IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Customizing Identity Server #278

Closed NatalCoder1 closed 11 years ago

NatalCoder1 commented 11 years ago

Hi,

Is it possible to change the username that the Identity Server gives to the relying party?

leastprivilege commented 11 years ago

Yes - in IClaimsRepository

http://leastprivilege.com/2013/05/17/customizing-identityserver/

NatalCoder1 commented 11 years ago

Yeah.. I tried that. I modified some code in ProviderClaimsRepository.cs under Core.Repositories. Is it possible to modify User's Identity?

leastprivilege commented 11 years ago

Whatever the claims provider returns - will be put in the outgoing token.

NatalCoder1 commented 11 years ago

Thanks for the reply. So if I add a new claim to the userClaims, when the token reaches the relying party, how do I extract it? Does it go under Request.LoginUserIdentity.Claims? Or somewhere else?

leastprivilege commented 11 years ago

ClaimsPrincipal.Current.Claims

NatalCoder1 commented 11 years ago

Thanks again. When I passed the customized userclaims to the relying party, it executed successfully. But when I add another relying party to IdentityServer, it is passing the same token to the second relying party as well. When the user is already authenticated, does it not do any claims transformation?

leastprivilege commented 11 years ago

IClaimsRepository is called every time a token is created. In there you have all information to decide which claims should go to which relying party.

NatalCoder1 commented 11 years ago

Yes. It is being called every time. But the requestDetails variable in ProviderClaimsRepository.cs is not getting updated. Any help in getting the current relying party's Id? I used this requestDetails variable to query against the database to get the current relying party's id, but it is not working. (requestDetails.Realm)

NatalCoder1 commented 11 years ago

When I click on the second relying party, identity server is not issuing a new token. The control is not reaching IClaimsRepository. Can you please let me know the flow of the application? (what is called first, and what is next... etc..)

leastprivilege commented 11 years ago

RequestDetails has a RelyingParty property - which already has the RP information.

Not sure why your IClaimsRepository is not called. Put breakpoints into the WsFed controller and the TokenService class.
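As an added example (not code from the IdentityServer2 project or from either participant in this thread), here is a claims repository that does what the two replies above describe: it uses RequestDetails to decide, per relying party, which claims go into the outgoing token. It assumes IClaimsRepository has the two members GetClaims(ClaimsPrincipal, RequestDetails) and GetSupportedClaimTypes(), that RequestDetails exposes the Realm and RelyingParty members mentioned in the thread, and the namespaces in the using lines; the realms, the allow-list and the claim store are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Thinktecture.IdentityServer.Models;        // RequestDetails (assumed namespace)
using Thinktecture.IdentityServer.Repositories;  // IClaimsRepository (assumed namespace)

// Example only: issues a different claim set per relying party, keyed on the
// requested realm. Not part of the IdentityServer2 project.
public class PerRelyingPartyClaimsRepository : IClaimsRepository
{
    // Identity claims that every relying party receives.
    private static readonly string[] AlwaysIssued =
    {
        ClaimTypes.NameIdentifier,
        ClaimTypes.Name,
    };

    // Constructed sample policy: additional claim types each known realm may receive.
    // A relying party only gets the claims it needs, nothing more.
    private static readonly IDictionary<string, string[]> AllowedByRealm =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://app1.example.local/", new[] { ClaimTypes.Email, ClaimTypes.Role } },
            { "https://app2.example.local/", new[] { ClaimTypes.Role, "urn:example:favoritecolor" } },
        };

    // Constructed sample store of extra per-user claims; a real implementation
    // would query the user database here.
    private static readonly IDictionary<string, Claim[]> ExtraClaimsByUser =
        new Dictionary<string, Claim[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[]
                {
                    new Claim(ClaimTypes.Email, "alice@example.local"),
                    new Claim(ClaimTypes.Role, "Reader"),
                    new Claim("urn:example:favoritecolor", "green"),
                } },
        };

    public IEnumerable<Claim> GetClaims(ClaimsPrincipal principal, RequestDetails requestDetails)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            return Enumerable.Empty<Claim>();
        }

        // Start from the claims already on the authenticated principal and add
        // whatever the store knows about this user.
        var candidate = principal.Claims.ToList();
        Claim[] extra;
        if (ExtraClaimsByUser.TryGetValue(principal.Identity.Name, out extra))
        {
            candidate.AddRange(extra);
        }

        // Realm is what the RP asked for; RelyingParty is the registered RP for it
        // (null when the realm is not registered). ToString() keeps this independent
        // of whether Realm is a string or a Uri.
        var realm = requestDetails.Realm == null ? string.Empty : requestDetails.Realm.ToString();
        string[] allowed;
        if (requestDetails.RelyingParty == null || !AllowedByRealm.TryGetValue(realm, out allowed))
        {
            // Unknown or unconfigured RP: issue identity claims only.
            allowed = new string[0];
        }

        var permitted = new HashSet<string>(AlwaysIssued.Concat(allowed), StringComparer.Ordinal);

        // Deduplicate on (type, value) so a claim present both on the principal
        // and in the store is issued once.
        return candidate
            .Where(c => permitted.Contains(c.Type))
            .GroupBy(c => c.Type + "|" + c.Value)
            .Select(g => g.First())
            .ToList();
    }

    public IEnumerable<string> GetSupportedClaimTypes()
    {
        return AlwaysIssued
            .Concat(AllowedByRealm.Values.SelectMany(v => v))
            .Distinct()
            .ToList();
    }
}
```

The filter is applied on every token request, which is what the thread relies on: the same user signing in to app1 and then app2 gets two different tokens, and the realm the browser was redirected from, not anything cached from the first sign-in, decides the claim set. If the second RP never reaches this code at all, the token is not being issued by IdentityServer for that request, which is the cookie-sharing situation discussed further down the thread.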

NatalCoder1 commented 11 years ago

Yeah.. I have put the break points in the program and analyzed it and it was not called for the next relying party (not even WsFed). But what I observed from Fiddler is this, the first application is as usual redirected to the IdentityServer, but when I click on the second application, the browser is instantaneously authenticating it without actually redirecting it to the IdentityServer and displaying the homepage of the second application and with the same claims as that were passed to the first application. Since the browser already has a token from IdentityServer, is it using that token to authenticate the second application? How do I fix this, Dominick?

leastprivilege commented 11 years ago

Sounds like both your apps share the fedauth cookie somehow. You can set explicit names for the cookies in the local web.configs (cookieHandler section IIRC).

NatalCoder1 commented 11 years ago

Thank you very much! :) I just have one more thing left to ask. Suppose a user wants to send a customized claim to the application which is not previously stored in the database (maybe adding a new claim), which requires taking input from the user before or just after authenticating him. Is there a way for the server to interact with the user?

leastprivilege commented 11 years ago

Well - you can change the source code ;)

WebSite/Controllers/AccountController.cs -> SignIn method would be the right starting point

NatalCoder1 commented 11 years ago

Yeah.. that sounds good! But what if, the server first checks for that claim in the database, and if it finds a null, then prompts the user to enter the value? Like, there is a claim called 'favorite color' in user claims, when issuing a token, the server checks for his favorite color in the database and if it finds a null value for that user, it prompts the user to enter his favorite color and then add it to the claims sent to the application? I guess, this should be done in IClaimsRepository (ProviderClaimsRepository.cs). How can this be done?

leastprivilege commented 11 years ago

Well - the claims repository is called way too late in the processing pipeline. You would need to do the database checks directly in the UI. You could also add additional claims to the token by adding them from the UI controller (see the comments in the SignIn action method):

NatalCoder1 commented 11 years ago

If the user is already authenticated (he clicks on the second relying party and that customized claim is missing), then the control won't reach here, right? Then how do I pass that additional claim?

leastprivilege commented 11 years ago

Then I guess you need to modify the ws-federation controller to show a view when necessary

NatalCoder1 commented 11 years ago

Yes! I can add claims in ws-federation controller, but I'm still unable to return the view here (so that the user can input the value)!

'cause my views are in "WebSite" and the WSFederationController is in "IdentityServer.Protocols"

leastprivilege commented 11 years ago

That's standard MVC stuff - I don't have the time right now - but you'll figure it out!

leastprivilege commented 11 years ago

I'll close that for now. Open a new thread with a more specific topic when you have questions. thanks!

NatalCoder1 commented 11 years ago

Thank you very much for your help! :)