later on when configuring your app in Visual Studio.

Open the `web.config` file. Find the app key `ida:Tenant` and replace the value with your AAD tenant name. Find the app key `ida:Wtrealm` and replace the value with the App ID URI from the Azure portal. The two values must match character for character: the middleware uses `ida:Wtrealm` as the expected audience when it validates the token Azure AD returns, so a mismatch causes sign-in to fail.

You know what to do! Click the sign-in link on the homepage of the application to sign in. On the Azure AD sign-in page, enter the name and password of a user account that is in your Azure AD tenant.
Coming soon.
This sample shows how to use the WS-Federation ASP.Net OWIN middleware to sign in users from a single Azure AD tenant. The middleware is initialized in the `Startup.Auth.cs` file, by passing it the App ID URI of the application and the URL of the Azure AD tenant where the application is registered. The middleware then takes care of:
You can trigger the middleware to send a WS-Federation sign-in request by decorating a class or method with the `[Authorize]` attribute, or by issuing a challenge:

```csharp
HttpContext.GetOwinContext().Authentication.Challenge(
    new AuthenticationProperties { RedirectUri = "/" },
    WsFederationAuthenticationDefaults.AuthenticationType);
```

Similarly you can send a sign-out request. Naming both authentication types clears the local session cookie and also sends a sign-out request to Azure AD:

```csharp
HttpContext.GetOwinContext().Authentication.SignOut(
    WsFederationAuthenticationDefaults.AuthenticationType,
    CookieAuthenticationDefaults.AuthenticationType);
```
All of the OWIN middleware in this project is created as a part of the open source Katana project. You can read more about OWIN here.
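The two triggers described above, wired into controllers, as an added example. This is not the sample's own `AccountController` or `HomeController`; the namespace `WebApp_WSFederation_DotNet.Controllers` and the `returnUrl` parameter are assumptions made for the example. The check on `returnUrl` is the one practitioners most often forget: `RedirectUri` is honoured by the middleware after the token is validated, so an unvalidated value turns `/Account/SignIn` into an open redirector.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;

// Namespace is an assumption for this example; use your project's own namespace.
namespace WebApp_WSFederation_DotNet.Controllers
{
    // Trigger 1: the attribute. An unauthenticated request to this controller produces a
    // 401 from MVC, which the WS-Federation middleware (in its default active mode)
    // replaces with a redirect to the tenant's wsignin1.0 endpoint.
    [Authorize]
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }

    // Trigger 2: an explicit challenge, used by the sign-in/sign-out links in _LoginPartial.
    public class AccountController : Controller
    {
        public ActionResult SignIn(string returnUrl)
        {
            // RedirectUri is where the browser is sent after the token has been validated.
            // Accept only local URLs so that a crafted link cannot use this endpoint to
            // bounce a freshly signed-in user to an attacker-chosen site.
            string redirectUri = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";

            if (Request.IsAuthenticated)
            {
                return Redirect(redirectUri);
            }

            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = redirectUri },
                WsFederationAuthenticationDefaults.AuthenticationType);

            // The 401 status is what the middleware reacts to; it rewrites this response
            // into the redirect to Azure AD.
            return new HttpUnauthorizedResult();
        }

        public ActionResult SignOut()
        {
            // Naming both authentication types clears the local session cookie and sends a
            // wsignout1.0 request to Azure AD. Clearing only the cookie would leave the
            // Azure AD session alive, and the next challenge would sign the user back in
            // without prompting.
            HttpContext.GetOwinContext().Authentication.SignOut(
                WsFederationAuthenticationDefaults.AuthenticationType,
                CookieAuthenticationDefaults.AuthenticationType);

            return new EmptyResult();
        }
    }
}
```

`Url.IsLocalUrl` returns false for null, absolute URLs and protocol-relative `//host` forms, so the fallback to `/` covers the missing-parameter case as well as the malicious one.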
1. In the `App_Start` folder, create a class `Startup.Auth.cs`. You will need to remove `.App_Start` from the namespace name. Replace the code for the `Startup` class with the code from the same file of the sample app. Be sure to take the whole class definition! The definition changes from `public class Startup` to `public partial class Startup`.
2. In `Startup.Auth.cs`, resolve missing references by adding `using` statements for `Owin`, `Microsoft.Owin.Security`, `Microsoft.Owin.Security.Cookies`, `Microsoft.Owin.Security.WsFederation`, `System.Configuration`, and `System.Globalization`.
3. Add an OWIN startup class to the project named `Startup.cs`.
4. In `Startup.cs`, replace the code for the `Startup` class with the code from the same file of the sample app. Again, note the definition changes from `public class Startup` to `public partial class Startup`.
5. In the `Views` --> `Shared` folder, create a new partial view `_LoginPartial.cshtml`. Replace the contents of the file with the contents of the file of the same name from the sample.
6. In the `Views` --> `Shared` folder, replace the contents of `_Layout.cshtml` with the contents of the file of the same name from the sample. Effectively, all this will do is add a single line, `@Html.Partial("_LoginPartial")`, that lights up the previously added `_LoginPartial` view.
7. Create a controller called `AccountController`. Replace the implementation with the contents of the file of the same name from the sample.
8. In the `HomeController`, decorate the `HomeController` class with the `[Authorize]` attribute. If you leave this out, the user will be able to see the home page of the app without having to sign in first, and can click the sign-in link on that page to get signed in.
9. In `web.config`, in `<appSettings>`, create keys for `ida:Wtrealm`, `ida:AADInstance`, and `ida:Tenant` and set the values accordingly. For the public Azure AD, the value of `ida:AADInstance` is `https://login.microsoftonline.com`.
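What the two halves of the partial `Startup` class end up looking like once steps 1 through 4 and 9 are done, as an added example rather than the sample's own `Startup.cs` and `Startup.Auth.cs`. The namespace `WebApp_WSFederation_DotNet`, the example `web.config` values in the comment, and the `/Home/Error` redirect target are assumptions. The two files are shown in one block with the `using` directives merged at the top; in the project they are separate files as the steps describe.

```csharp
using System.Configuration;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

// Startup.cs: the attribute tells the OWIN host which class to run at start-up.
[assembly: OwinStartup(typeof(WebApp_WSFederation_DotNet.Startup))]

// Namespace is an assumption for this example; it must be the same in both files.
namespace WebApp_WSFederation_DotNet
{
    // Startup.cs: entry point that hands off to the auth configuration.
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }
    }

    // App_Start/Startup.Auth.cs: reads the ida:* keys and registers the middleware.
    public partial class Startup
    {
        // Values come from <appSettings> in web.config; example values (assumed):
        //   <add key="ida:AADInstance" value="https://login.microsoftonline.com" />
        //   <add key="ida:Tenant"      value="contoso.onmicrosoft.com" />
        //   <add key="ida:Wtrealm"     value="https://contoso.onmicrosoft.com/WebApp-WSFederation-DotNet" />
        private static readonly string Realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
        private static readonly string AadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
        private static readonly string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];

        // Tenant-specific federation metadata. Because the tenant is part of the URL, the
        // issuer and signing keys the middleware loads belong to this one tenant only, so a
        // token issued by another tenant fails issuer validation.
        private static readonly string MetadataAddress = string.Format(
            CultureInfo.InvariantCulture,
            "{0}/{1}/federationmetadata/2007-06/federationmetadata.xml",
            AadInstance, Tenant);

        public void ConfigureAuth(IAppBuilder app)
        {
            // Identities produced by the WS-Federation middleware are persisted in the cookie.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                CookieHttpOnly = true,
                // The sample runs over HTTPS; never let the session cookie travel over plain HTTP.
                CookieSecure = CookieSecureOption.Always
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // Wtrealm is sent in the sign-in request and, unless TokenValidationParameters
                // .ValidAudience is set explicitly, is also the audience the returned token
                // must carry. It therefore has to equal the App ID URI registered in the portal.
                Wtrealm = Realm,
                MetadataAddress = MetadataAddress,
                Notifications = new WsFederationAuthenticationNotifications
                {
                    // Token validation failures (bad signature, wrong audience or issuer,
                    // expired token) should not surface as a raw exception page.
                    AuthenticationFailed = context =>
                    {
                        context.HandleResponse();
                        context.Response.Redirect("/Home/Error"); // assumed error page
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

`ida:AADInstance` is read as given, so the configured value must not end in a trailing slash or the metadata URL will contain `//`; the value shown in step 9 is already in the right form.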